[FFmpeg-devel] Reintroducing FFmpeg to Debian

Russ Allbery rra at debian.org
Sat Aug 16 20:59:20 CEST 2014


Ivan Kalvachev <ikalvachev at gmail.com> writes:

> I'm quite sure the Security team is full of capable people who can
> handle one more package.

One, no, this statement is not correct.  Not because the security team is
not capable -- they are very capable -- but because they are not *full*.
You imply that the security team has tons of resources and time to spare.
Let me assure you that this is far from the case.  This isn't even the
case for security teams consisting of full-time staff paid by commercial
Linux distributions, let alone volunteers for the Debian project.

Two, the security team has already said that FFmpeg is not just "one more
package," and that no, they can't handle the substantial incremental load
from adding FFmpeg without removing libav.  You may not think that should
be the case, but I'm afraid your opinion on the topic doesn't matter
unless you're finding a way to either reduce that work or add more
resources.

> FFmpeg takes security seriously.

I'm sure that it does.

The problem, however, is that taking security seriously, while possibly
necessary, is not sufficient.  I'm glad that FFmpeg takes security
seriously, but what FFmpeg needs is to *have fewer security bugs*.

This isn't about anyone's good intentions.  It's about the reality of
past, very negative experience with FFmpeg's security track record.

It's clear that efforts are underway to improve that, such as through the
fuzz testing work that Google (among others) has been doing.  That's
great, but I'm sure you can also understand that the past track record has
been sufficiently bad that everyone will continue to be leery for a while.
To change that impression, FFmpeg is going to have to substantially
improve on its past security track record and then *maintain* that new
level of security for some period of time.

Note that all of the above statements also apply to libav.  As near as I
can tell, this is not a distinguishing characteristic between the two
projects.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>