[Pkg-chromium-maint] Bug#763632: chromium: use system FFmpeg instead of embedded code copy

Wed Oct 1 14:17:09 UTC 2014

Package: chromium
Version: 37.0.2062.120-2
Severity: important
Tags: security, patch

Dear Maintainer,

chromium uses an embedded code copy of FFmpeg (third_party/ffmpeg in the 
source directory) to compile libffmpegsumo.so, which is included in the 
chromium binary package.

This is not allowed by Debian policy § 4.13 [1]:
"Debian packages should not make use of these convenience copies unless 
the included package is explicitly intended to be used in this way.
If the included code is already in the Debian archive in the form of a 
library, the Debian packaging should ensure that binary packages 
reference the libraries already in Debian and the convenience copy is 
not used. If the included code is not already in Debian, it should be 
packaged separately as a prerequisite if possible."

As system FFmpeg libraries are now available, chromium should use them 
instead of the embedded FFmpeg copy, because it makes fixing security 
bugs easier.

Attached patch changes chromium's Debian packaging to use the system 
libraries, including some patches to make this work:
  * fix_for_system_ffmpeg.patch: Fixes a conceptual bug that made it
    impossible to use the system FFmpeg libraries.
  * ffmpeg_2.4.patch: Adapts chromium to the API differences between the
    embedded copy and FFmpeg 2.4.
  * fix_for_system_ffmpeg_ABI.patch: Fixes the ABI used by chromium to
    match the system FFmpeg ABI.

Please apply this patch as soon as possible, because the freeze is 
coming closer.

Best regards,
Andreas

1: https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chromium-browser_system-ffmpeg.patch
Type: text/x-diff
Size: 22872 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-chromium-maint/attachments/20141001/a20ead4a/attachment.patch>