[Pkg-chromium-maint] Bug#763632: chromium: use system FFmpeg instead of embedded code copy

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Wed Oct 1 15:21:05 UTC 2014


Hi Sebastian,

On 01.10.2014 16:32, Sebastian Ramacher wrote:
> On 2014-10-01 16:17:09, Andreas Cadhalpun wrote:
>> Package: chromium
>> Version: 37.0.2062.120-2
>> Severity: important
>> Tags: security, patch
>>
>> Dear Maintainer,
>>
>> chromium uses an embedded code copy of FFmpeg (third_party/ffmpeg in the
>> source directory) to compile libffmpegsumo.so, which is included in the
>> chromium binary package.
>>
>> This is not allowed by Debian policy § 4.13 [1]:
>> "Debian packages should not make use of these convenience copies unless the
>> included package is explicitly intended to be used in this way.
>> If the included code is already in the Debian archive in the form of a
>> library, the Debian packaging should ensure that binary packages reference
>> the libraries already in Debian and the convenience copy is not used. If the
>> included code is not already in Debian, it should be packaged separately as
>> a prerequisite if possible."
>>
>> As system FFmpeg libraries are now available, chromium should use them
>> instead of the embedded FFmpeg copy, because it makes fixing security bugs
>> easier.
>>
>> Attached patch changes chromium's Debian packaging to use the system
>> libraries, including some patches to make this work:
>>   * fix_for_system_ffmpeg.patch: Fixes a conceptual bug that made it
>>     impossible to use the system FFmpeg libraries.
>>   * ffmpeg_2.4.patch: Adapts chromium to the API differences between the
>>     embedded copy and FFmpeg 2.4.
>>   * fix_for_system_ffmpeg_ABI.patch: Fixes the ABI used by chromium to
>>     match the system FFmpeg ABI.
>>
>> Please apply this patch as soon as possible, because the freeze is coming
>> closer.
>
> You might want to add here that ffmpeg is blocked from entering testing. See
> #763148 and the blocks from Julien Cristau and Niels Thykier.

I'm pretty sure that the maintainer of chromium, Michael Gilbert, knows 
this very well, because he is a member of the security team and thus was 
CC'ed on the complete discussion with the release team. So he also knows 
about the suggestion of the release team member Andreas Barth to replace 
the internal code copy in chromium by a reference to FFmpeg and that the 
possibility of this probably leads to a re-evaluation of the migration 
block [1].

Best regards,
Andreas

1: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763148#27


