[Pkg-chromium-maint] Bug#763632: chromium: use system FFmpeg instead of embedded code copy

Sebastian Ramacher sramacher at debian.org
Wed Oct 1 15:43:51 UTC 2014

On 2014-10-01 17:21:05, Andreas Cadhalpun wrote:
> Hi Sebastian,
> On 01.10.2014 16:32, Sebastian Ramacher wrote:
> >On 2014-10-01 16:17:09, Andreas Cadhalpun wrote:
> >>Package: chromium
> >>Version: 37.0.2062.120-2
> >>Severity: important
> >>Tags: security, patch
> >>
> >>Dear Maintainer,
> >>
> >>chromium uses an embedded code copy of FFmpeg (third_party/ffmpeg in the
> >>source directory) to compile libffmpegsumo.so, which is included in the
> >>chromium binary package.
> >>
> >>This is not allowed by Debian policy § 4.13 [1]:
> >>"Debian packages should not make use of these convenience copies unless the
> >>included package is explicitly intended to be used in this way.
> >>If the included code is already in the Debian archive in the form of a
> >>library, the Debian packaging should ensure that binary packages reference
> >>the libraries already in Debian and the convenience copy is not used. If the
> >>included code is not already in Debian, it should be packaged separately as
> >>a prerequisite if possible."
> >>
> >>As system FFmpeg libraries are now available, chromium should use them
> >>instead of the embedded FFmpeg copy, because it makes fixing security bugs
> >>easier.
> >>
> >>Attached patch changes chromium's Debian packaging to use the system
> >>libraries, including some patches to make this work:
> >>  * fix_for_system_ffmpeg.patch: Fixes a conceptual bug that made it
> >>    impossible to use the system FFmpeg libraries.
> >>  * ffmpeg_2.4.patch: Adapts chromium to the API differences between the
> >>    embedded copy and FFmpeg 2.4.
> >>  * fix_for_system_ffmpeg_ABI.patch: Fixes the ABI used by chromium to
> >>    match the system FFmpeg ABI.
> >>
> >>Please apply this patch as soon as possible, because the freeze is coming
> >>closer.
> >
> >You might want to add here that ffmpeg is blocked from entering testing. See
> >#763148 and the blocks from Julien Cristau and Niels Thykier.
> I'm pretty sure that the maintainer of chromium, Michael Gilbert, knows this
> very well, because he is a member of the security team and thus was CC'ed on
> the complete discussion with the release team. ...

I'm pretty sure that the Maintainers and Uploaders do list more people
than Michael and that there are more people reading bug reports.

Sebastian Ramacher