My plan for libvorbis towards Jessie

[Petter Reinholdtsen]

[Ralph Giles]
> But you didn't say what symbol the type change occured on. Could you
> have been mistaken?

Sure, I could be mistaken, it is just a worry on my part.  To me a
header file with a type change is a warning sign, not a conclusion.
And I did not have time to investigate, so I raised the question and
did not go any further with the upload.  And as you will see below, I
conclude that my worries were without foundation. :)

> I've just diff'd include/vorbis/*.h between the libvorbis_1.3.2-2
> source package and a checkout of upstream trunk and there are no
> differences at all.

I did a similar thing (comparing the libvorbis-dev packages between
versions) and I agree.  There is no user visible API change, and most
likely not a user visible ABI change.

> Perhaps you saw the codebook change? That's internal to the library.
> https://git.xiph.org/?p=mirrors/vorbis.git;a=commitdiff;h=7874c923e2c3548aedf24ab07d2695e7d344bdf1

Yes, that is the one I saw.

>> Is there some way to rule out ABI changes in the new version?
> 
> I linked earlier to
> http://upstream-tracker.org/versions/libvorbis.html which is a site
> that tracks ABI changes. It shows no differences since 1.3.2, and
> there only the const-ification of the strings passed to the vorbisfile
> entry points, which is safe.

Right.  After having time to look at the issue in more detail, I am
convinced that it _is_ safe to upload the new version, and will move
ahead with that tonight.

>> Which security fixes are currently missing in unstable?
> 
> I don't remember in detail. I think the last major one was
> https://git.xiph.org/?p=mirrors/vorbis.git;a=commit;h=47156649a659381d5b90b82241bf43b32ff3cd98
> 
> I see a patch for floor1 overflow, but not floor0.
> 
> The codebook change was for memory footprint, I think.

Thank you for the information.  It has been most valuable.

-- 
Happy hacking
Petter Reinholdtsen