On Wed, Oct 30, 2024 at 8:53 PM Troy Dawson <tdawson@xxxxxxxxxx> wrote: > > On Mon, Oct 21, 2024 at 8:49 AM Troy Dawson <tdawson@xxxxxxxxxx> wrote: >> >> On Mon, Oct 21, 2024 at 8:04 AM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: >>> >>> Hi all, >>> >>> There have been a number of releases of dav1d newer than the one >>> shipped in EPEL 9 right now, one of which include fixes for this CVE: >>> https://bugzilla.redhat.com/show_bug.cgi?id=2264940 >>> >>> Looking at upstream commit history, there seem to be other "security >>> fixes" that have just not been assigned a CVE number. I have looked >>> into backporting the fixes to the version currently in EPEL 9, but >>> it's 1) unclear which commits all need to be backported, and 2) some >>> changes aren't cleanly backportable, and 3) that would not cover >>> security fixes not associated with a CVE number. >>> >>> For this reason, I would like to build the version of dav1d that's >>> currently in Fedora 40+ and in EPEL 10 also for EPEL 9. This includes >>> one soname bump (since dav1d 1.3.0) due to an ABI change, which makes >>> this an incompatible update, but there were no actual API changes. >>> >>> Packages in the EPEL 9 repos that depend on dav1d that would need to be rebuilt: >>> >>> chromium: chromium >>> chromium: chromium-headless >>> ffmpeg: libavcodec-free >>> libavif0.10: libavif0.10 >>> libavif: libavif >>> libheif: libheif >>> vlc: vlc-plugins-base >>> xine-lib: xine-lib >>> >>> Fabio >> >> >> Thank you for following the Incompatible update process. >> >> Looking at things, I agree that updating is the best step forward. >> >> My only concern is that you will be rebuilding the "heavy hitters" dealing with web browsing, video and sound. >> If this gets approved, please be careful with those and try to communicate with their maintainers as much as possible. >> >> Troy >> > > This was brought up and approved at this weeks EPEL Steering Committee meeting. > You may now proceed with the next steps in the Incompatible Upgrade process. Thank you - I am starting to build things now, in epel9-build-side-99744. Fabio -- _______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
