Re: xulrunner 2.0 in rawhide (F15) bundles several system libs

On Thu, Sep 30, 2010 at 01:29:38PM -0400, Gregory Maxwell wrote:
> 
> I yelled pretty loudly when Fedora first packaged libvpx because
> Fedora took a _known vulnerable_ version which Mozilla and Opera were
> patching around but where the upstream hadn't yet merged the fixes.
> 
> Things are more mature now but there are still somewhat scary fixes
> happening, at least with the platform dependent code:
> https://review.webmproject.org/#change,603
> 
> 
> Mozilla being a vector for the widescale exploitation would be
> terrible for their image and also terrible for Fedora's, we really
> don't want to create our own version of the Debian OpenSSL RNG bug.
> There really is a common interest here and the folks on the Mozilla
> side are better informed about the risks.
> 
> The patches Mozilla is carrying are visible as files in the respective
> directories here:
> http://mxr.mozilla.org/mozilla-central/source/media/
> 
> I'd suggest that Fedora folks interested in the bundling help by
> making sure that the applicable fixes make it upstream. Even if Fedora
> were to ditch the trademarks you couldn't escape doing this work.
>
Note that even without unbundling we have to do this work anyway -- but we
have to do it (or at least verify that it's done) twice, once in libvpx and
once in firefox.  It sounds from your post that one problem is that the
libvpx maintainer has a volatile code base with multiple sources to pull
code from but is only paying attention to a subset of those.

-Toshio
