From owner-svn-ports-head@freebsd.org  Mon May  9 17:23:20 2016
Return-Path: <owner-svn-ports-head@freebsd.org>
Delivered-To: svn-ports-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7DF67B34BAF
 for <svn-ports-head@mailman.ysv.freebsd.org>;
 Mon,  9 May 2016 17:23:20 +0000 (UTC)
 (envelope-from jbeich@vfemail.net)
Received: from vfemail.net (onethreetwo.vfemail.net [199.16.11.132])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 238C61B03
 for <svn-ports-head@freebsd.org>; Mon,  9 May 2016 17:23:19 +0000 (UTC)
 (envelope-from jbeich@vfemail.net)
Received: (qmail 17598 invoked by uid 89); 9 May 2016 17:23:13 -0000
Received: from localhost (HELO freequeue.vfemail.net) (127.0.0.1)
 by localhost with (DHE-RSA-AES256-SHA encrypted) SMTP;
 9 May 2016 17:23:12 -0000
Received: (qmail 71075 invoked by uid 89); 8 May 2016 10:39:25 -0000
Received: by simscan 1.3.1 ppid: 71068, pid: 71072, t: 0.0039s scanners:none
Received: from unknown (HELO smtp102-2.vfemail.net) (172.16.100.62)
 by FreeQueue with SMTP; 8 May 2016 10:39:25 -0000
Received: (qmail 2716 invoked by uid 89); 8 May 2016 10:39:25 -0000
Received: by simscan 1.4.0 ppid: 2689, pid: 2713, t: 1.0667s scanners:none
Received: from unknown (HELO nil) (amJlaWNoQHZmZW1haWwubmV0@172.16.100.27)
 by mail.vfemail.net with ESMTPA; 8 May 2016 10:39:24 -0000
From: Jan Beich <jbeich@vfemail.net>
To: Thomas Zander <riggs@freebsd.org>
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org,
 "ports-committers\@FreeBSD.org" <ports-committers@freebsd.org>
Subject: Re: svn commit: r414781 - head/multimedia/ffmpeg
References: <201605071810.u47IAEGx095469@repo.freebsd.org>
 <h9e9-bqso-wny@vfemail.net>
 <CAFU734x33gCbYXKOv1a0ypb8yZDCV12BWduD9=OkYS+V_dR_XA@mail.gmail.com>
Date: Sun, 08 May 2016 12:39:10 +0200
In-Reply-To: <CAFU734x33gCbYXKOv1a0ypb8yZDCV12BWduD9=OkYS+V_dR_XA@mail.gmail.com>
 (Thomas Zander's message of "Sun, 8 May 2016 09:44:39 +0200")
Message-ID: <mvo0-3kc1-wny@vfemail.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SVN commit messages for the ports tree for head
 <svn-ports-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-head>, 
 <mailto:svn-ports-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-head/>
List-Post: <mailto:svn-ports-head@freebsd.org>
List-Help: <mailto:svn-ports-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 09 May 2016 17:23:20 -0000

--=-=-=
Content-Type: text/plain

Thomas Zander <riggs@freebsd.org> writes:

> On 7 May 2016 at 21:40, Jan Beich <jbeich@vfemail.net> wrote:
>> Can you MFH all patch-level updates by default? Those contain stability
>> and security fixes much desired on quaterly branches.
>
> I'd be happy to do that, I was just not aware of this policy.

I'm not sure if there's such a policy but 2.8.7 is covered by "runtime fixes"
intent when quaterly branches were first announced. When requesting MFH
just state if there's ABI or POLA impact and link to the changelog.

> For ffmpeg, I routinely double-check
> https://www.ffmpeg.org/security.html and noticed that 2.8.7 does not
> fix any known vulnerability.

The page sometimes lags behind fixes for months. Here's a list from 2.8.7
that may (or may not) end up there. Firefox stake can be easily noticed.

https://git.videolan.org/?p=ffmpeg.git;a=commit;h=2a158602273f
https://trac.ffmpeg.org/ticket/5412

https://git.videolan.org/?p=ffmpeg.git;a=commit;h=ef54c144250a
https://trac.ffmpeg.org/ticket/5371

https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=5127cb2e78c0
https://hg.mozilla.org/releases/mozilla-beta/rev/e69afe7adf97
https://bugzilla.mozilla.org/show_bug.cgi?id=1266129 (Access Denied ;)

https://git.videolan.org/?p=ffmpeg.git;a=commit;h=1e9aa7907ed4
https://trac.ffmpeg.org/ticket/5259

https://git.videolan.org/?p=ffmpeg.git;a=commit;h=536f6c4ec2f8
https://trac.ffmpeg.org/ticket/4899

> Since no build or runtime errors were reported in bugzilla for 2.8.6,
> it seemed to me that the quarterly branch does not have a problem that
> needs fixing.

ffmpeg runtime issues tend to be OS-agnostic. As such users are
discouraged to report them on downstream bugtrackers like our bugzilla.

> Is patch-level updating covered by a blanket?

No. I think, only extreme cases (e.g., startup crash) are covered by
stability blanket where the commit doesn't carry other "baggage"
that often comes with updates.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQF8BAEBCgBmBQJXLxdOXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREQjQ0MzY3NEM3RDIzNTc4NkUxNDkyQ0VF
NEM3Nzg4MzQ3OURCRERCAAoJEOTHeINHnb3bVzYIAIMcFCxJ19YtsmW+AVvdk/Hd
ryC1i8tQr3pVWqdNLDmWydCed/VMX7vuzTEkmrKeO9bzUuNbFlATacE0Bz+eAQ7R
ZmFTvs9+SrOzFaUQVgzuOuAFgahRQT48Fb0cI24F5gn/75pFtknqc7Bw/W/FSrLb
Q6weNeLdZbrA5/pMWSvvkS86hNpO2u/SYPMcH0epq45vZmPocLLYPqsLo/TA31w6
Tx6OlqFp26IoaC7TBZEjXgiN7Y1NvhO6fgBiBesASB5UrZWXtA60IUKAxe9/8iqO
udcMSHmEoc+ugvqb2hT1LN/aVeE4rxjaE0iWu0nnLnXGrntYmVs/DSwn1OeCLo4=
=A4sQ
-----END PGP SIGNATURE-----
--=-=-=--