Ubuntu
chromium-browser package

[FFe] chromium-codecs-ffmpeg for lucid

Bug #537617 reported by Fabien Tassin
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: chromium-browser

the chromium-browser package has been in Lucid for a while now. In order for it to support the HTML5 audio and video tags, a codec package is needed.

Those codecs are part of the upstream (giant) source tree. They are from Alexander Strange's ffmpeg-mt (multi-threaded) branch. Chromium devs added some patches and rewrote the build system (configure) to use their own gyp (already in lucid). Depending on the branding set at build time, the codecs could come in two flavors:

a/ when built with ffmpeg_branding=Chromium, only ogg, vorbis and theora are produced
b/ when built with ffmpeg_branding=Chrome, we obtain ogg/vorbis/theora + aac/ac3/mpeg4audio/h264/mov/mp3

(in both cases, a single libffmpegsumo.so is produced)

the choice a/ is similar to what Mozilla does for Firefox but b/ is needed for major sites like Youtube and Vimeo.
There's a heated debate, especially regarding the use of H.264.

In order to give users the choice, i've created the chromium-codecs-ffmpeg (src) package (splitted away from the browser) to produce the two flavors of codecs, respectively chromium-codecs-ffmpeg and chromium-codecs-ffmpeg-nonfree.

At the moment, the browser "Recommends: chromium-codecs-ffmpeg | chromium-codecs-ffmpeg-nonfree".
Once the codecs are in, i will revert it back to "Depends".

The current packaging is available at:
http://bazaar.launchpad.net/~chromium-team/chromium-browser/chromium-codecs-ffmpeg.head/files/head:/debian/

Before I upload to lucid and wait in NEW, i wouldn't mind a feedback.

Revision history for this message
StefanPotyra (sistpoty) wrote :

I very much dislike the idea to get a copy of ffmpeg in. At the very least, I'd like to hear an explicit ok from the security team.

Revision history for this message
Fabien Tassin (fta) wrote :

If we don't ship it, tech users will grab it from one of the PPAs, and worse, the vast majority of ubuntu users will just stop using Chromium the first time they hit a <video> and move to the upstream Google Chrome deb which ships the whole thing by default.

BTW, it's not a copy of ffmpeg per say, our system ffmpeg is not multi-threaded.
And Google is taking care of the security of that thing, along with upstream, hence the stack of patches in the tarball.

Revision history for this message
Alexander Sack (asac) wrote :

> I very much dislike the idea to get a copy of ffmpeg in. At the very least, I'd like to hear an explicit ok from the security team.

The security concern feels more like a MIR topic than a motu-release one. The risk for getting release critical bugs is definitly low as we are using this package for ages.

Revision history for this message
StefanPotyra (sistpoty) wrote :

security is a concern for universe as well, and is my main concern.

I've talked to Reinhard (ffmpeg upstream) now, and he told me that security is well maintained for Google's branch.
Also I've been told that the -mt branch will get merged to ffmpeg main at some point, but most probably not for 0.6.

That said, I'm ok to grant the FFe, given that you can convince an archive admin to new the package.

(side note: Reinhard suggested to rename the -nonfree package, since it doesn't contain non-free software. Maybe you could follow suite with the ffmpeg package and name it -extra?).

Revision history for this message
Fabien Tassin (fta) wrote :

i meant it as "non-royalty-free" / "non-patent-free", so users know what they may face.
I can use "restricted", but i don't like "extra" as it has a positive aspect.

Revision history for this message
Reinhard Tartler (siretart) wrote :

Of course it has an "positive" aspect because after all, it does offer extra functionality. Our users are not going to be charged for using it. The "risk" is on the distributors side. I strongly oppose package names that indicate ffmpeg would produce non-free or crippled code.

As for security concerns, since google does a good job with mainting their 'fork' security wise, I think we can rely on upstream to provide good security support. Most of the recent security patches came from google anyway, so there is a good chance that chrome's ffmpeg copy gets future security patches earlier than upstream ffmpeg again. For this reason, this embedded copy needs to be considered seperate from the system ffmpeg anyway.

To me, this is more a decision if we want chrome at all, as the ffmpeg part is not the biggest security concern here.

Revision history for this message
Fabien Tassin (fta) wrote :

renamed "-extra" but i need to keep a transitional package for the tens of thousands of users who already got it through the PPAs.

Revision history for this message
Reinhard Tartler (siretart) wrote : Re: [Bug 537617] Re: [FFe] chromium-codecs-ffmpeg for lucid

thank you very much for this!

StefanPotyra (sistpoty)
Changed in chromium-browser (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.