Opened 5 months ago

Closed 3 months ago

#18984 closed enhancement (fixed)

Archive libtheora?

Reported by: Xi Ruoyao
Owned by: blfs-book
Priority: normal
Milestone: 12.1
Component: BOOK
Version: git
Severity: normal
Keywords: (none)
Cc: (none)

Description

Inspired by https://www.phoronix.com/news/Google-Chrome-Dropping-Theora.

In BLFS the only recommended dependencies of libtheora are from ffmpeg and gst-plugins-base, but IMO they should really be "optional", as lacking libtheora will do no harm unless you need to encode or decode theora videos. And is there any real use of theora in 2023?

Change History (5)

comment:1 by Xi Ruoyao, 5 months ago

Summary: changed from "Archive libtheroa?" to "Archive libtheora?"

comment:2 by Bruce Dubbs, 5 months ago

Looking upstream, the latest libtheora was released in 2010.

In addition to ffmpeg and gst10-plugins-base the following have libtheora as optional: vlc, mplayer, transcode, and xine-lib.

If ffmpeg and gst10-plugins-base build with current instructions and without libtheora, I have no problem demoting it to optional in those packages. At that point we can remove it from the book and convert those internal xrefs into external ulinks and archive libtheora.

That said, the easiest thing is to just leave it as is. libtheora is only a 0.2 SBU build at -j1.

comment:3 by Douglas R. Reno, 5 months ago

I'm kind of torn on this particular archival. I do see Google's point here about the fact that it's decreasing the attack surface of things like web browsers. Most of the recent vulnerabilities that have been exploitable (and actively exploited, at that) have been in the multimedia support within browsers.

On the other hand, we still carry libquicktime at the moment, so it may be easier to just leave this one alone. As far as I can tell, libquicktime isn't used by any browsers in the book, and libtheora isn't either at this time, so the only attack vector from a security perspective would be somebody opening a compromised file. Still a big deal, but a lot different than the web browser route which would've been the most common attack vector. Another attack vector which could've been a concern here would be something like Baloo or tracker-miners picking up on the file when indexing, but neither of those appear to link to libtheora (or look for them either).

It's worth noting that most of the other Xiph.org packages have gone relatively unmaintained as well. libogg was last updated in 2021, but libvorbis was last updated in 2020.

libtheora's new upstream git repository is at https://github.com/xiph/theora. There are some commits dating back to 2020 in there, and there are a couple of requests for a new release. That being said though, I'm not sure if we'll see one.
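The question raised in this comment, which installed components actually link libtheora and could therefore be handed an untrusted Theora file, can be answered on a BLFS system with a small audit script. The script below is an added example written for this ticket, not code from BLFS or from any package discussed here. It inspects the dynamic section of each ELF object with readelf rather than running ldd, because ldd may execute the loader of the file it inspects, which is undesirable when the file itself is untrusted. The sample readelf output embedded in the script is constructed for the self-check and was not captured from a real system.

```shell
#!/bin/sh
# Audit which ELF objects under the given directories declare a dependency on
# libtheora (libtheora.so, libtheoradec.so or libtheoraenc.so). Added example,
# not part of the BLFS book or of libtheora.

# needs_theora: read readelf/ldd-style output on stdin; succeed (exit 0) when
# any line references a libtheora shared object.
needs_theora() {
    grep -q 'libtheora[a-z]*\.so' 
}

# theora_linkers: print every regular file under the given directories whose
# dynamic section lists a libtheora object as NEEDED. Uses readelf -d so the
# inspected file is never executed; non-ELF files simply produce no matches.
theora_linkers() {
    for dir in "$@"; do
        find "$dir" -type f \( -name '*.so*' -o -perm -u+x \) 2>/dev/null |
        while IFS= read -r f; do
            if readelf -d "$f" 2>/dev/null | grep NEEDED | needs_theora; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Constructed sample output (not from a real system) used for a self-check.
SAMPLE_WITH_THEORA=' 0x0000000000000001 (NEEDED) Shared library: [libtheoradec.so.1]
 0x0000000000000001 (NEEDED) Shared library: [libogg.so.0]
 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]'
SAMPLE_WITHOUT_THEORA=' 0x0000000000000001 (NEEDED) Shared library: [libvorbis.so.0]
 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]'

# self_check: returns 0 when the parser classifies both samples correctly.
self_check() {
    printf '%s\n' "$SAMPLE_WITH_THEORA" | needs_theora || return 1
    if printf '%s\n' "$SAMPLE_WITHOUT_THEORA" | needs_theora; then
        return 1
    fi
    return 0
}

# Usage: sh theora_audit.sh /usr/lib /usr/libexec /usr/bin
if [ "$#" -gt 0 ]; then
    theora_linkers "$@"
fi
```

Running it over /usr/lib, /usr/libexec and /usr/bin lists every object that would pull libtheora into its process, which is the quickest way to confirm (or refute) whether something like webkitgtk, a GStreamer plugin directory, Baloo or tracker-miners is a consumer before deciding to demote the dependency.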

comment:4 by Xi Ruoyao, 4 months ago (in reply to comment:3)

Replying to Douglas R. Reno:

On the other hand, we still carry libquicktime at the moment, so it may be easier to just leave this one alone. As far as I can tell, libquicktime isn't used by any browsers in the book, and libtheora isn't either at this time

IIUC if gst-plugins-good is built with libtheora, webkitgtk may try to play theora videos with it.

Last edited 4 months ago by Xi Ruoyao

comment:5 by Bruce Dubbs, 3 months ago

Resolution: fixed
Status: changed from new to closed