Created attachment 451638: system-libvpx use flag for chromium 55.0.2883.21 ebuild. The use of the system libvpx needs to be optional, as other packages (e.g. mythtv, see bugs 597202 and 591006) depend on older libvpx versions. Thus chromium cannot be updated, which is actually a security issue. The attached patch adds a system-libvpx use flag to the chromium 55.0.2883.21 ebuild which defaults to true.
Isn't it true that ffmpeg already includes a VP9 decoder, that is even better than libvpx? In this case, could we have chromium just use that?
Just checking: does this really help? With https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dabd9842b5f0cecb28601ff0e2ba793afbde85e5 mythtv depends on <media-libs/libvpx-1.5.0:= . However, chromium needs at least 1.5.0 because of svc USE flag. I'm not sure if allowing bundled libvpx buys us anything. Could you explain more?
Well, it does help. Typically chromium is the first package to require a higher libvpx version. Now, if any other installed package requires a lesser libvpx version, chromium updates are blocked. Unfortunately chromium updates usually contain security fixes. Thus one is forced to manually patch the chromium ebuild to allow the use of the bundled libvpx to be able to use the chromium update. In short, without enabling the optional use of the bundled libvpx one may have to stick with a vulnerable chromium version due to other packages that can't be replaced. Chromium anyway wouldn't be the first package with a "system-libvpx" use. There are already: mail-client/thunderbird, www-client/firefox, www-client/seamonkey and, as an external repo, www-client/torbrowser. Packages besides chromium that depend on libvpx are: dev-lang/php, dev-qt/qtwebengine, mail-client/thunderbird, media-libs/avidemux-plugins, media-libs/xine-lib, media-plugins/mythplugins, media-tv/mythtv, media-video/ffmpeg, media-video/handbrake, media-video/vlc, www-client/firefox, www-client/seamonkey and, as an external repo, www-client/torbrowser. Now, if any of these except for firefox, seamonkey, thunderbird and torbrowser need a libvpx that isn't compatible with a new chromium version, one will have a security problem.
Ah, makes sense. Actually my reasoning seems to support adding the USE flag, as there's an obvious slot conflict. I landed https://gitweb.gentoo.org/repo/gentoo.git/commit/www-client/chromium?id=0a85ce77f844148c527fc81a1e661567d75dd238 to add the USE flag.
Stable is at M58 now, closing.