598264 – www-client/chromium >= 54 make use of system libvpx optional

Bug 598264 - www-client/chromium >= 54 make use of system libvpx optional

Summary: www-client/chromium >= 54 make use of system libvpx optional

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Chromium Project

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2016-10-27 14:36 UTC by Andreas Steinmetz
Modified:	2017-04-30 11:41 UTC (History)
CC List:	1 user (show)

See Also:	597202
Package list:
Runtime testing required:	---

Attachments
system-libvpx use flag for chromium 55.0.2883.21 ebuild (chromium-ebuild.patch,1.87 KB, patch) 2016-10-27 14:36 UTC, Andreas Steinmetz	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Steinmetz 2016-10-27 14:36:59 UTC

Created attachment 451638 [details, diff]
system-libvpx use flag for chromium 55.0.2883.21 ebuild

The use of the system libvpx needs to be optional as other packages (e.g. mythtv, see bugs 597202 and 591006) depend on older libvpx versions. Thus chromium cannot be updated which is actually a security issue.
The attached patch adds a system-libvpx use flag to the chromium 55.0.2883.21 ebuild which defaults to true.

Comment 1 Rok Kralj 2016-11-01 01:51:50 UTC

Isn't it true that ffmpeg already includes a VP9 decoder, that is even better than libvpx? In this case, could we have chromium just use that?

Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2017-01-02 18:22:54 UTC

Just checking: does this really help?

With https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dabd9842b5f0cecb28601ff0e2ba793afbde85e5 mythtv depends on <media-libs/libvpx-1.5.0:= .

However, chromium needs at least 1.5.0 because of svc USE flag.

I'm not sure if allowing bundled libvpx buys us anything. Could you explain more?

Comment 3 Andreas Steinmetz 2017-01-06 20:52:41 UTC

Well, it does help.

Typically chromium is the first package to require a higher libvpx version. Now, if any other installed package requires a lesser libvpx version chromium updates are blocked.

Unfortunately chromium updates usually contain security fixes. Thus one is forced to manually patch the chromium ebuild to allow the use of the bundled libvpx to be able to use the chromium update.

In short, without enabling the optional use of the bundled libvpx one may have to stick with a vulnerable chromium version due to other packages that can't be replaced.

Chromium anyway wouldn't be the first package with a "system-libvpx" use. There are already:

mail-client/thunderbird
www-client/firefox
www-client/seamonkey

and as an external repo:

www-client/torbrowser

Packages besides chromium that depend on libvpx are:

dev-lang/php
dev-qt/qtwebengine
mail-client/thunderbird
media-libs/avidemux-plugins
media-libs/xine-lib
media-plugins/mythplugins
media-tv/mythtv
media-video/ffmpeg
media-video/handbrake
media-video/vlc
www-client/firefox
www-client/seamonkey

and as an external repo:

www-client/torbrowser

Now, if any of these except for firefox, seamonkey, thunderbird and torbrowser need a libvpx that isn't compatible to a new chromium version one will have a security problem.

Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2017-01-23 17:22:46 UTC

Ah, makes sense. Actually my reasoning seems to support adding the USE flag, as there's an obvious slot conflict.

I landed https://gitweb.gentoo.org/repo/gentoo.git/commit/www-client/chromium?id=0a85ce77f844148c527fc81a1e661567d75dd238 to add the USE flag.

Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2017-04-30 11:41:15 UTC

Stable is at M58 now, closing.