ffmpeg security definitions have changed from security to esm-apps pocket

Asked by Kaio Barbosa

Hi there,

I am trying to get an update for ffmpeg, and it seems it is only possible by using an ESM/Pro subscription. I am running Jammy.

My question for you is: why has this changed? In the past the definitions were under the security pocket (Ubuntu Security definitions).

Example: https://ubuntu.com/security/notices/USN-5472-1

```
  "ffmpeg": {
    "pocket": "security",
    "version": "7:4.4.2-0ubuntu0.22.04.1"
  },
```

but now the updates are under esm-apps, example: https://ubuntu.com/security/notices/USN-6983-1

```
  "ffmpeg": {
    "pocket": "esm-apps",
    "version": "7:4.4.2-0ubuntu0.22.04.1+esm5"
  },
```

I see ffmpeg was added to esm-apps in 2023, according to the logs https://git.launchpad.net/ubuntu-cve-tracker/log/esm-apps-jammy-supported.txt, but it is not clear why.

Can I please understand the rationale for that change?
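A practical way to act on the two notices quoted above is to read the per-release `pocket` and `version` fields and decide, for each installed package, whether the newest fix is reachable from the plain security pocket or only from an ESM pocket, and whether the host is actually behind. The script below is an added example, not part of the question or of any Canonical tooling: it embeds a constructed sample shaped like the two excerpts (USN-5472-1 and USN-6983-1 for ffmpeg on jammy), not the real USN JSON schema, and it carries its own dpkg-style version comparison so that `+esm5` sorts after the non-ESM revision.

```python
"""Decide whether a USN fix needs an ESM pocket and whether a host is behind it.

Added example; the sample data is constructed to mirror only the "pocket" and
"version" fields quoted in the question, not the real USN JSON feed layout.
"""

# Constructed sample: USN id -> release -> package -> {pocket, version}
SAMPLE_USNS = {
    "USN-5472-1": {"jammy": {"ffmpeg": {"pocket": "security",
                                        "version": "7:4.4.2-0ubuntu0.22.04.1"}}},
    "USN-6983-1": {"jammy": {"ffmpeg": {"pocket": "esm-apps",
                                        "version": "7:4.4.2-0ubuntu0.22.04.1+esm5"}}},
}

# Pockets that are only reachable with an Ubuntu Pro / ESM entitlement.
ESM_POCKETS = {"esm-apps", "esm-infra"}


def _order(c):
    """Character weight used by dpkg: '~' sorts before end-of-string, digits are 0,
    letters by code point, everything else after letters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's fragment comparison: alternate non-digit and numeric runs."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return (ac > bc) - (ac < bc)
            i += 1
            j += 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = (ch(a, i) > ch(b, j)) - (ch(a, i) < ch(b, j))
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, rest = 0, version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, revision = (rest.rsplit("-", 1) + [""])[:2] if "-" in rest else (rest, "")
    return epoch, upstream, revision


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` ordering."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def classify_usn(usns, usn_id, release):
    """Split one USN's packages for a release into plain-security vs ESM fixes."""
    out = {"security": [], "esm": []}
    for pkg, info in usns[usn_id].get(release, {}).items():
        out["esm" if info["pocket"] in ESM_POCKETS else "security"].append(pkg)
    return out


def fix_status(usns, release, installed):
    """For each installed package, pick the newest fixed version across all USNs
    and report whether the host is behind it and whether applying it needs Pro."""
    report = {}
    for pkg, have in installed.items():
        best = None
        for usn_id, releases in usns.items():
            info = releases.get(release, {}).get(pkg)
            if info and (best is None or dpkg_compare(info["version"], best["version"]) > 0):
                best = dict(info, usn=usn_id)
        if best is None:
            continue
        behind = dpkg_compare(have, best["version"]) < 0
        report[pkg] = {"usn": best["usn"], "fixed_version": best["version"],
                       "pocket": best["pocket"], "behind": behind,
                       "requires_pro": behind and best["pocket"] in ESM_POCKETS}
    return report


if __name__ == "__main__":
    # Constructed host state: jammy with the last non-ESM ffmpeg build installed.
    print(fix_status(SAMPLE_USNS, "jammy", {"ffmpeg": "7:4.4.2-0ubuntu0.22.04.1"}))
```

On a real host the `installed` mapping would come from `dpkg-query -W -f '${Package} ${Version}\n'`, and the USN data from the notices themselves; the point of the version comparison is that a host on `7:4.4.2-0ubuntu0.22.04.1` is correctly reported as behind `…+esm5` even though the upstream part is identical, which a plain string comparison would not guarantee.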

Bernard Stafford (bernard010) said :
#1

ESM enables 'continuous' vulnerability management for critical, high and medium CVEs.
Canonical decided to give continuous management which only ESM would be able to provide.
Have you tried the ffmpeg snap? https://snapcraft.io/store?q=ffmpeg
ffmpeg-2204 [ffmpeg content snap for core22] Last updated / 31 July 2024 - latest/stable

Kaio Barbosa (kaiux) said :
#2

Thank you for your reply, and sorry to insist on this, but respectfully I trust this does not answer my initial inquiry 100%.

I can provide more context. If ffmpeg was included under esm-apps due to vulnerability criticality and fix cadence, I am totally okay with that. However, the same analogy should apply to more packages. For example, vim (not on that list) should follow a similar security mentality. I use vim as an example because it had more vulnerabilities in past years than ffmpeg.

Maybe there is public documentation you could point me to regarding why ffmpeg, or more generally, what criteria cause a package to be handled under esm-apps?

Thank you.

Bernard Stafford (bernard010) said (last edited):
#3

Security patching
(Coverage for critical, high and selected medium CVEs)
Over 2,300 packages in Ubuntu Main repository
Over 23,000 packages in Ubuntu Universe repository
https://ubuntu.com/security/esm

Expanded security
Canonical offers Expanded Security Maintenance (ESM) for infrastructure and applications to provide kernel live-patches and vulnerability fixes through a secure and private archive.
https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/v31.2/howtoguides/enable_esm_infra/
https://discourse.ubuntu.com/c/ubuntu-pro/116
