Saturday, September 16, 2017

Re: NEW: audio/rgain, to replace vulnerable mp3gain

On Thu, Sep 14 2017, Stuart Henderson <stu@spacehopper.org> wrote:
> http://www.openwall.com/lists/oss-security/2017/09/14/9
>
> : "It probably also suffers from most other historical vulnerabilities
> : that are listed for mpg123. We removed it from Debian in 2014,
> : with a recommendation to use the rgain Python package instead:
> : https://tracker.debian.org/pkg/rgain
> :
> : rgain uses libmad or ffmpeg via GStreamer for decoding, so it isn't
> : exactly bug-free either; but those libraries are actively maintained,
> : and when they have vulnerabilities, they'd need to be fixed anyway for
> : the benefit of other packages."
>
> Here's a port of rgain. OK to import? OK to kill mp3gain?

I have proposed tweaks for rgain:
- run tests against the currently built module, I find this less
error-prone (no need to make reinstall/update)
- s/py-gobject/py-gobject3/, missing dep visible when importing
the rgain.rgcalc module
- skip one test that seems to hang, no idea of the root cause

No comments:

Post a Comment