Why Debian returned to FFmpeg
Slightly less than one year ago, the Debian community had an extended discussion on whether the FFmpeg multimedia library should return to the distribution. Debian had followed the contentious libav fork when it happened in 2011, but some community members were starting to have second thoughts about that move. At the time, the discussion died out without any changes being made, but the seeds had evidently been planted; on July 8, the project's multimedia developers announced that not only was FFmpeg returning to Debian, but it would be replacing libav.
Chances are that many Debian (and Ubuntu) users are not more than peripherally aware of which multimedia library is running on their system. Libav has been in use for some years and has generally filled the bill, so it is natural to wonder what drove the project to make a change that will require a lot of work and which seems certain to prove disruptive while it is underway. Getting to the answers is an interesting study in how distributions try to ensure that the code they ship comes from healthy upstream projects.
Security and more
The Debian project is not normally known for being afraid to ship multiple packages providing the same function, so one might wonder why it can't just ship both FFmpeg and libav, letting users decide which one they want to use. The big sticking point in 2014 was security support. Both projects have had more than their share of security issues, and the Debian security team didn't think it could keep up with patching both of them. At that time, FFmpeg seemed to have a better record of responding to vulnerabilities than libav, but that still was not enough to convince the security team to support both libraries.
One year later, security issues remained at the top of the list, but it would appear that FFmpeg has pulled well ahead of libav in this regard. Debian security team member Moritz Muehlenhoff made it clear that he saw FFmpeg as being more responsive to security reports. A rather stronger argument came from Mateusz “j00ru” Jurczyk who, in his security-oriented role at Google, has been doing extensive fuzz testing of both projects and reporting the problems that come up:
The notion of hundreds of open security issues is generally unappealing. FFmpeg does not appear to lead on just security updates, though; by all accounts, it now supports a far wider variety of codecs and containers than libav does. There is an increasing range of formats that FFmpeg can play, but libav cannot. As the feature gap grows, the project's desire to stay with libav wanes.
The libav maintainer's perspective
When Alessio Treglia restarted the discussion at the end of April, the above points were quickly expressed. Even so, the conversation did not appear to be heading toward any sort of consensus. Arguably, the turning point was when Debian libav maintainer Reinhard Tartler entered the discussion. Reinhard argued forcefully for the advantages he saw in libav, but, in the end, could not bring himself to say that he was sure libav was the better choice.
With regard to security issues, Reinhard attributed the difference in fix rates to a difference in how the two projects approach development ("Michael" is Michael Niedermayer, the lead developer of FFmpeg):
Reinhard initially asserted that, even so, libav had parity with FFmpeg when it came to fixing security-related bugs, but he later backed down on that.
In Reinhard's view, the two projects are managed differently, with
different goals;
that difference makes libav appealing in a number of
ways. Libav, he said, is trying to improve the state of the code and come
up with something better than the "horrible
" APIs it inherited
from FFmpeg. He summarized the differences between the project this way:
Even through he seems to like the libav approach more, Reinhard, in the end, was
not able to argue against the change; his position came down to:
"I still have some concerns with this move, but I can't claim Libav
to be superior to FFmpeg at this point
". With the project's libav maintainer
taking that position (and also, importantly, saying that he no longer has
the time to maintain libav at the same level as he has in the past), the decision
seemed to settle out fairly quickly.
Other concerns
A desire that was expressed more than once in this discussion was that the two projects would stop fighting and join back into a single, well-supported effort. There is, however, no real indication that any such reconciliation is in the cards. There is another way that the community could go back to having a single project, though: if one of them were to simply fail. Dmitry Smirnov suggested that a switch to FFmpeg by Debian could maybe bring that about:
Opinions vary on how much "life support" Debian actually provides to libav, but the loss of Debian and Ubuntu seems certain not to do the project any good. There aren't a lot of distributions out there that carry libav anymore; without Debian, that list will be short indeed. It might just be that libav is not sustainable without Debian.
That said, there are some concerns about the sustainability of FFmpeg as
well. By all accounts, Michael is a highly productive developer; he
accounts for, by far, the largest share of the patches going into FFmpeg.
Reinhard asked whether FFmpeg is a one-developer project that would find
itself in trouble should Michael stop working on it. "To me, this
constitutes a serious bus-factor: Without Michael, (probably) nobody is
able to replace him.
" He went on to suggest, though, that Michael's
departure could do a lot to bring an end to the fork.
As an argument against the "one-man show" concern, Andreas Cadhalpun posted some commit statistics for both projects, covering the period since September 2014:
libav FFmpeg Commits Developer Commits Developer 294 Vittorio Giovara 1831 Michael Niedermayer 253 Martin Storsjö 294 Vittorio Giovara 206 Anton Khirnov 252 Martin Storsjö 131 Luca Barbato 197 Anton Khirnov 72 Diego Biurrun 179 Clément Bœsch 46 Michael Niedermayer 155 James Almer 32 Rémi Denis-Courmont 150 Carl Eugen Hoyos 21 Andreas Cadhalpun 114 Andreas Cadhalpun 17 Hendrik Leppkes 113 Luca Barbato 16 Gabriel Dume 98 Lukasz Marek 16 Himangi Saraogi 93 Paul B Mahol 16 wm4 85 Ronald S. Bultje 14 Federico Tomassetti 83 wm4 12 Peter Meerwald 66 Christophe Gisquet 11 Janne Grunau 48 Benoit Fouet
At a first glance, the table shows that (1) FFmpeg appears to have a much higher commit traffic than libav, and (2) Michael, while being the largest contributor, is certainly not the only contributor. But, as Reinhard pointed out, there is a bit more to this story. Changes to libav are routinely merged into FFmpeg, but the flow of patches in the other direction is quite low. If the libav changes are subtracted out of the FFmpeg numbers, the result is that Michael very much stands alone; no other developer is even close.
The Debian multimedia developers decided to make the switch to FFmpeg even though nobody really had an answer to Reinhard's concern. For now, FFmpeg appears to be going strong, but there is a single-developer risk there that could come to the fore in the future. Given that nearly the entire distribution ecosystem now depends on FFmpeg, chances are that a way would be found to keep the project going if Michael were to decide he had better things to do. But the process of getting there might prove to be a little rough.
The Debian project was faced with a difficult choice: given
that it was not possible to support both libraries in the distribution,
which one offers the most to Debian's users while presenting the least
long-term sustainability and security risk? The developers involved chose
to move away
from a project that many of them see as lacking the resources needed to be
truly healthy. That choice will result in a lot of work, but, assuming the
choice was the correct one, Debian users should benefit in the long term.
Posted Jul 13, 2015 21:03 UTC (Mon)
by gioele (subscriber, #61675)
[Link] (4 responses)
> I think the debate on the development methodology is the biggest
Question for the people familiar with FFmpeg: what is the argument against adopting, in addition to the existing API, these new, better designed APIs?
I read that the FFmpeg maintainer is keen on maintaining the old API around for compatibility reasons. At the same time it seems that every media project is bundling a local copy of FFmpeg because of fundamental incompatibilities even between minor releases. How can both stances be valid at the same time?
Posted Jul 13, 2015 21:49 UTC (Mon)
by josh (subscriber, #17465)
[Link]
Posted Jul 14, 2015 5:46 UTC (Tue)
by rsidd (subscriber, #2582)
[Link]
Posted Jul 14, 2015 17:30 UTC (Tue)
by flussence (guest, #85566)
[Link]
FFmpeg has supported both for a number of years, so the argument is moot.
Posted Jul 23, 2015 18:23 UTC (Thu)
by riking (guest, #95706)
[Link]
In my experience, this has been done because it needed something implemented one way in ffmpeg but implemented a different way in avconv.
Posted Jul 13, 2015 22:37 UTC (Mon)
by atai (subscriber, #10977)
[Link] (12 responses)
Posted Jul 14, 2015 21:20 UTC (Tue)
by xtifr (guest, #143)
[Link] (2 responses)
So winning in the presence of a hostile fork basically involves not sucking *too* much more than the fork. You don't even have to be better (assuming you had some success before the fork). You just have to be tolerable, and people will likely stick with what they know. So it's not really *that* impressive a feat.
(If you're going to do it, though, winning over major distros based on technical merit, as FFmpeg seems to have done in this case, is definitely one of the best ways to do it.) :)
Posted Jul 15, 2015 9:33 UTC (Wed)
by anselm (subscriber, #2796)
[Link]
The best example of that is probably OpenOffice vs. LibreOffice. LibreOffice is arguably the better program, but especially on Windows, people will still install OpenOffice because that is the name they know. (On Linux, LibreOffice seems to be more popular because most people get it from their distributions, which for the most part jumped ship from OpenOffice to LibreOffice even before OpenOffice became an Apache project.)
Posted Jul 23, 2015 13:39 UTC (Thu)
by jond (subscriber, #37669)
[Link]
This is a good point.
Before I knew anything else about the situation, I was often surprised to find the following banner printed when I ran the ffmpeg binary on a Debian system:
> *** THIS PROGRAM IS DEPRECATED ***
This was puzzling, and misleading because ffmpeg was not deprecated, per se; but the libav implementation of the ffmpeg binary was planned to be removed. This was aa watered down version of an earlier warning:
> This program is not developed anymore and is only
Which IMHO was even more misleading.
Posted Jul 21, 2015 8:14 UTC (Tue)
by KotH (guest, #4660)
[Link] (8 responses)
1) Merge everything they make.
2) Continous smear campaign.
And for those who claim that ffmpeg is better/more secure/whatever, why then does VLC stick to libav, if ffmpeg is so much better?
Posted Jul 21, 2015 14:50 UTC (Tue)
by raven667 (subscriber, #5198)
[Link]
The "merge everything they make" activity could flow both ways, both projects have the opportunity to merge each others changes, if the policy of merging most of the libav changes into ffmpeg has made ffmpeg a stronger software then it's libav policy against merging ffmpeg changes which has made them the weaker project.
As far as any negative criticism of libav being due to some Internet-wide smear campaign, wow, that justification is basically never right, the universe does not revolve around the petty differences of a couple of folks, I can't imagine that most people who ship either library really cares about the split, they just want something that works, so the idea that a "smear campaign" could gain any traction is laughable. Ha ha ha. This is especially true for Google which is spending their time and money to fuzz test this software, which is an incredible gift, and has real metrics to back their statements, not whispers.
Posted Jul 21, 2015 20:35 UTC (Tue)
by flussence (guest, #85566)
[Link] (4 responses)
Do you have any citations to back that up? Because I've seen libav doing an order of magnitude more smearing, up to and including sending fraudulent legal threats over the logo, claiming ffmpeg "steals" code, distributing a fake ffmpeg scareware binary, posts like yours, and so on.
Regarding security, libav makes regular appearances on the security updates page on this site - often for ffmpeg CVEs dated 3-4 years ago. The opposite has never occurred.
Posted Jul 29, 2015 13:54 UTC (Wed)
by lu_zero (guest, #72556)
[Link] (3 responses)
Nobody in Libav ever discussed FFmpeg beside me on here
https://blogs.gentoo.org/lu_zero/2015/02/20/demotivation-...
Let alone "smear".
On the other side, at least few of the the new people contributing to Libav got quite interesting emails from Michael Niedermayer and Carl Eugen Hoyos. (I can say few since they did ask me what the hell was it about, I have no way to know if ALL the new contributors got this kind of interesting service).
Posted Jul 30, 2015 18:02 UTC (Thu)
by flussence (guest, #85566)
[Link] (2 responses)
FFmpeg has been professionally silent on public forums. Your side would do well to learn from their example.
Posted Jul 31, 2015 20:46 UTC (Fri)
by lu_zero (guest, #72556)
[Link] (1 responses)
http://article.gmane.org/gmane.comp.video.ffmpeg.devel/17... silent.
Posted Aug 1, 2015 17:56 UTC (Sat)
by flussence (guest, #85566)
[Link]
The point is I don't have to.
Posted Jul 31, 2015 16:15 UTC (Fri)
by gabucino (guest, #72504)
[Link]
Posted Oct 19, 2015 12:59 UTC (Mon)
by turbulens (guest, #104984)
[Link]
Posted Jul 14, 2015 1:26 UTC (Tue)
by xtifr (guest, #143)
[Link] (1 responses)
(Just an observation based on the data presented in this article. Obviously, not all commits are created equal, and I have no idea what quality of patch any of the folks involved in either project have to offer.)
Posted Jul 23, 2015 11:41 UTC (Thu)
by moltonel (guest, #45207)
[Link]
Posted Jul 14, 2015 6:57 UTC (Tue)
by jezuch (subscriber, #52988)
[Link] (1 responses)
Posted Jul 14, 2015 16:17 UTC (Tue)
by josh (subscriber, #17465)
[Link]
Posted Jul 14, 2015 17:46 UTC (Tue)
by flussence (guest, #85566)
[Link] (4 responses)
It's been stated elsewhere that Libav takes just as much code from FFmpeg too - but they launder it through total rewrites so as to not give credit to the original authors and inflate their own numbers. This is consistent with the borderline-sociopathic mud-slinging they seem to do at every chance they get.
Posted Jul 15, 2015 8:37 UTC (Wed)
by dgm (subscriber, #49227)
[Link] (1 responses)
Posted Jul 15, 2015 22:17 UTC (Wed)
by isilmendil (subscriber, #80522)
[Link]
Posted Jul 29, 2015 14:56 UTC (Wed)
by lu_zero (guest, #72556)
[Link] (1 responses)
Every commit in Libav goes under review in the mailing list. At least for the patches that are not single-line fixes, it could take about 24 hours or more before a submission hits the tree.
On the other hand the Libav code gets "merged" in FFmpeg daily w/out any kind of review. The huge amount commits reported on the Michael side probably is inflated by the merge commits.
Posted Jul 30, 2015 18:05 UTC (Thu)
by flussence (guest, #85566)
[Link]
Posted Jul 25, 2015 19:19 UTC (Sat)
by Vesiukko (guest, #103742)
[Link]
Posted Jul 31, 2015 16:29 UTC (Fri)
by moltonel (guest, #45207)
[Link]
Thanks to Michael for the work done so far, and for this very mature and diplomatic move. I certainly hope that this'll have the desired effect of reuninting the libav and ffmpeg communities.
Why Debian returned to FFmpeg
> disagreement between the two projects: FFmpeg insists on keeping its
> development velocity and allowing developers to "get work done",
> compromising on maintainability and common understanding of the code base
> in favor of more features. Libav on the other hand rather focuses on clean
> implementation and let's say better designed APIs. This requires more work,
> which in effect significantly lowers the development velocity.
Why Debian returned to FFmpeg
I'm not familiar, but this person is and claims that the libav people "rewrite everything." I.e., not just crufty old stuff, but new features in ffmpeg (he gives several examples) that they could just have lifted, but chose to reimplement in an incompatible manner because they don't like it. (The article is from three years ago.)
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
So winning in the presence of a hostile fork basically involves not sucking *too* much more than the fork. You don't even have to be better (assuming you had some success before the fork). You just have to be tolerable, and people will likely stick with what they know. So it's not really *that* impressive a feat.
Why Debian returned to FFmpeg
> This program is only provided for compatibility and will be removed in a future release. Please use avconv instead.
> provided for compatibility. Use avconv instead
Why Debian returned to FFmpeg
Yes. ffmpeg merges every and each commit to libav (with a dozen or so notable exceptions in the last 4 years). Which makes ffmpeg actually downstream of libav. This can also be seen in the commit numbers, the top 4 "contributors" to ffmpeg are, beside Michael, people who work on libav and left ffmpeg because of Michael. The huge number of commits Michael has, is largely inflated by the daily merges of libav code he makes, and the many little fixes those merges need.
Even though ffmpeg largely depends on libav for development, ffmpeg has been always badmouthing libav in all kinds of ways. From "they don't fix security issues" to plain old "their code is shit". This has been discussed as the videolan developer days a few times, but were never actually addressed by the ffmpeg developers responsible.
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Why Debian returned to FFmpeg
Main ffmpeg developer now resigned, hoping to reunite the communities