Open
Description
Priority
P2-High
OS type
N/A
Hardware type
N/A
Installation method
- N/A
Deploy method
- N/A
Running nodes
N/A
What's the version?
Latest Git HEAD.
Description
As in opea-project/GenAIComps#1494, an old, static Git-snapshot FFmpeg build is used, this time in the Gradio image.
Issues:
- The binary is downloaded from a "random" personal site instead of being installed with apt-get as a signed distro package
- It is an FFmpeg Git snapshot build which, according to the tarball's readme, is some Git commit from June 2024, instead of a better tested and validated (distro) FFmpeg release version
- It is a static (GPL3) build instead of a dynamically linked one, where the distro takes care of security fixes for the dependencies
- OPEA security tooling cannot warn when that FFmpeg or its dependencies need updating for known CVEs, as it could for a distro package
- The downloaded tarball is missing the license / copyright information required for the statically linked dependencies (which the distro package would take care of)
Fix is trivial, see: https://github.com/opea-project/GenAIComps/pull/1802/files
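As an added example (not OPEA project code), a small Python check that scans a Dockerfile for RUN steps fetching a pre-built binary archive from an arbitrary host, the pattern this issue describes, and proposes the distro package instead. The sample Dockerfile and the example.invalid host are constructed placeholders, not the real site.

```python
import re
# Archive suffixes typical of pre-built binary bundles such as static FFmpeg tarballs.
ARCHIVE_RE = re.compile(r"\.(tar\.(xz|gz|bz2)|tgz|zip)\b")
# A wget/curl invocation followed by the URL it fetches.
FETCH_RE = re.compile(r"\b(wget|curl)\b[^\n]*?(https?://[^\s'\"]+)")

def _logical_lines(text):
    """Join backslash-continued Dockerfile lines, keeping the first line's number."""
    out, buf, start = [], [], 0
    for i, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = i
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        out.append((start, " ".join(buf)))
        buf = []
    return out

def find_unmanaged_downloads(dockerfile_text):
    """Return (line_no, host, is_snapshot) per RUN step that downloads an archive by URL;
    is_snapshot is True when the file name says 'static' or 'git' (unversioned build)."""
    findings = []
    for line_no, line in _logical_lines(dockerfile_text):
        if not line.lstrip().upper().startswith("RUN"):
            continue
        for m in FETCH_RE.finditer(line):
            url = m.group(2)
            if ARCHIVE_RE.search(url):
                name = url.rsplit("/", 1)[-1].lower()
                findings.append((line_no, url.split("/")[2], "static" in name or "git" in name))
    return findings

def suggest_fix(finding, package="ffmpeg"):
    """The distro package is signed, release-versioned and CVE-tracked by apt."""
    line_no, host, _ = finding
    return (f"line {line_no}: replace the download from {host} with "
            f"'apt-get install -y --no-install-recommends {package}'")

# Constructed sample Dockerfile; the host is a placeholder, not the real site.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends python3 \\
    && rm -rf /var/lib/apt/lists/*
RUN wget https://example.invalid/builds/ffmpeg-git-amd64-static.tar.xz \\
    && tar xf ffmpeg-git-amd64-static.tar.xz \\
    && mv ffmpeg-git-*/ffmpeg /usr/local/bin/
"""
```

Running the check over a Dockerfile that only uses apt-get returns no findings, which is the state the linked PR moves the image to.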
Reproduce steps
- See:
- Check the downloaded FFmpeg tarball contents
Notes
Another fix that could be done at the same time is dropping the redundant OpenGL X server bindings package libgl1-mesa-glx (and its X server library dependencies) from the images.