migrate away from ffmpeg_3

[dotlambda]

ffmpeg_3 has many open vulnerabilities (see #94003 and #120372). There seems to be no effort to add patches for these, so we should drop ffmpeg_3 or at least mark it as insecure.
In #89264, ffmpeg_3 was made the de facto default by making every package that depends on ffmpeg depend on ffmpeg_3 instead. I think that was a bad idea given that the Ffmpeg packages aren't well maintained.
Most packages should build just fine with ffmpeg but someone needs to test them.

Is there an easy way to obtain a list of packages using ffmpeg_3 and ping their maintainers?

cc @doronbehar @codyopel

Here's a list of affected packages:

• aegisub (ffmpeg_3 -> ffmpeg patches #120802)
• airtame (airtame: remove #155539)
• ardour (ardour: 6.5 -> 6.7 #123930)
• attract-mode (attract-mode: ffmpeg_3 -> ffmpeg #126354)
• avxsynth (avxsynth: drop #123478)
• baresip (baresip: use ffmpeg instead of ffmpeg_3 #123480)
• bitwig-studio1 (bitwig-studio: Move away from from ffmpeg_3 #121283)
• bitwig-studio3 (bitwig-studio: Move away from from ffmpeg_3 #121283)
• bombono (bombono: update ffmpeg, fix iso generation #121289)
• capture (capture: use ffmpeg instead of ffmpeg_3 #123491)
• cfdg (cfdg: use ffmpeg instead of ffmpeg_3 #123340)
• clipgrab (clipgrab: use ffmpeg4 #122751)
• deadbeef (deadbeef: ffmpeg_3 -> ffmpeg #123460)
• devede (devede: ffmpeg_3 -> ffmpeg #123465)
• dr14_tmeter (dr14_tmeter: use ffmpeg 4 #125241)
• dvd-slideshow (dvd-slideshow: use ffmpeg instead of ffmpeg_3 #123489)
• ffms (ffms: 2.23 -> 2.40 #120846)
• gnomecast (gnomecast: switch from ffmpeg_3 to ffmpeg #122626)
• goldendict (goldendict: use ffmpeg instead of ffmpeg_3 #123527)
• gopro (gopro: use ffmpeg instead of ffmpeg_3 #123795)
• grass (@mpickering)
• haskellPackages.cut-the-crap (haskellPackages.cut-the-crap: use ffmpeg instead of ffmpeg_3 #123350)
• hedgewars (hedgewars: use ffmpeg 4 #121851)
• oraclejdk (oraclejdk*: use latest ffmpeg #123513)
• k3b (k3b: ffmpeg_3 -> ffmpeg #121256)
• kid3 (ffmpeg_3 -> ffmpeg patches #120802)
• libextractor (libextractor: use ffmpeg instead of ffmpeg_3 #123344)
• libgroove (@andrewrk)
• liblinphone (linphone: use ffmpeg instead of ffmpeg_3 #123366)
• libsForQt5.libopenshot (libsForQt5.libopenshot: use ffmpeg instead of ffmpeg_3 #120600)
• libsForQt5.qtwebengine (libsForQt5.qtwebengine: use ffmpeg instead of ffmpeg_3 #120646)
• libvdpau-va-gl (libvdpau-va-gl: drop obsolete ffmpeg_3 dependency #123757)
• lightspark (lightspark: ffmpeg_3 -> ffmpeg #124330)
• linphone (linphone: use ffmpeg instead of ffmpeg_3 #123366)
• makemkv (makemkv: switch from ffmpeg_3 to ffmpeg #121475)
• manim (manim: use ffmpeg instead of ffmpeg_3 #123799)
• mediastreamer (linphone: use ffmpeg instead of ffmpeg_3 #123366)
• mediatomb (mediatomb: use ffmpeg instead of ffmpeg_3 #123487)
• megacmd (megacmd: temporarily remove ffmpeg dependency #123711)
• megasync (megasync: use ffmpeg instead of ffmpeg_3 #121236)
• mgba (ffmpeg_3 -> ffmpeg patches #120802)
• minidlna (minidlna: switch from ffmpeg_3 to ffmpeg #121089)
• moc (moc: always use newest ffmpeg #123486)
• moonlight-embedded (moonlight-embedded: build with ffmpeg 4 #121849)
• musikcube (musikcube: 0.96.5 -> 0.96.7 #121285)
• natron (@puffnfresh)
• nginxModules.video-thumbextractor (nginxModules.video-thumbextractor: update to unstable and switch to ffmpeg_4 #123881)
• nginxModules.vod (nginxModules.vod: update to 1.29 and switch ffmpeg_3 to ffmpeg #142114)
• nixos/modules/programs/ccache.nix
• nwjs (nwjs: use ffmpeg instead of ffmpeg_3 #123796)
• opencv2 (opencv: use ffmpeg instead of ffmpeg_3 #123365)
• opencv3 (opencv: use ffmpeg instead of ffmpeg_3 #123365)
• opencv4 (opencv: use ffmpeg instead of ffmpeg_3 #123365)
• openjfx11 (openjfx11: use ffmpeg instead of ffmpeg_3 #123500)
• openmw (openmw: ffmpeg_3 -> ffmpeg #123607)
• openrw (openrw: 2018-10-26 -> 2021-10-14 #141997)
• openscenegraph (openscenegraph: update from ffmpeg_3 to ffmpeg #121284)
• oven-media-engine (oven-media-engine: remove unused ffmpeg_3_4 import #155537)
• pangolin (pangolin: 2017-08-02 -> 0.6 #120735)
• peek (peek: use ffmpeg 4 #121812)
• pianobar (pianobar: use ffmpeg4 #121486)
• ppsspp (ffmpeg_3 -> ffmpeg patches #120802)
• pqiv (pqiv: use ffmpeg4 #121480)
• privateer (privateer: drop #123483)
• python2Packages.sipsimple (@pSub)
• python2Packages.thumbor (pythonPackages: migrate away from ffmpeg_3 #121257)
• python3Packages.ha-ffmpeg (python3Packages.ha-ffmpeg: does not depend on ffmpeg_3 #121187)
• python3Packages.imageio (pythonPackages: migrate away from ffmpeg_3 #121257)
• python3Packages.infoqscraper (pythonPackages: migrate away from ffmpeg_3 #121257)
• python3Packages.stytra (pythonPackages: migrate away from ffmpeg_3 #121257)
• qstopmotion (qstopmotion: use ffmpeg instead of ffmpeg_3 #123477)
• renpy (renpy: ffmpeg_3 -> ffmpeg #123464)
• retroArchCores (libretro.ppsspp: update to v1.11 and fix build againt ffmpeg 4.4 #123842)
• retroarchBare (retroarchBare: use ffmpeg instead of ffmpeg_3 #123514)
• retroshare (retroshare: drop #123345)
• ring-daemon (@Radvendii @olynch)
• spotify (spotify: upgrade dependency to ffmpeg4 #121468)
• squeezelite (squeezelite: use ffmpeg 4 #122336)
• togglesg-download (dropped)
• tvheadend (tvheadend: use ffmpeg_4 instead of ffmpeg_3 #135662)
• ultrastardx (ultrastardx: 2020.4.0 -> 2021-04-03 #123416)
• vdrPlugins.vaapidevice (vdrPlugins.vaapidevice: ffmpeg_3 -> ffmpeg #142141)
• vivaldi (vivaldi: use ffmpeg instead of ffmpeg_3 #123341)
• wxSVG (ffmpeg_3 -> ffmpeg patches #120802)
• xineLib (ffmpeg_3 -> ffmpeg patches #120802)
• xscast (xscast: use ffmpeg instead of ffmpeg_3 #123475)
• yaxg (yaxg: use ffmpeg instead of ffmpeg_3 #123474)
• yle-dl (yle-dl: use latest ffmpeg #120773)
• zoneminder (zoneminder: use ffmpeg instead of ffmpeg_3 #123343)
• amarok (amarok: use ffmpeg instead of ffmpeg_3 #120657)
• cantata (cantata: ffmpeg_3 -> ffmpeg #120837)
• carla (carla: remove ffmpeg as dependency #121076)
• ffmpeg-normalize (ffmpeg-normalize: 1.19.0 -> 1.22.1 #120848)
• get_iplayer (get_iplayer: 3.24 -> 3.27 #120863)
• libsForQt5.kfilemetadata (libsForQt5.kfilemetadata: ffmpeg_3 -> ffmpeg #120842)
• mplayer (mplayer: use ffmpeg instead of ffmpeg_3 #120643)
• python3Packages.ffmpeg-python (python3Packages.ffmpeg-python: replace ffmpeg_3 with ffmpeg #120782)
• qmmp (qmmp: switch from ffmpeg_3 to ffmpeg #120771)
• qtox (qtox: ffmpeg_3 -> ffmpeg #120839)
• r128gain (r128gain: replace ffmpeg_3 with ffmpeg #120783)
• ripgrep-all (ripgrep-all: use ffmpeg 4 #120831)
• streamlink (streamlink: 2.0.0 -> 2.1.1 #120601)
• tor-browser-bundle-bin (tor-browser-bundle-bin: use ffmpeg instead of ffmpeg_3 #120653)

Please remove the list of maintainers from packages that are done because GitHub won't allow me to ping more than a certain number of people.

script that I used to generate this list

The manually obtained file packages contains one attribute per line.

pkgs=$(cat packages)
for pkg in $pkgs; do
    pings=$(nix eval "(with import ./. { }; lib.concatStringsSep \" \" (map (m: \"@\" + m.github) ($pkg.meta.maintainers or [ ])))" --raw)
    if [ -z "$pings" ]; then
        echo "- [ ] $pkg" >> packages-with-maintainers
    else
        echo "- [ ] $pkg ($pings)" >> packages-with-maintainers
    fi
done

[Radvendii]

Ring daemon is already broken. You're welcome to switch the ffmpeg version, and if I ever get around to fixing that package, I'll make sure it works (or downgrade the ffmpeg version if absolutely necessary)

I can do it myself, but I'm assuming it's better to do one large PR changing as many as possible at once, than a million tiny PRs. Let me know if that's an incorrect assumption, and I should bump the ffmpeg version in ring-daemon

[dotlambda]

Ring daemon is already broken. You're welcome to switch the ffmpeg version, and if I ever get around to fixing that package, I'll make sure it works (or downgrade the ffmpeg version if absolutely necessary)

If a package is broken for a long time, we should consider removing it. But given that you want to fix it at some point, I guess we should keep this one.

I can do it myself, but I'm assuming it's better to do one large PR changing as many as possible at once, than a million tiny PRs. Let me know if that's an incorrect assumption, and I should bump the ffmpeg version in ring-daemon

It's easier to do in small PRs because nobody will be able to test whether all these packages still work after switching to a newer Ffmpeg.

[magnetophon]

Ardour builds and runs with regular ffmpeg.
A new release is expected any day now, is it OK if I fix it in the PR for that?

[andrewrk]

FYI I'm working on libgroove upstream to bump the dependency. If we want to remove libgroove from nix and resubmit it later when I've completed that work that would be fine with me. Afaik the only package that uses it is groove basin, which I am also the upstream author of and also in the (long) process of rebooting it. IMO these packages should be removed from nixpkgs for now and I will resubmit them in the future.

[AndersonTorres]

Ardour builds and runs with regular ffmpeg.
A new release is expected any day now, is it OK if I fix it in the PR for that?

If it is a security update, then it is better to fix it now and backpropagate to current stable releases.

If upstream Ardour sees no update in one week, update it regardless.

[AndersonTorres]

FYI I'm working on libgroove upstream to bump the dependency. If we want to remove libgroove from nix and resubmit it later when I've completed that work that would be fine with me. Afaik the only package that uses it is groove basin, which I am also the upstream author of and also in the (long) process of rebooting it. IMO these packages should be removed from nixpkgs for now and I will resubmit them in the future.

Is this a distant future? If it is broken but you are notifying us that it will be fixed, therefore I would suggest mark meta.broken = true; followed with a comment upstream notified a new version is coming or something like that.