Choose & verify a variant¶
Every release ships two modules. Pick by licence, then verify before you trust it.
Which one?¶
graph TD
A[Do you need libx264-quality H.264 encoding?] -->|No| L[ffmpeg-wasi-lgpl.wasm]
A -->|Yes| B[Can your distribution accept GPL?]
B -->|Yes| G[ffmpeg-wasi-gpl.wasm]
B -->|No| Lffmpeg-wasi-lgpl.wasm— the default. LGPL-2.1+, proprietary-compatible. H.264 encode via openh264 (or omitted); everything else in the baseline.ffmpeg-wasi-gpl.wasm— LGPL plus--enable-gpl+ libx264 for best-in-class H.264 encoding. The artifact is GPL-2.0+.
When in doubt, start with LGPL. See the licensing model for the full picture (and why shipping both together is clean).
Verify the checksum¶
Each release includes checksums.txt. Always verify the module you downloaded:
# Download the module + checksums.txt from the release, then:
sha256sum -c checksums.txt --ignore-missing
# ffmpeg-wasi-lgpl.wasm: OK
Or check a single file against the published value:
Pin it in a consumer¶
When loading the module from Go via afmpeg, pin both the URL and the SHA-256 so an unexpected artifact is rejected:
rt, _ := afmpeg.New(ctx, afmpeg.WithModuleURL(
"https://gitlab.com/api/v4/projects/83847809/packages/generic/ffmpeg-wasi/n8.1.2-1/ffmpeg-wasi-lgpl.wasm",
afmpeg.WithSHA256("0f338dac4ed1be3819aaf26f1cdeef119e817b43103f1460ca19354ea56bacc9"),
))
Each release lists every asset's URL
and checksums.txt. For n8.1.2-1 the GPL module's SHA-256 is
093c9e084fa82780e7247cd7457c3742e398fc3075ba803eef6924cc72512586. For exactly what went into
a build (FFmpeg version, dependencies, configure line, licence), read its provenance.json.