[FFmpeg-devel] [RFC] Commit tags : security

Michael Niedermayer michaelni
Fri Oct 26 03:59:38 CEST 2007


Hi

On Fri, Oct 26, 2007 at 12:14:25AM +0300, Ismail Dönmez wrote:
> On Thursday 25 October 2007 at 22:15:59 wrote:
> > The security people at Gentoo are a bit puzzled about how to handle
> > security and ffmpeg, mostly because it is relatively hard to figure out when a
> > fix addresses a security issue or not. So far Michael just puts
> > "security" in the commit message and that helps a bit.

don't forget "sechole", "exploit", "arbitrary" !
and various misspellings of them ;)


> >
> > What they'd like in order to track better and help evaluating issues is
> > to have commit that fix probable issues marked with [sec] or even
> > better, if you have an idea about the severity [sec+{0,1,2,3,4,5}] with
> > 0 meaning "unsure" and 5 meaning high failure.

i am not against a [security] tag
[sec] seems a little short and might be confusing to someone not knowing what
it means

about [sec+<num>], that is an obfuscated mess, it would make more sense to use
something like
[security] [heap overflow] [possibly exploitable]

and if we do decide to use such tags then it's VERY important that our
pre-commit check script checks them and refuses the commit if there are unknown
tags. that way we avoid misspellings


> >
> > FFmpeg is quite widely used and giving clues on which revision should be
> > used as update is quite important to outside projects.
> 
> I would like an ffmpeg-packagers@ mailing list which is private to FFmpeg
> packagers, then security issues could be pre-notified so that we can do
> releases after the fix is committed to SVN.
> 
> I am asking too much maybe? :)

if you are asking for a mailing list where security issues and their fixes
could be discussed and people could post found security issues that would be
fine

but if you are asking us to delay committing fixes to secholes to svn so that
you can prepare some fixed package this is completely out of the question

it would increase the security of ffmpeg packages in distros
at the expense of the security of ffmpeg svn
it would also significantly delay not only the point where a security fix is
made public in svn but also when it is made available from distros
having it public earlier forces distros to work faster :)

so the time before a fix decreases and i believe this is desirable ...
especially if some bad guy/girl finds the sechole independently or somehow
managed to get access to the ffmpeg-packagers@ mailing list postings
it's not as if unencrypted email is that secure or the systems of the
subscribers would be all 100% secure

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I wish the Xiph folks would stop pretending they've got something they
do not.  Somehow I fear this will remain a wish. -- Måns Rullgård
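The pre-commit tag check Michael asks for above (reject the commit when the message carries an unknown tag, so misspellings cannot slip through) looks roughly like this. This is an added example, not FFmpeg's actual hook: the convention that tags are bracketed words on the first line of the message, the allowlist (only [security], [heap overflow] and [possibly exploitable] come from the thread; [stack overflow] is a placeholder) and the file/stdin wiring are all assumptions.

```python
"""Reject commit messages that carry unrecognised bracketed tags.

Assumed convention: tags are bracketed words on the first line of the commit
message, e.g. "[security] [heap overflow] [possibly exploitable] fix ...".
The allowlist and the hook wiring below are assumptions for this example,
not FFmpeg's real pre-commit script.
"""
import difflib
import re
import sys

# Assumed allowlist: the first three tags are the ones proposed in the thread,
# "stack overflow" is a placeholder a project would define for itself.
KNOWN_TAGS = frozenset({
    "security",
    "heap overflow",
    "possibly exploitable",
    "stack overflow",
})

# One bracketed token, no nested brackets.
TAG_RE = re.compile(r"\[([^\[\]]+)\]")


def extract_tags(message):
    """Return the bracketed tags on the first line of the message, lower-cased
    and whitespace-normalised, in order of appearance.  Only the first line is
    scanned so that "buf[i]" in the body is not mistaken for a tag."""
    first_line = message.strip().split("\n", 1)[0]
    return [" ".join(m.group(1).lower().split()) for m in TAG_RE.finditer(first_line)]


def check_tags(message, known=KNOWN_TAGS):
    """Validate one commit message.

    Returns the tags that are not in the allowlist and, for each of them, the
    closest known tag when one is reasonably similar, so a misspelling such as
    [secruity] gets a concrete hint instead of a bare rejection.
    """
    unknown = [t for t in extract_tags(message) if t not in known]
    suggestions = {}
    for tag in unknown:
        close = difflib.get_close_matches(tag, sorted(known), n=1, cutoff=0.6)
        if close:
            suggestions[tag] = close[0]
    return {"unknown": unknown, "suggestions": suggestions}


def commit_allowed(message, known=KNOWN_TAGS):
    """True if every tag on the first line is in the allowlist (an untagged
    message is fine: tags are optional, only unknown ones are refused)."""
    return not check_tags(message, known)["unknown"]


def main(argv):
    # Assumed hook wiring: the message comes as a file argument or on stdin,
    # and a non-zero exit status makes the version control system refuse the commit.
    text = open(argv[1]).read() if len(argv) > 1 else sys.stdin.read()
    result = check_tags(text)
    for tag in result["unknown"]:
        hint = result["suggestions"].get(tag)
        extra = " (did you mean [%s]?)" % hint if hint else ""
        sys.stderr.write("unknown commit tag [%s]%s\n" % (tag, extra))
    return 0 if not result["unknown"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the allowlist is exact-match and the check runs before the commit lands, a tag that is not literally one of the agreed strings is refused, which is what makes the tags usable for the distro security teams the thread is about: they can grep for `[security]` in the log and trust that a misspelled variant was never accepted.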