[FFmpeg-devel] core infrastructure badge for FFmpeg
Carl Eugen Hoyos
cehoyos at ag.or.at
Wed Jul 6 11:02:55 EEST 2016
Ganesh Ajjanagadde <gajjanag <at> mit.edu> writes:
> > No question, it would be better if tests would be added quicker ...
> I do not doubt this, but at the moment we do not enforce it.
> Do you see any trouble in enforcing this requirement from
> major release to next major release?
I am against adding such a "hard" requirement.
I believe we have filters that are impossible / very
difficult to test.
> >> 17. There MUST be no unpatched vulnerabilities of
> >> medium or high severity that have been publicly
> >> known for more than 60 days.
> >> Do we guarantee this?
(What is "medium or high severity"? I only remember now
that concat protocol was "low" and that we fixed it after
a few days.)
I am sorry if I completely misunderstand this sentence
but I am 100% sure we do not guarantee that we fix future
vulnerabilities within a given time.
(on the contrary, see our license)
Additionally, I suspect there is no open source project
that can guarantee this.
In case I do understand the above sentence correctly, I
believe we should not try to apply (read "phony").
More information about the ffmpeg-devel