[FFmpeg-devel] core infrastructure badge for FFmpeg

Carl Eugen Hoyos cehoyos at ag.or.at
Wed Jul 6 11:02:55 EEST 2016

Ganesh Ajjanagadde <gajjanag <at> mit.edu> writes:

> > No question, it would be better if tests would be added quicker ...
> I do not doubt this, but at the moment we do not enforce it.
> Do you see any trouble in enforcing this requirement from 
> major release to next major release?

I am against adding such a "hard" requirement.
I believe we have filters that are impossible / very 
difficult to test.


> >>  17. There MUST be no unpatched vulnerabilities of 
> >> medium or high severity that have been publicly
> >> known for more than 60 days.
> >>  Do we guarantee this?

(What is "medium or high severity"? I only remember now 
that concat protocol was "low" and that we fixed it after 
a few days.)

I am sorry if I completely misunderstand this sentence 
but I am 100% sure we do not guarantee that we fix future 
vulnerabilities within a given time.
(on the contrary, see our license)

Additionally, I suspect there is no open source project 
that can guarantee this.

In case I do understand the above sentence correctly, I 
believe we should not try to apply (read "phony").

Carl Eugen

More information about the ffmpeg-devel mailing list