[FFmpeg-devel] [rfc] ffmpeg security issue mailing list

Michael Niedermayer michael at niedermayer.cc
Thu Feb 9 16:54:04 EET 2017

On Thu, Feb 09, 2017 at 09:07:39AM -0500, Compn wrote:
> On Thu, 09 Feb 2017 13:24:53 +0000, Kieran Kunhya <kierank at obe.tv>
> wrote:
> > >
> > > I don't think we should give access to ffmpeg-security to everyone who
> > > wants to be on the list. This is of course something the community
> > > has to decide and not me; I am just erring on the safe side and am very
> > > restrictive on who is added.
> > >
> > 
> > This is a bogus argument considering how many people have commit access and
> > can commit whatever.
> honestly with the fearmongering? are you saying the russian ffmpeg
> developers can just commit whatever they want whenever they want?! also
> there are some chinese ffmpeg developers! even the president says china
> can't be trusted! the russians hacked the election and now they will put
> backdoors in ffmpeg!?!?!
> (this email is satire btw... i do not believe russia affected the us
> election, nor brexit. and china is cool with me.)

> if kierank and wm4 want on the -security list, please put them on the
> security list.

> i doubt anyone will vote against their inclusion on the
> list.

maybe, but does anyone really think that's how ffmpeg-security
should be run?

I think FFmpeg has a very good security history; there's a "name" to
lose here. My opinion is that there should be a rule, whatever that
rule is, and the community should decide this rule.

If the community wants only people who need access for their work in
FFmpeg to have access to ffmpeg-security, then that's the rule.

If the community wants every FFmpeg maintainer who wants to be on the
alias to be added, then that's the rule.

We can do more or less or between these 2, but there's a relation
between what we do and how professional this is.
For example, giving everyone access to security would likely be seen
with some distrust by companies and security researchers. And the
proportion of security mails being sent to ffmpeg-security might drop
as a result of that.
I mean, if you were a company who has customers and has a warranty/
obligation toward them, would you post details about security issues
to a semi-public list, which, if leaked before it's fixed, could cause
massive damage to your customers and indirectly to your company?
Also, our users depend on security stuff staying private until issues
are fixed ...
All this is why I am for a very restrictive policy on who can access
the ffmpeg-security stuff.

Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus