[FFmpeg-devel] [RFC] ffmpeg security

James Almer jamrial at gmail.com
Fri Feb 10 21:43:17 EET 2017

On 2/10/2017 4:03 PM, Michael Niedermayer wrote:
> Hi community
> what do you prefer about the ffmpeg-security alias ?
> in no particular order
> Should everyone on the alias be listed in MAINTAINERS under a
> ffmpeg-security point?

I'd say yes. From a transparency PoV, people should know who will
get access to such reports.

> Should for everyone who is on the alias a reason be listed in
> MAINTAINERS why (s)he is on the alias?

IMO, there's no need for this. Read below.

> Should everyone on the alias have a reason beyond curiosity to be
> on the alias? (that is a reason that clearly benefits FFmpeg)

Yes, it should be about intending to fix reports and/or review fixes
made by others. Curiosity alone is not enough at all.

> Should everyone on the alias be a FFmpeg maintainer?

They should be trustworthy, active and ideally long-standing
We have a few such people that don't "maintain" anything, as far
as having an entry in MAINTAINERS goes or implicitly maintaining
some specific part of the codebase, so that shouldn't be a

Of course, inaccuracies in that file should be fixed. Anyone
implicitly maintaining some module should add themselves to it.

> Should everyone on the alias be a FFmpeg supporter?
> (For example not bad-mouthing the project)

If by bad-mouthing you mean something like ill-intended defamation
then sure, that's not acceptable.
People however often voice their frustration towards pretty much
anything, so I don't agree that should be a blocker at all.
Doubt many people would survive a Google search for public IRC or
email logs in that regard. The amount of not-so-kind words as a
consequence of some questionable chunk of code is probably big.

> Should everyone on the alias be required to make a good effort to act
> in the best interest of FFmpeg in relation to ffmpeg security?

If the requirement to get in is intending to fix reports or review
fixes for said reports, then they are IMO already acting in the
best interest of the project.

