[FFmpeg-devel] [RFC] samples.ffmpeg.org

Michael Niedermayer michael at niedermayer.cc
Tue Aug 6 13:05:15 EEST 2019


On Mon, Aug 05, 2019 at 09:03:32PM +0200, Paul B Mahol wrote:
> On Mon, Aug 5, 2019 at 8:55 PM Michael Niedermayer <michael at niedermayer.cc> wrote:
> 
> > On Mon, Aug 05, 2019 at 05:57:47PM +0200, Paul B Mahol wrote:
> > > > On Mon, Aug 5, 2019 at 5:45 PM Michael Niedermayer <michael at niedermayer.cc> wrote:
> > >
> > > > On Mon, Aug 05, 2019 at 05:24:31PM +0200, Paul B Mahol wrote:
> > > > > > On Mon, Aug 5, 2019 at 5:21 PM Michael Niedermayer <michael at niedermayer.cc> wrote:
> > > > >
> > > > > > On Mon, Aug 05, 2019 at 02:44:29AM +0000, Li, Zhong wrote:
> > > > > > > > > From: ffmpeg-devel [mailto:ffmpeg-devel-bounces at ffmpeg.org] On Behalf
> > > > > > > > > Of Michael Niedermayer
> > > > > > > > Sent: Monday, August 5, 2019 3:45 AM
> > > > > > > > To: FFmpeg development discussions and patches
> > > > > > > > <ffmpeg-devel at ffmpeg.org>
> > > > > > > > Subject: Re: [FFmpeg-devel] [RFC] samples.ffmpeg.org
> > > > > > > >
> > > > > > > > On Sun, Aug 04, 2019 at 05:42:14PM +0100, Kieran Kunhya wrote:
> > > > > > > > > On Sat, 3 Aug 2019 at 18:35, Michael Niedermayer
> > > > > > > > > <michael at niedermayer.cc>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Hi all
> > > > > > > > > >
> > > > > > > > > > > It seems we do not have a list of people volunteering to do uploads
> > > > > > > > > > > to samples. And no place to send such requests to except here, where
> > > > > > > > > > > they sometimes get ignored.
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > Just give everyone with push access right to upload.
> > > > > > > >
> > > > > > > > > Upload currently requires an account on the server, giving everyone an
> > > > > > > > > account is a security risk.
> > > > > > > > > It also doesn't really make sense to give someone access who doesn't need
> > > > > > > > > access.
> > > > > > > > > If someone wants to take care of uploads (s)he can have access.
> > > > > > > > >
> > > > > > > > > Of course if there's a majority wanting everyone with push access to have an
> > > > > > > > > account on the server, sure we will do that but I don't think it's a good idea.
> > > > > > > > > IMHO it's always better (aka more secure) if access is kept at a minimum.
> > > > > > > > >
> > > > > > > > > besides, it would be a bit of work to keep the list of who has push access and
> > > > > > > > > who has samples access synchronized. It's different servers and different
> > > > > > > > > types of "accounts"
> > > > > > > > > and the whole point from my point of view is that I'd like to spend my time on
> > > > > > > > > other areas on FFmpeg While keeping accounts synchronized would be
> > > > > > > > > probably more work than doing the uploads myself
> > > > > > > >
> > > > > > > > Thanks
> > > > > > >
> > > > > >
> > > > > > > My suggestions would be:
> > > > > > > > 1. If there is any volunteer to be fate-samples MAINTAINERS, tell him
> > > > > > > > how to apply and update the FATE MAINTAINERS list.
> > > > > >
> > > > > > > I am not sure if there is someone, but if so (s)he should send an email to
> > > > > > > root or to ffmpeg-devel (again in case he did long ago already)
> > > > > >
> > > > >
> > > > > You are not sure that you gave someone upload access to fate samples?
> > > > > Perhaps you forgot?
> > > >
> > > > > I am not sure if someone volunteered and did not receive access as at a
> > > > > similar time other people suggested that the existing people with access
> > > > > could handle it and no new uploaders were needed.
> > > > >
> > > > > So yeah, short form: I forgot the name from an email months or years ago.
> > > >
> > > >
> > > Can you check now who have access?
> >
> > Yes,
> >
> > compn
> > carl
> > reimar
> > beastd,
> > lou
> > ubitux
> > paul
> > hendrik
> > derek,
> > james almer
> > martin vignali
> > thilo
> > atomnuker
> > peter ross
> 
> 
> Great.
> 
> Rule 777. of security: do not expose all people which can be used to break
> security.

the list was posted previously already

and the public MAINTAINERS file provides a more complete superset for any
nasty things

but sure you have a point.
In an open source project there's the tradeoff about openness though and
many times the list of people having access to something is available to
the public.


> 
> I did not want to list all, just to confirm it's me on that list.

And you asked "do i have access?" ? or "Can you check now who have access?"
I mean you know the admin can check that so the literal form of the 2nd
question makes no sense and a reply to that would not have even answered
what you want to know.
as in "yes i can check" doesn't tell you if you have access.

I guess the conclusion is your questions are bizarre and I should be more
careful security wise. More carefulness about security can never hurt

Thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

"I am not trying to be anyone's saviour, I'm trying to think about the
 future and not be sad" - Elon Musk
