[FFmpeg-devel] [REQUEST] ffmpeg-security subscription
Reimar Döffinger
Reimar.Doeffinger at gmx.de
Wed Aug 14 23:11:04 EEST 2019
On 14.08.2019, at 11:45, Paul B Mahol <onemda at gmail.com> wrote:
> I strongly disagree with you. Why some people have subscription to security
> mailing list and I'm not allowed also?
Long version, explaining to the best of my knowledge and memory:
The people on it are on it because at some point it was considered necessary to have them on it.
You have not brought an argument why the project would need you to be on it in order to deal with issues in a satisfactory way.
Generally only basic technical skills are needed, enough to discuss the issue and potentially hand over to the maintainer. And whoever is involved in the releases is generally needed.
Beyond that I would describe it as a PR function (giving a polite and level headed response to a security researcher claiming something that is obvious nonsense to an FFmpeg developer tends to make things go much smoother), which I would have assumed to not be among your aspirations.
It's definitely not about a "right" or a "priviledge" or having "earned" it, it's about need.
And when possible a bit of trust (the personal kind, not just the "not malicious" kind which is of course an absolute requirement), though that might be more relevant for projects like Linux where really bad stuff causing stress and possibly conflicts tends to hit. Flame wars is the last thing one needs in the middle of dealing with a bad issue.
TL;DR is probably: one doesn't end up on security lists by asking to be on it but by persons Y and Z saying "we should/need to have person X on the list".
I am not aware of any such wishes (though admittedly I wouldn't be the one contacted about it I guess).
More information about the ffmpeg-devel
mailing list