[FFmpeg-devel] [REQUEST] ffmpeg-security subscription

Vittorio Giovara vittorio.giovara at gmail.com
Thu Aug 15 14:15:07 EEST 2019


On Wed, Aug 14, 2019 at 10:11 PM Reimar Döffinger <Reimar.Doeffinger at gmx.de>
wrote:

> On 14.08.2019, at 11:45, Paul B Mahol <onemda at gmail.com> wrote:
> > I strongly disagree with you. Why some people have subscription to
> security
> > mailing list and I'm not allowed also?
>
> Long version, explaining to the best of my knowledge and memory:
> The people on it are on it because at some point it was considered
> necessary to have them on it.
> You have not brought an argument why the project would need you to be on
> it in order to deal with issues in a satisfactory way.
> Generally only basic technical skills are needed, enough to discuss the
> issue and potentially hand over to the maintainer. And whoever is involved
> in the releases is generally needed.
> Beyond that I would describe it as a PR function (giving a polite and
> level headed response to a security researcher claiming something that is
> obvious nonsense to an FFmpeg developer tends to make things go much
> smoother), which I would have assumed to not be among your aspirations.
> It's definitely not about a "right" or a "privilege" or having "earned"
> it, it's about need.
> And when possible a bit of trust (the personal kind, not just the "not
> malicious" kind which is of course an absolute requirement), though that
> might be more relevant for projects like Linux where really bad stuff
> causing stress and possibly conflicts tends to hit. Flame wars are the last
> thing one needs in the middle of dealing with a bad issue.
>
> TL;DR is probably: one doesn't end up on security lists by asking to be on
> it but by persons Y and Z saying "we should/need to have person X on the
> list".
> I am not aware of any such wishes (though admittedly I wouldn't be the one
> contacted about it I guess).
>

I think being on the security list may have some professional implications
too: if you use ffmpeg in your $dayjob, being notified of security problems
in ffmpeg, and acting upon them before the fix lands in the tree, may be
crucial. I think Paul is lamenting the fact that being selected for the
security list is extremely arbitrary and there is no process described on
how to join it.
-- 
Vittorio

