[FFmpeg-devel] [REQUEST] ffmpeg-security subscription

Reimar Döffinger Reimar.Doeffinger at gmx.de
Thu Aug 15 20:20:38 EEST 2019


On 15.08.2019, at 13:15, Vittorio Giovara <vittorio.giovara at gmail.com> wrote:
> I think being on the security list may have some professional implications
> too: if you use ffmpeg in your $dayjob, being notified of security problems
> in ffmpeg, and acting upon them before the fix lands in the tree, may be
> crucial. I think Paul is lamenting the fact that being selected for the
> security list is extremely arbitrary and there is no process described on
> how to join it.

Sorry, but I really don't see just any $dayjob as relevant at all.
If there is a huge user of AND major contributor to FFmpeg with a vastly higher risk of attack that is hard to mitigate in any other way, they might have an argument. I.e. if there is a NEED because it is the only way to protect a significant user/number of users.
But it still most likely is a misuse. The security list is about receiving reports and responding to them from our side.
Using it to forewarn users would either mean letting a large number of people on it (I hope we agree that is obviously stupid) or disadvantaging > 99% of our users.
If someone has concerns in this area, I'm sure there are ways for them to contribute.
I still don't see that it would need access to the security list though, but it might lead to being invited.

Of course this is just my opinion and I am happy to learn:
are there other projects describing such a process?
For the Linux kernel I only know about such a thing for the list that is for communicating and aligning with distributions.
Something comparable does not currently exist for FFmpeg.