[FFmpeg-devel] [REQUEST] ffmpeg-security subscription
Paul B Mahol
onemda at gmail.com
Thu Aug 15 20:38:17 EEST 2019
On Thu, Aug 15, 2019 at 7:20 PM Reimar Döffinger <Reimar.Doeffinger at gmx.de>
wrote:
> On 15.08.2019, at 13:15, Vittorio Giovara <vittorio.giovara at gmail.com>
> wrote:
> > I think being on the security list may have some professional
> implications
> > too: if you use ffmpeg in your $dayjob, being notified of security
> problem
> > in ffmpeg, and acting upon it before the fix lands in the tree, may be
> > crucial. I think Paul is lamenting the fact that being selected for the
> > security list is extremely arbitrary and there is no process described on
> > how to joining it.
>
> Sorry, but just any $dayjob I really don't see relevant at all.
> If there is a huge user of AND major contributor to FFmpeg with vastly
> higher risk of attack that is hard to mitigate in any other way they might
> have an argument. I.e. if there is a NEED because it is the only way to
> protect a significant user/number of users.
> But it still most likely is a misuse. The security list is about receiving
> reports and responding to it from our side.
> Using it to forewarn users would either mean letting a large number of
> people on it (I hope we agree that is obviously stupid) or disadvantaging >
> 99% of our users.
> If someone has concerns in this area and I'm sure there's ways for them to
> contribute.
> I still don't see it would need access to the security list though, but it
> might lead to being invited.
>
> Of course this is just my opinion and I am happy to learn:
> are there other projects describing such a process?
> For the Linux kernel I only know about such a thing for the list that is
> for communicating and aligning with distributions.
> Something comparable does not currently exist for FFmpeg.
>
So you, as developer are higher valued and more useful than other
developers?
This is discrimination.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
More information about the ffmpeg-devel
mailing list