[FFmpeg-devel] [REQUEST] ffmpeg-security subscription

Paul B Mahol onemda at gmail.com
Fri Aug 16 12:33:30 EEST 2019


On Fri, Aug 16, 2019 at 3:39 AM Reimar Döffinger <Reimar.Doeffinger at gmx.de>
wrote:

>
> On 15.08.2019, at 19:38, Paul B Mahol <onemda at gmail.com> wrote:
>
> > On Thu, Aug 15, 2019 at 7:20 PM Reimar Döffinger <Reimar.Doeffinger at gmx.de>
> > wrote:
> >
> >> On 15.08.2019, at 13:15, Vittorio Giovara <vittorio.giovara at gmail.com>
> >> wrote:
> >>> I think being on the security list may have some professional implications
> >>> too: if you use ffmpeg in your $dayjob, being notified of a security problem
> >>> in ffmpeg, and acting upon it before the fix lands in the tree, may be
> >>> crucial. I think Paul is lamenting the fact that being selected for the
> >>> security list is extremely arbitrary and there is no process described on
> >>> how to join it.
> >>
> >> Sorry, but just any $dayjob I really don't see relevant at all.
> >> If there is a huge user of AND major contributor to FFmpeg with vastly
> >> higher risk of attack that is hard to mitigate in any other way they might
> >> have an argument. I.e. if there is a NEED because it is the only way to
> >> protect a significant user/number of users.
> >> But it still most likely is a misuse. The security list is about receiving
> >> reports and responding to it from our side.
> >> Using it to forewarn users would either mean letting a large number of
> >> people on it (I hope we agree that is obviously stupid) or disadvantaging
> >> 99% of our users.
> >> If someone has concerns in this area and I'm sure there's ways for them to
> >> contribute.
> >> I still don't see it would need access to the security list though, but it
> >> might lead to being invited.
> >>
> >> Of course this is just my opinion and I am happy to learn:
> >> are there other projects describing such a process?
> >> For the Linux kernel I only know about such a thing for the list that is
> >> for communicating and aligning with distributions.
> >> Something comparable does not currently exist for FFmpeg.
> >>
> >
> > So you, as developer are higher valued and more useful than other
> > developers?
>
> I have no idea where you get that from anything I said, do you think the
> bus driver is higher valued and more useful than anyone else on the bus
> because they don't let just anyone who wants drive it?
>

Thank you for confirming that you are discriminatory against other
developers.

