[FFmpeg-devel] Request for Official GitHub Mirror of rtmpdump for Enhanced Security
Javier Matos Denizac
javiermat at microsoft.com
Tue Apr 23 22:04:08 EEST 2024
Dear FFmpeg team,
My name is Javier Matos, and I am part of the vcpkg team at Microsoft. vcpkg is an open-source package manager designed to help developers manage C++ libraries across platforms in a consistent manner.
I am reaching out to inquire if FFmpeg could host an official GitHub mirror for the `rtmpdump` repository on `github.com/FFmpeg`.
Currently, vcpkg uses a mirrored version from `github.com/mirror/rtmpdump`, which is not maintained by the original authors, posing a significant supply chain risk due to potential unauthorized modifications.
Alternatively, while we could switch to using the repository at `git://git.ffmpeg.org/rtmpdump.git`, this source lacks support for SHA512 checksums, complicating asset caching and security verification crucial for ensuring the integrity of the code during downloads.
An official GitHub mirror hosted by FFmpeg would address these issues by providing a secure, verifiable source that we can integrate with vcpkg. Thank you for considering this request. I look forward to your feedback.
Best regards,
Javier Matos
More information about the ffmpeg-devel
mailing list