[FFmpeg-devel] Request for Official GitHub Mirror of rtmpdump for Enhanced Security
Michael Niedermayer
michael at niedermayer.cc
Wed Apr 24 00:46:43 EEST 2024
Hi
On Tue, Apr 23, 2024 at 07:04:08PM +0000, Javier Matos Denizac via ffmpeg-devel wrote:
> Dear FFmpeg team,
>
>
> My name is Javier Matos, and I am part of the vcpkg team at Microsoft. vcpkg is an open-source package manager designed to help developers manage C++ libraries across platforms in a consistent manner.
>
> I am reaching out to inquire if FFmpeg could host an official GitHub mirror for the `rtmpdump` repository on `github.com/FFmpeg`.
>
> Currently, vcpkg uses a mirrored version from `github.com/mirror/rtmpdump`, which is not maintained by the original authors, posing a significant supply chain risk due to potential unauthorized modifications.
>
> Alternatively, while we could switch to using the repository at `git://git.ffmpeg.org/rtmpdump.git`, this source lacks support for SHA512 checksums, complicating asset caching and security verification crucial for ensuring the integrity of the code during downloads.
Can you elaborate what the problem is ?
I would have thought https://git.ffmpeg.org/rtmpdump.git
is secure
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240423/c2623da9/attachment.sig>
More information about the ffmpeg-devel
mailing list