[FFmpeg-devel] [EXTERNAL] Request for Official GitHub Mirror of rtmpdump for Enhanced Security
Derek Buitenhuis
derek.buitenhuis at gmail.com
Fri Apr 26 03:02:14 EEST 2024
Hi,
Replies inline.
On 4/26/2024 12:10 AM, Javier Matos Denizac via ffmpeg-devel wrote:
> Actually, I noticed that you publish release tarballs -> http://rtmpdump.mplayerhq.hu/download/, but I don’t see a release tarball for 2.4. Would y’all be willing to publish a release for 2.4 and maybe mint and publish a release tarball for 2.6?
As far as I can tell, the rtmpdump author has, move away from tarballs
and only uses git tags, now, as per https://rtmpdump.mplayerhq.hu/, which
itself seems outdated.
You may have better luck contacting its main contributor (Howard Chu), on
rtmpdump's own mailing list (https://lists.mplayerhq.hu/mailman/listinfo/rtmpdump)
or directly. FFmpeg only provides infrastructure for it, to my knowledge.
> As for why SHA-512, we use SHA-512 checksums to verify the integrity of the file and as an identifier for our asset caching mechanism. That way we can identify if we have already downloaded the tarball and avoid downloading it again.
It was unclear you were talking about tarballs as you only referred to GitHub and
the FFmpeg-run git server...
That said, I am unsure why git is not considered secure / verifiable enough, compared
to a tarball. I would actually argue the opposite is true for autogenerated tarballs
like GitHub provides.
- Derek
More information about the ffmpeg-devel
mailing list