[MPlayer-dev-eng] MPlayer Security

Bernd Ernesti mplayer-dev-eng at lists.veego.de
Sat Apr 8 18:17:58 CEST 2006


On Sat, Apr 08, 2006 at 06:12:09PM +0300, Ivan Kalvachev wrote:
> 2006/4/7, Bernd Ernesti <mplayer-dev-eng at lists.veego.de>:
> > On Fri, Apr 07, 2006 at 10:10:18AM +0300, Ivan Kalvachev wrote:
> > > Some days ago on irc I asked Diego to create maillist
> > > mplayer-security. Maillist could be created only by root, and he has
> > > the root account.
> > > His reply was rather strange and the maillist is not yet created.
> > >
> > > I kindly ask whoever has root access to create mplayer-security maillist.
> >
> > I wouldn't do it if I had root access.
> >
> > You should make your points, why you would want one and not just demanding to
> > create it.
> 
> Are you nuts or just irresponsible?

No, but I found it a little strange that Diego didn't create it.
So, there must be a reason for that and not hearing what you said in
this reply made me wonder why.

> It has been discussed before that we need maillist, where security
> problems could be reported and mplayer developers could discuss them
> in private.

This is imho the wrong way for doing it. See below.

> I think that allowing mails that have [SECURITY] or [ADVISORY] in the
> subject to pass even when sent by people not subscribed, could do the
> trick.

You can't expect that all people use this tag while sending a security
problem.
There should be a single email address for security problems, with a
few people getting these mails. Then they should contact other people,
who can work on this problem, maybe on the new mailing list which you
want, but then you have a lot of people who know about this security
problem in advance and it gets more likely that this problem could
leak.

A security problem should be shared only with people who need to know
about it, and not with people who don't need to know about it in
advance.

> It is very harmful for security problems to be reported in (the highest
> volume maillist) mplayer-users , as it is now. Especially if they
> don't come with a fix.

Yeah, that is not a good idea to direct people to mplayer-users for
reporting security related problems.

Which brings us down to the point that mplayer needs a new release.
May that be only a patch or full release.
The security list or whatever email address will be used is a good
idea, but won't bring us anything if there will be nothing coming
out of it (patch or release).

Bernd



