[Ffmpeg-devel] Coverity defect scan

Diego Biurrun diego
Sat Mar 11 09:00:38 CET 2006


On Sat, Mar 11, 2006 at 01:37:10AM +0100, Michael Niedermayer wrote:
> 
> On Fri, Mar 10, 2006 at 11:51:02PM +0100, Diego Biurrun wrote:
> > On Fri, Mar 10, 2006 at 11:43:54PM +0100, Michael Niedermayer wrote:
> > > 
> > > btw, why is the list not available to the public?
> > 
> > Some of these bugs are security-relevant...
> 
> ahh which is the best answer
> 1. some gcc warnings too
> 2. which are? ;)
> 3. publishing sec holes is the best way to get them fixed quickly, not
>    publishing them leads to 6+ months of delay (see cvslog if you want to
>    know who it was who didn't fix known and trivial secholes, i fixed the
>    ones i found in my code, robert togni also fixed all in his instantly ...)

Security holes should be published, but that doesn't mean they should be
published immediately.  Giving the authors a bit of time to
clean up their stuff is common (and good) practice.  Now if the authors
don't react or are too slow..

> 4. do you really think that registration will keep any bad guys from getting
>    their hands on this list if they want it? hell it's not even https ...

I was under the impression that they were checking who gets registered.
I may be wrong, though.

Diego




