[Ffmpeg-devel] Coverity defect scan
Sat Mar 11 09:00:38 CET 2006
On Sat, Mar 11, 2006 at 01:37:10AM +0100, Michael Niedermayer wrote:
> On Fri, Mar 10, 2006 at 11:51:02PM +0100, Diego Biurrun wrote:
> > On Fri, Mar 10, 2006 at 11:43:54PM +0100, Michael Niedermayer wrote:
> > >
> > > btw, why is the list not available to the public?
> > Some of these bugs are security-relevant...
> ahh which is the best answer
> 1. some gcc warnings too
> 2. which are? ;)
> 3. publishing sec holes is the best way to get them fixed quickly, not
> publishing them leads to 6+ months of delay (see cvslog if you want to
> know who it was who didn't fix known and trivial secholes, i fixed the
> ones i found in my code, robert togni also fixed all in his instantly ...)
Security holes should be published, but that doesn't mean they should be
published immediately. Giving the authors a bit of time to
clean up their stuff is common (and good) practice. Now if the authors
don't react or are too slow..
> 4. do you really think that registration will keep any bad guys from getting
> their hands on this list if they want it? hell it's not even https ...
I was under the impression that they were checking who gets registered.
I may be wrong, though.