[FFmpeg-devel] [rfc] ffmpeg security issue mailing list

James Almer jamrial at gmail.com
Thu Feb 9 17:02:17 EET 2017

On 2/9/2017 10:24 AM, Kieran Kunhya wrote:
>> I dont think we should give access to ffmpeg-security to everyone who
>> wants to be on the list. This is of course something the community
>> has to decide and not me, iam just err-ing on the safe side and am very
>> restrictive on who is added.
> This is a bogus argument considering how many people have commit access and
> can commit whatever.
> Kieran

There's a big difference between git commit access, where bad or rogue
commits can be easily undone, and access to the security email address,
where 0 day exploits and full steps to reproduce may be available.

You and wm4 should IMO be ok to be in it, but we really need to set
some limits and requirements and not offer access like candy as we have
been doing with git, otherwise the joke about running ffmpeg behind
three layers of sandboxing will become an actually tempting idea to
anyone wanting to use it from now on.

More information about the ffmpeg-devel mailing list