[FFmpeg-devel] [RFC] ffmpeg security

Steven Liu lingjiujianke at gmail.com
Sat Feb 11 05:57:31 EET 2017


2017-02-11 11:14 GMT+08:00 Michael Niedermayer <michael at niedermayer.cc>:

> On Fri, Feb 10, 2017 at 04:43:17PM -0300, James Almer wrote:
> > On 2/10/2017 4:03 PM, Michael Niedermayer wrote:
> > > Hi community
> > >
> > > what do you prefer about the ffmpeg-security alias ?
> > > in no particular order
> > >
> > > Should everyone on the alias be listed in MAINTAINERs under a
> > > ffmpeg-security point?
> >
> > I'd say yes. From a transparency PoV, people should know who will
> > get access to such reports.
> >
> > >
> > > Should for everyone who is on the alias a reason be listed in
> > > MAINTAINERs why (s)he is on the alias ?
> >
> > IMO, there's no need for this. Read below.
> >
>
> > >
> > > Should everyone on the alias have a reason beyond curiosity to be
> > > on the alias? (that is a reason that clearly benefits FFmpeg)
> >
> > Yes, it should be about intending to fix reports and/or review fixes
> > made by others. Curiosity alone is not enough at all.
>
> ok
>
> We have 938 open bugs on trac
> We have 84 open bugs on trac that contain the keyword "regression"
> We have 55 open coverity issues
> We have 475 patches on patchwork needing some action, either having
> their status updated if it's wrong or needing review/apply/reject
>
> someone wanting to review patches can do that
> someone wanting to fix issues can do that
>
> We have no open security issues on the ffmpeg-security alias, we have
> no patches that need a review, in fact I think we have had no patch
> there this year yet. (not counting ones referenced from ffmpeg-devel)
>
> So one wanting to review patches or fix issues shouldn't really have
> much desire on ffmpeg-security.
>
> We can add more people to it, but what does that fix?
> Shouldn't we rather try to find someone to fix the regressions on trac
> or go over the patches on patchwork ?
>
I saw "连一汉" sometimes report some security issues, which were fixed by Michael.
I think we need an ffmpeg-security to report security issues and review patches
in it.
And I can join to fix it :)

>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> The worst form of inequality is to try to make unequal things equal.
> -- Aristotle