[FFmpeg-devel] [RFC] ffmpeg security

Steven Liu lingjiujianke at gmail.com
Sat Feb 11 14:10:06 EET 2017


2017-02-11 19:05 GMT+08:00 Michael Niedermayer <michael at niedermayer.cc>:

> On Sat, Feb 11, 2017 at 11:57:31AM +0800, Steven Liu wrote:
> > 2017-02-11 11:14 GMT+08:00 Michael Niedermayer <michael at niedermayer.cc>:
> >
> > > On Fri, Feb 10, 2017 at 04:43:17PM -0300, James Almer wrote:
> > > > On 2/10/2017 4:03 PM, Michael Niedermayer wrote:
> > > > > Hi community
> > > > >
> > > > > what do you prefer about the ffmpeg-security alias ?
> > > > > in no particular order
> > > > >
> > > > > Should everyone on the alias be listed in MAINTAINERs under a
> > > > > ffmpeg-security point?
> > > >
> > > > I'd say yes. From a transparency PoV, people should know who will
> > > > get access to such reports.
> > > >
> > > > >
> > > > > Should for everyone who is on the alias a reason be listed in
> > > > > MAINTAINERs why (s)he is on the alias ?
> > > >
> > > > IMO, there's no need for this. Read below.
> > > >
> > >
> > > > >
> > > > > Should everyone on the alias have a reason beyond curiousity to be
> > > > > on the alias? (that is a reason that clearly benefits FFmpeg)
> > > >
> > > > Yes, it should be about intending to fix reports and/or review fixes
> > > > made by others. Curiosity alone is not enough at all.
> > >
> > > ok
> > >
> > > We have 938 open bugs on trac
> > > We have 84 open bugs on trac that contain the keyword "regression"
> > > We have 55 open coverity issues
> > > We have 475 patches on patchwork needing some action, either having
> > > their status updated if its wrong or needing review/apply/reject
> > >
> > > someone wanting to review patches can do that
> > > someone wanting to fix issues can do that
> > >
> > > We have no open security issues on the ffmpeg-security alias, we have
> > > no patches that need a review, in fact i think we have had no patch
> > > there this year yet. (not countig ones referenced from ffmpeg-devel)
> > >
> > > So one wanting to review patches or fix issues shouldnt really have
> > > much desire on ffmpeg-security.
> > >
> > > We can add more people to it, but what does that fix?
> > > Shouldnt we rather try to find someone to fix the regressions on trac
> > > or go over the patches on patchwork ?
> > >
> > I saw "连一汉" sometime report some security issue and fixed by Michael.
> > I think we need a ffmpeg-security to report security issue and review
> patch
> > in it.
> > And i can join to fix it :)
>
> sounds like you have alot of time
> did you see the 36 issues about hls on trac: ?
> https://trac.ffmpeg.org/query?status=new&status=open&status=
> reopened&keywords=~hls&col=id&col=summary&col=status&col=
> type&col=priority&col=component&col=version&order=priority
>
> Ok, Let me try to fix them ;)

> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> If you fake or manipulate statistics in a paper in physics you will never
> get a job again.
> If you fake or manipulate statistics in a paper in medicin you will get
> a job for life at the pharma industry.
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
>


More information about the ffmpeg-devel mailing list