[FFmpeg-user] What is the difference between versions of ffmpeg?

Reindl Harald h.reindl at thelounge.net
Sat Oct 4 23:15:53 CEST 2014


On 04.10.2014 at 22:49, Phil Rhodes wrote:
>> there is a *large* difference between using a distributions
>> repo with signed packages or click for every app you want
>> to use on a different random website clueless about who
>> built the binary
> I don't think either situation really guarantees anything, does it?

you stopped reading the lines after your quote
your mistake!

a signed package is different from random crap and the difference starts 
by clicking on the download link - are you sure the DNS you are using is 
trustworthy? in case of a signed package even if it is compromised by a 
MITM the package manager would refuse to install / update the package 
until the MITM was able to steal the signing key of the distribution you 
are using

> I'm not in a position to check every line of code in a piece of software before I build it

me too - but i somehow trust well-known upstream developers which is not
the case for random binaries where nobody knows if the unmodified 
upstream source was used

in case of distribution repos you know at least that they are signed and 
changes/updates *likely* reviewed or if something bad happened some news 
will tell about it

in case of a hacked random server you used to download you know nothing 
nor will any press take notice in case of an intrusion - if that happens 
for opensource projects with some reputation you will hear about it
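
The refusal described in the message above (a package swapped in transit is rejected unless the attacker holds the distribution's signing key), as an added example that is not part of the original post or of any package manager's code. It uses Go's standard-library Ed25519; the index format, key labels, package name and function names are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrBadSignature = errors.New("index not signed by pinned distribution key")
var ErrBadHash = errors.New("package does not match hash in signed index")

// newKey derives a constructed demo key from a label (never derive real keys this way).
func newKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// signIndex is the repository side: sign "name sha256(pkg)" (hypothetical index format).
func signIndex(priv ed25519.PrivateKey, name string, pkg []byte) (index, sig []byte) {
	sum := sha256.Sum256(pkg)
	index = []byte(name + " " + hex.EncodeToString(sum[:]))
	return index, ed25519.Sign(priv, index)
}

// verifyPackage is the client side: accept only an index signed by the pinned key,
// then accept only a package whose hash that index vouches for.
func verifyPackage(pinned ed25519.PublicKey, index, sig []byte, name string, pkg []byte) error {
	if !ed25519.Verify(pinned, index, sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(pkg)
	if string(index) != name+" "+hex.EncodeToString(sum[:]) {
		return ErrBadHash
	}
	return nil
}

func main() {
	distroPub, distroPriv := newKey("constructed distribution key")
	_, mitmPriv := newKey("constructed attacker key")
	good, evil := []byte("upstream build"), []byte("modified build") // constructed payloads
	index, sig := signIndex(distroPriv, "example.pkg", good)
	fmt.Println("genuine:", verifyPackage(distroPub, index, sig, "example.pkg", good))
	fmt.Println("swapped package:", verifyPackage(distroPub, index, sig, "example.pkg", evil))
	fakeIndex, fakeSig := signIndex(mitmPriv, "example.pkg", evil)
	fmt.Println("swapped package and index:", verifyPackage(distroPub, fakeIndex, fakeSig, "example.pkg", evil))
}
```

The public key is pinned on the client before any download happens, so DNS or transport tampering can change what is fetched but not which key the result is checked against.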


