[FFmpeg-devel] Reintroducing FFmpeg to Debian

Ondřej Surý ondrej at sury.org
Tue Aug 19 10:50:31 CEST 2014


On Sat, Aug 16, 2014, at 20:59, Russ Allbery wrote:
> The problem, however, is that taking security seriously, while possibly
> necessary, is not sufficient.  I'm glad that FFmpeg takes security
> seriously, but what FFmpeg needs is to *have fewer security bugs*.

JFTR, the Coverity Scan results for ffmpeg look promising:
https://scan.coverity.com/projects/54

I am not saying that we should base our decisions on Coverity Scan[1]
results, but this is one more metric that could help to weigh the
decision in one direction or the other. (Also, this is not advice on what
ffmpeg should do...)

From the security viewpoint, I would also be interested in whether ffmpeg
has tests and what the current code coverage is. That could help avoid
regressions when doing security updates.

1. There are also other tools: llvm/clang scan_build, OCLint, cppcheck
(and other metrics like Cyclomatic complexity)

Cheers,
Ondrej

P.S.: libav doesn't seem to be using Coverity Scan actively:
https://scan.coverity.com/projects/106
(last scan was 4 months ago)
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server