[FFmpeg-devel] Reintroducing FFmpeg to Debian
Ondřej Surý
ondrej at sury.org
Tue Aug 19 10:50:31 CEST 2014
On Sat, Aug 16, 2014, at 20:59, Russ Allbery wrote:
> The problem, however, is that taking security seriously, while possibly
> necessary, is not sufficient. I'm glad that FFmpeg takes security
> seriously, but what FFmpeg needs is to *have fewer security bugs*.
JFTR the Coverity Scan results for ffmpeg look promising:
https://scan.coverity.com/projects/54
I am not saying that we should base our decisions on Coverity Scan[1]
results, but this is one more metric that could help to weight the
decision in one direction or the other. (Also this is not advice on what
ffmpeg should do...)
From the security viewpoint, I would also be interested in whether ffmpeg
has tests and what the current code coverage is. That could help avoid
regressions when doing security updates.
1. There are also other tools: llvm/clang scan_build, OCLint, cppcheck
(and other metrics like Cyclomatic complexity)
Cheers,
Ondrej
P.S.: libav doesn't seem to be using Coverity Scan actively:
https://scan.coverity.com/projects/106
(last scan was 4 months ago)
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
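The message asks what code coverage a project has and names static analysers (cppcheck, clang scan-build) as further metrics. The following shell script is an added example, not code from the post or from the FFmpeg or libav projects: it summarises line coverage from gcov's text output (the real format: `count:lineno:source`, with `-` for non-executable lines and `#####` for executable lines never run) and, only where the tools happen to be installed, runs the two analysers the footnote mentions. The embedded `.gcov` excerpt and its file name `demux_sample.c` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): summarise line coverage from
# gcov text output, the per-file metric the message asks about.
# gcov writes one line per source line as "count:lineno:source", where count is
# "-" for non-executable lines and "#####" for executable lines that never ran.

# Constructed sample .gcov excerpt; the file name is made up for the example.
SAMPLE_GCOV='        -:    0:Source:demux_sample.c
        -:    1:#include <stdint.h>
        -:    2:
        3:    3:static int read_len(const uint8_t *p, size_t avail) {
        3:    4:    if (avail < 4)
    #####:    5:        return -1;
        3:    6:    return (p[0] << 8) | p[1];
        -:    7:}
        2:    8:int parse(const uint8_t *p, size_t avail) {
        2:    9:    int len = read_len(p, avail);
        2:   10:    if (len < 0)
    #####:   11:        return -1;
        2:   12:    return len;
        -:   13:}'

# line_coverage: reads gcov text on stdin, prints "executed total percent".
line_coverage() {
    LC_ALL=C awk -F: '
        { gsub(/^[ \t]+/, "", $1) }               # strip gcov column padding
        $1 == "-"          { next }                 # non-executable source line
        $1 == "#####"      { total++; next }        # executable, never executed
        $1 ~ /^[0-9]+\*?$/ { total++; hit++ }       # executed N times ("*" = partial)
        END { printf "%d %d %.1f\n", hit, total, (total ? 100.0 * hit / total : 0) }
    '
}

# Convenience accessors over the constructed sample (one field each).
covered_lines()    { printf '%s\n' "$SAMPLE_GCOV" | line_coverage | cut -d' ' -f1; }
executable_lines() { printf '%s\n' "$SAMPLE_GCOV" | line_coverage | cut -d' ' -f2; }
coverage_percent() { printf '%s\n' "$SAMPLE_GCOV" | line_coverage | cut -d' ' -f3; }

# Run the static analysers named in the post against one C file, but only when
# they are installed; the function never fails just because a tool is absent.
run_static_analysis() {
    src="$1"
    command -v cppcheck   >/dev/null 2>&1 && cppcheck --enable=warning,performance "$src"
    command -v scan-build >/dev/null 2>&1 && scan-build --status-bugs cc -c "$src"
    return 0
}

printf 'line coverage (hit total percent): %s\n' \
    "$(printf '%s\n' "$SAMPLE_GCOV" | line_coverage)"
```

In the sample, nine lines are executable and seven of them ran, so the script reports 7 9 77.8; the two uncovered lines are exactly the error-return paths, which is the kind of gap that matters when a security fix touches error handling and no test exercises it. On a real tree, `gcov` files are produced by building with `-fprofile-arcs -ftest-coverage` and running the test suite, then feeding each `.gcov` file to `line_coverage`.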