[FFmpeg-devel] [WIP] False positives on Coverity

Michael Niedermayer michael at niedermayer.cc
Tue Jun 11 18:46:17 EEST 2024


On Mon, Jun 10, 2024 at 02:45:14PM +0200, Vittorio Giovara wrote:
> On Mon, Jun 10, 2024 at 2:41 PM Timo Rothenpieler <timo at rothenpieler.org>
> wrote:
> 
> > > In either case, my point is that email is not a good system for these
> > > reports, because they cannot be tracked nor analyzed, and if they do pose a
> > > security risk they shouldn't be advertised so openly. Having a small bounty
> > > with STM funds would probably be a more efficient way at fixing them than
> > > asking people to take a look at them on the ML.
> >
> > I'm not sure what you mean.
> > E-Mail is not the primary system for these reports.
> >
> 
> I'm referring to Michael's email with the list of latest reports.
> 
> > They're just notifications about new stuff, with a rough summary of each
> > issue, if there aren't too many.
> > The primary way to track and handle them is via their website.
> >
> 
> Again, the one that not everybody has access to, despite being available.

Coverity was and is accessible to every FFmpeg developer who needs and wants access.


> If there is any actual interest in fixing them I'm saying we should make
> them more visible and more accessible, that's all.

They are accessible to every FFmpeg developer who needs and wants access, and
they are visible, as Coverity sends out emails whenever new issues are detected.


> If they are mostly false
> positives, then why are we even talking about them?

I have no idea why people talk about them. What I know is that I am posting
the list of false positives to the ML because we agreed to post that list here
as part of the deliverables for the Sovereign Tech Fund.

Thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If the United States is serious about tackling the national security threats 
related to an insecure 5G network, it needs to rethink the extent to which it
values corporate profits and government espionage over security. -Bruce Schneier