[FFmpeg-devel] core infrastructure badge for FFmpeg

Michael Niedermayer michael at niedermayer.cc
Wed Jul 6 12:36:48 EEST 2016


On Wed, Jul 06, 2016 at 08:02:55AM +0000, Carl Eugen Hoyos wrote:
> Ganesh Ajjanagadde <gajjanag <at> mit.edu> writes:
> 
> > > No question, it would be better if tests would be added quicker ...
> > 
> > I do not doubt this, but at the moment we do not enforce it.
> > Do you see any trouble in enforcing this requirement from 
> > major release to next major release?
> 
> I am against adding such a "hard" requirement.
> I believe we have filters that are impossible / very 
> difficult to test.
> 
> [...]
> 
> > >>  17. There MUST be no unpatched vulnerabilities of 
> > >> medium or high severity that have been publicly
> > >> known for more than 60 days.
> > >>  Do we guarantee this?
> 
> (What is "medium or high severity"? I only remember now 
> that concat protocol was "low" and that we fixed it after 
> a few days.)
> 
> I am sorry if I completely misunderstand this sentence 
> but I am 100% sure we do not guarantee that we fix future 
> vulnerabilities within a given time.
> (on the contrary, see our license)
> 
> Additionally, I suspect there is no open source project 
> that can guarantee this.
> 
> In case I do understand the above sentence correctly, I 
> believe we should not try to apply (read "phony").

btw, there's also an example if some questions feel ambiguous:
https://bestpractices.coreinfrastructure.org/projects/1

for "There MUST be no unpatched vulnerabilities of medium or high severity that have been publicly known for more than 60 days. [vulnerabilities_fixed_60_days]"

The example lists
"No such vulnerabilities at this time." as a passing comment.

Thus I do not think this point is about any guarantees or the future.

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When the tyrant has disposed of foreign enemies by conquest or treaty, and
there is nothing more to fear from them, then he is always stirring up
some war or other, in order that the people may require a leader. -- Plato