[FFmpeg-devel] core infrastructure badge for FFmpeg

Ganesh Ajjanagadde gajjanag at mit.edu
Wed Jul 6 15:26:39 EEST 2016

06.07.2016, 07:48, "Jean-Baptiste Kempf" <jb at videolan.org>:
> On 04 Jul, Ganesh Ajjanagadde wrote :
>>  https://bestpractices.coreinfrastructure.org/.
> Tbh, this is pure BS/PR, as we've seen for VLC. But why not...
> But, you could at least be a bit more truthful when filling it:
>  - the buildsystem is not common tools, since you have your own
>    configure (it's a SUGGESTED thing anyway)

As far as I know, shell script is a common tool available on POSIX platforms.

>  - the new functionnality testing is only done in libavcodec,

I did not assert to the contrary, but it is certainly an "informal" policy per the dev docs.
I did acknowledge the lack of tests in certain places such as libavfilter.

>  - half of the links given are over github, which is not FLOSS and is
>    just a mirror... And other on ffmpeg.org

So what? There is no requirement that the links must be posted on FLOSS sites,
whatever that means which you conveniently leave unspecified.

The purpose of the mirror here is just as a reference point, and can always be changed.
There is some lack of consistency in link usage, I am going to change it.

>  - you do not use SEMVER (it's a SUGGESTED improvement too)

I thought we did, since that is what I assumed the chicanery regarding major, minor, etc was all about.
Will amend.

>  - everything related to external users should be N/A and not "met",
>    (I doubt they mean trac here)

Please be more explicit here. What is wrong with trac as a link for a bug tracker?

>  - you allow /dev/random, as a silent fallback over urandom, I doubt
>    this is secure, or fullfills their requirement.

Be explicit, if you say it is insecure, give an example of a platform where it is,
and report to ffmpeg-security at ffmpeg.org.
If true, then yes, this must be removed.

>  - where is written the policy that coverity must be run on each release?

No policy, but Michael did say that "we do run coverity around the release time generally".
>From my experience over the last 6 months, Coverity was run at least once before each release.
If there was an instance where it was not, sure, I will remove it.

>  - the dynamic analysis is done by 3rd parties, it should be mentionned,
>    especially since it's just a SUGGESTED point.

Ok, will change.

> With my kindest regards,
> --
> Jean-Baptiste Kempf
> http://www.jbkempf.com/ - +33 672 704 734
> Sent from my Electronic Device
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

More information about the ffmpeg-devel mailing list