[FFmpeg-devel] [RFC] ffmpeg security

Michael Niedermayer michael at niedermayer.cc
Sat Feb 11 13:05:48 EET 2017


On Sat, Feb 11, 2017 at 11:57:31AM +0800, Steven Liu wrote:
> 2017-02-11 11:14 GMT+08:00 Michael Niedermayer <michael at niedermayer.cc>:
> 
> > On Fri, Feb 10, 2017 at 04:43:17PM -0300, James Almer wrote:
> > > On 2/10/2017 4:03 PM, Michael Niedermayer wrote:
> > > > Hi community
> > > >
> > > > what do you prefer about the ffmpeg-security alias ?
> > > > in no particular order
> > > >
> > > > Should everyone on the alias be listed in MAINTAINERs under a
> > > > ffmpeg-security point?
> > >
> > > I'd say yes. From a transparency PoV, people should know who will
> > > get access to such reports.
> > >
> > > >
> > > > Should for everyone who is on the alias a reason be listed in
> > > > MAINTAINERs why (s)he is on the alias ?
> > >
> > > IMO, there's no need for this. Read below.
> > >
> >
> > > >
> > > > Should everyone on the alias have a reason beyond curiosity to be
> > > > on the alias? (that is a reason that clearly benefits FFmpeg)
> > >
> > > Yes, it should be about intending to fix reports and/or review fixes
> > > made by others. Curiosity alone is not enough at all.
> >
> > ok
> >
> > We have 938 open bugs on trac
> > We have 84 open bugs on trac that contain the keyword "regression"
> > We have 55 open coverity issues
> > We have 475 patches on patchwork needing some action, either having
> > their status updated if it's wrong or needing review/apply/reject
> >
> > someone wanting to review patches can do that
> > someone wanting to fix issues can do that
> >
> > We have no open security issues on the ffmpeg-security alias, we have
> > no patches that need a review, in fact I think we have had no patch
> > there this year yet. (not counting ones referenced from ffmpeg-devel)
> >
> > So one wanting to review patches or fix issues shouldn't really have
> > much desire on ffmpeg-security.
> >
> > We can add more people to it, but what does that fix?
> > Shouldn't we rather try to find someone to fix the regressions on trac
> > or go over the patches on patchwork ?
> >
> I saw "连一汉" sometime report some security issue and fixed by Michael.
> I think we need a ffmpeg-security to report security issue and review patch
> in it.
> And I can join to fix it :)

sounds like you have a lot of time
did you see the 36 issues about hls on trac?
https://trac.ffmpeg.org/query?status=new&status=open&status=reopened&keywords=~hls&col=id&col=summary&col=status&col=type&col=priority&col=component&col=version&order=priority

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you fake or manipulate statistics in a paper in physics you will never
get a job again.
If you fake or manipulate statistics in a paper in medicine you will get
a job for life at the pharma industry.