[FFmpeg-devel] [rfc] ffmpeg security issue mailing list
James Almer
jamrial at gmail.com
Thu Feb 9 17:02:17 EET 2017
On 2/9/2017 10:24 AM, Kieran Kunhya wrote:
>>
>> I don't think we should give access to ffmpeg-security to everyone who
>> wants to be on the list. This is of course something the community
>> has to decide and not me, I am just erring on the safe side and am very
>> restrictive on who is added.
>>
>
> This is a bogus argument considering how many people have commit access and
> can commit whatever.
>
> Kieran

There's a big difference between git commit access, where bad or rogue
commits can be easily undone, and access to the security email address,
where 0 day exploits and full steps to reproduce may be available.

You and wm4 should IMO be ok to be in it, but we really need to set
some limits and requirements and not offer access like candy as we have
been doing with git, otherwise the joke about running ffmpeg behind
three layers of sandboxing will become an actually tempting idea to
anyone wanting to use it from now on.