[FFmpeg-devel] [REQUEST] ffmpeg-security subscription

Michael Niedermayer michael at niedermayer.cc
Mon Aug 12 19:15:40 EEST 2019


Hi Paul

On Mon, Aug 05, 2019 at 11:50:04AM +0200, Paul B Mahol wrote:
> Hi,
> 
> I hereby request from lead FFmpeg entity to give me subscription to
> ffmpeg-security mailing list.

I am not sure who or what a "lead FFmpeg entity" is, but as I am being highlighted
on IRC by you in relation to this, and as I am the most active developer on
security issues in ffmpeg it would be impolite of me if I didn't say something.

About ffmpeg-security,
There's currently no need for more manpower to handle security issues. We have
a backlog of a few days of fuzzing issues only which is shrinking. And no other
issues besides fuzzing issues. (part of the backlog probably was the result 
of distractions and some longer review cycles on some patches recently)
Also all patches are being posted in public so no access is needed for reviews.

I think many of the complaints from people about some of the patches should be
resolved by the recent addition of thresholds on all pixels decoded. That way
slow video decoders can have their timeout thresholds effectively tuned and
would no longer require ugly changes which several people did not like.
That won't eliminate all ugliness but it should reduce it.

PS: also keep in mind that we recently increased coverage of the fuzzers;
this created a spike of new issues, so besides more such spikes from more
coverage increases, the amount of new issues is expected to decrease over
time.

Thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Why not whip the teacher when the pupil misbehaves? -- Diogenes of Sinope