[FFmpeg-devel] [REQUEST] ffmpeg-security subscription

Reimar Döffinger Reimar.Doeffinger at gmx.de
Fri Aug 16 04:38:53 EEST 2019



On 15.08.2019, at 19:38, Paul B Mahol <onemda at gmail.com> wrote:

> On Thu, Aug 15, 2019 at 7:20 PM Reimar Döffinger <Reimar.Doeffinger at gmx.de>
> wrote:
> 
>> On 15.08.2019, at 13:15, Vittorio Giovara <vittorio.giovara at gmail.com>
>> wrote:
>>> I think being on the security list may have some professional
>>> implications too: if you use ffmpeg in your $dayjob, being notified of
>>> security problems in ffmpeg, and acting upon them before the fix lands in
>>> the tree, may be crucial. I think Paul is lamenting the fact that being
>>> selected for the security list is extremely arbitrary and there is no
>>> process described on how to join it.
>> 
>> Sorry, but just any $dayjob I really don't see relevant at all.
>> If there is a huge user of AND major contributor to FFmpeg with vastly
>> higher risk of attack that is hard to mitigate in any other way they might
>> have an argument. I.e. if there is a NEED because it is the only way to
>> protect a significant user/number of users.
>> But it still most likely is a misuse. The security list is about receiving
>> reports and responding to them from our side.
>> Using it to forewarn users would either mean letting a large number of
>> people on it (I hope we agree that is obviously stupid) or disadvantaging
>> more than 99% of our users.
>> If someone has concerns in this area, I'm sure there are ways for them to
>> contribute.
>> I still don't see that it would need access to the security list though,
>> but it might lead to being invited.
>> 
>> Of course this is just my opinion and I am happy to learn:
>> are there other projects describing such a process?
>> For the Linux kernel I only know about such a thing for the list that is
>> for communicating and aligning with distributions.
>> Something comparable does not currently exist for FFmpeg.
>> 
> 
> So you, as a developer, are higher valued and more useful than other
> developers?

I have no idea where you get that from anything I said, do you think the bus driver is higher valued and more useful than anyone else on the bus because they don't let just anyone who wants drive it?

