[FFmpeg-devel] [RFC] dormant git accounts
Michael Niedermayer
michael at niedermayer.cc
Mon Nov 11 18:42:37 EET 2024
On Mon, Nov 11, 2024 at 10:02:27AM +0000, Derek Buitenhuis wrote:
> On 11/10/2024 2:59 PM, Michael Niedermayer wrote:
> > It's been there for a long time:
> > https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/HEAD:/doc/infra.txt
>
> [...]
>
> > If something is missing, it's not going to improve on its own.
> > Someone will have to say _what_ is missing and work toward filling it in.
>
> Pretty hard to list infra you don't know exists.
>
> For example, I only recently noticed ffmpeg.org goes through avcodec.org DNS:
>
> ns1.avcodec.org - telepoint.bg
> ns2.avcodec.org - KIFU (Government Info Tech Development Agency)
> ns3.avcodec.org - CDLAN SpA
>
> Who owns avcodec.org? Who runs these DNS servers? Who has access? Who has contacts?
>
> It's a supply chain attack risk - you could hijack ffmpeg.org per IP or Geo.
Publicly listing which developer provides which part of the DNS infra
makes it easier to attack, not harder.
That said, I suspect who provides what was mentioned in the past already.
If an attacker doesn't know who provides a server, then the attacker can only
attack the server directly via its name and IP.
If an attacker knows who owns the server, then he can perform a wide
range of additional attacks. For example,
impersonating that developer towards the server hoster, or, if the attacker
can figure out the phone number of the developer, then SIM swapping becomes
possible. From that, various other accounts can then be taken over, and
once an attacker is in control of the phone and email of someone, further
account compromises become increasingly easy.
I do not think we would be doing FFmpeg a service or improve security
by listing everyone's names in a public file. Even if most of this
probably was said publicly already, having it in one single place
makes it even easier for an attacker.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
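Editor's added example, not code from the thread or from the FFmpeg project: the quoted concern is that ffmpeg.org's nameservers all live under avcodec.org, so whoever controls that second domain (or its registrar account) can redirect the zone. The check below takes a zone and its NS set, as you would paste from `dig NS ffmpeg.org +short`, and reports which outside registrable domains the delegation depends on. The three hostnames are the ones named in the thread; the two-label "registrable domain" rule is an assumption made for brevity (use the Public Suffix List for a real audit), and no network lookups are performed.

```python
from __future__ import annotations

# Added example, not FFmpeg project code: flag nameservers delegated
# under a domain other than the zone itself ("out-of-bailiwick" NS).
# No network lookups are made; the caller supplies the NS set.


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname (e.g. 'avcodec.org').

    Assumption: a two-label registrable domain. This is wrong for
    suffixes such as co.uk; consult the Public Suffix List for real audits.
    """
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified name: {hostname!r}")
    return ".".join(labels[-2:])


def out_of_bailiwick(zone: str, nameservers: list[str]) -> dict[str, list[str]]:
    """Group nameservers by the foreign registrable domain they sit under.

    Each key is a registrant whose loss, expiry, registrar-account takeover
    or hostile NS change can redirect the whole zone. Nameservers under the
    zone's own registrable domain are not reported.
    """
    own = registrable_domain(zone)
    deps: dict[str, list[str]] = {}
    for ns in nameservers:
        rd = registrable_domain(ns)
        if rd != own:
            deps.setdefault(rd, []).append(ns.rstrip(".").lower())
    return deps


def fully_dependent(zone: str, nameservers: list[str]) -> bool:
    """True when not a single NS is under the zone's own domain, i.e. the
    zone cannot be served at all without the third-party domain(s)."""
    own = registrable_domain(zone)
    return all(registrable_domain(ns) != own for ns in nameservers)


# Constructed input: the delegation described in the thread.
FFMPEG_NS = ["ns1.avcodec.org.", "ns2.avcodec.org.", "ns3.avcodec.org."]

if __name__ == "__main__":
    for dom, hosts in out_of_bailiwick("ffmpeg.org", FFMPEG_NS).items():
        print(f"ffmpeg.org delegation depends on {dom}: {', '.join(hosts)}")
    if fully_dependent("ffmpeg.org", FFMPEG_NS):
        print("no in-bailiwick NS: ffmpeg.org is unreachable without avcodec.org")
```

A delegation that shows up as fully dependent on one outside domain is worth treating like any other single-owner piece of infrastructure: who holds the registrar login, whether registrar lock and 2FA are on, and what the expiry date is.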