[FFmpeg-devel] [RFC] dormant git accounts

Rémi Denis-Courmont remi at remlab.net
Mon Nov 11 18:52:05 EET 2024



On 11 November 2024 18:42:37 GMT+02:00, Michael Niedermayer <michael at niedermayer.cc> wrote:
>On Mon, Nov 11, 2024 at 10:02:27AM +0000, Derek Buitenhuis wrote:
>> On 11/10/2024 2:59 PM, Michael Niedermayer wrote:
>> > It's been there for a long time:
>> > https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/HEAD:/doc/infra.txt
>> 
>> [...]
>> 
>> > If something is missing, it's not going to improve on its own.
>> > Someone will have to say _what_ is missing and work toward filling it in.
>> 
>> Pretty hard to list infra you don't know exists.
>> 
>> For example, I only recently noticed ffmpeg.org goes through avcodec.org DNS:
>> 
>> ns1.avcodec.org - telepoint.bg
>> ns2.avcodec.org - KIFU (Government Info Tech Development Agency)
>> ns3.avcodec.org - CDLAN SpA
>> 
>> Who owns avcodec.org? Who runs these DNS servers? Who has access? Who has contacts?
>> 
>> It's a supply chain attack risk - you could hijack ffmpeg.org per IP or Geo.
>
>Publicly listing which developer provides which part of the DNS infra
>makes it easier to attack not harder.

That's a pretty pathetic excuse, TBH. All it does is make it harder to find whom to contact about whatever issue, and whose stale credentials to purge from what service.

It also removes accountability, which is pretty much never a good thing overall.

And lastly, if the security of a piece of infrastructure is contingent on not knowing who has access to it, then that's a major problem of its own anyway.

