[FFmpeg-devel] [RFC] dormant git accounts

Derek Buitenhuis derek.buitenhuis at gmail.com
Tue Nov 12 18:58:13 EET 2024


On 11/11/2024 7:33 PM, Michael Niedermayer wrote:
>> This only convinces me further that this whole setup isn't fit for purpose,
>> and is being run by people who have no concept of actual security. This is
>> totally insane.

Honestly, this is so exhausting and painful, I dread responding. I know you cannot
be convinced, per previous mails.

Probably why most others stay silent on the list but complain in person, lest they
draw the insanity on themselves.

> So "publicly listing every admin's and server owner's (where it's not the company)
> name" is the normal and sane thing, and not listing them publicly is totally insane?

Yes.

> Do i understand this correctly?

Doubtful.

> If so, then I am sure that every security-related company lists these publicly?
> Likewise the FBI, financial institutions, and so forth.

Strawman.

> These are organisations where security is very important, but none of them
> lists server owners and admins publicly. And I am not even sure what they
> would do if you called them and asked, but they probably would ask you for
> your name and intent, and at least internally report this without answering your
> question.

None of these things are community-run open source projects, and your comparisons
are nuts.

Even if you don't think they should be publicly known (which I disagree with), they
should be known to the project itself outside of your Michael-approved cabal.

> But let's go back to the original question:
> 1. what exact information do you ask for?

Complete list of infra, where it is hosted, who has what access (physical and remote/software).

This is what VideoLAN does. Yes, I know you are paranoid as hell about a "VideoLAN/j-b takeover",
which is... well, others can judge.

> 2. why ?

See previous endless mails and discussion.

> 3. what do you intend to do with this information ?

This info is pertinent for a lot of security and stability reasons.

For example, right now, one person (you) has the ability to cut releases, modify
the website, sign the tarballs, etc. It's all you. I'm sure that's great in your
mind, as you deem yourself trustworthy. From our end, nothing stops it from being
xz part 2. There is no way to know the tarballs are untampered with, other than
trusting you.

I'm sure this makes perfect sense if you agree with the whole "Michael, as a person
nobody has ever met, and nobody agreed to give absolute power, is trustworthy
and infallible" thing, but I sure don't. It's a fiefdom that you rule.

> 4. The names of the developers providing the infra have been provided before; did you look through past discussion?

The list was not complete even back then, and it has not been documented since.

> 5. Do you ask these questions to every project or just FFmpeg?
>    (I have been told these questions only happen toward FFmpeg; can you
>    explain why?)

Every serious and large open source project has this responsibility. We're not
some rag-tag show; we're a project used by every big company on Earth.

> Last year I tried to simply answer all the questions, but that didn't make
> anyone happy. I must be missing something.

Answers aren't sufficient or complete, and you purposely avoid giving the community
power over the infrastructure, domains, or trademark. It is solely at your discretion.

> I mean, we can go through the whole thing again if people want, but I really
> think most developers would prefer to work on the code and project instead.

Yes, I suppose you're banking on the silence == complicity aspect of this.

- Derek