[FFmpeg-devel] [RFC] dormant git accounts

James Almer jamrial at gmail.com
Tue Nov 12 19:05:16 EET 2024


On 11/12/2024 1:58 PM, Derek Buitenhuis wrote:
> For example, right now, one person (you) has the ability to cut release, modify
> the website, sign the tarballs, etc. It's all you. I'm sure that's great in your
> mind, as you deem yourself trustworthy. From our end, nothing stops it from being
> xz part 2. There is no way to know the tarballs are un-tampered with, other than
> trusting you.

This is not true. I have write access to the website, for example, as do 
others. And Michael cuts releases because he was given the task, not 
because nobody else can or wants. And nobody prevents anyone from just 
fetching a git tag instead (distros like Arch do, after all).

Also, the xz fiasco is precisely what prompted him to write a script to 
compare the contents of tarballs with their respective git tags, and a 
patch for the security page on the website. It's on the ML.
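Added example (not the script referred to above, nor any FFmpeg project code): one way to implement the tarball-versus-tag comparison described here. It assumes the tag has already been checked out (or `git archive`d) into a directory, and that the set of files legitimately generated only at release time (`VERSION` in the constructed sample) is known and allowlisted.

```python
import hashlib, io, os, tarfile, tempfile
from pathlib import Path
def _sha256(data):
    return hashlib.sha256(data).hexdigest()

def tarball_manifest(tar_bytes):
    """path -> sha256 of every regular file in the tarball, top-level directory stripped."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                # release tarballs unpack into "<name>-<version>/..."; drop that prefix
                manifest[member.name.split("/", 1)[-1]] = _sha256(tar.extractfile(member).read())
    return manifest

def tree_manifest(root):
    """path -> sha256 of every file under a checked-out tag (the .git directory is skipped)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = _sha256(Path(full).read_bytes())
    return manifest

def compare(tar_files, tag_files, generated=frozenset()):
    """Differences: only in the tarball (minus the release-time allowlist), only in the tag, or changed."""
    return {
        "only_in_tarball": sorted(p for p in tar_files if p not in tag_files and p not in generated),
        "only_in_tag": sorted(p for p in tag_files if p not in tar_files),
        "changed": sorted(p for p in tar_files if p in tag_files and tar_files[p] != tag_files[p]),
    }

def demo():
    """Constructed sample: a tag checkout vs. a tarball with one altered and one extra file."""
    tag = {"configure": b"#!/bin/sh\necho ok\n", "libavcodec/utils.c": b"int x;\n"}
    tarred = dict(tag, VERSION=b"7.1\n")                      # VERSION: assumed generated at release time
    tarred["configure"] += b"# line added after tagging\n"    # altered relative to the tag
    tarred["build-aux/extra.m4"] = b"# present only in the tarball\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in tarred.items():
            info = tarfile.TarInfo("ffmpeg-7.1/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    with tempfile.TemporaryDirectory() as root:
        for path, data in tag.items():
            Path(root, path).parent.mkdir(parents=True, exist_ok=True)
            Path(root, path).write_bytes(data)
        return compare(tarball_manifest(buf.getvalue()), tree_manifest(root), generated={"VERSION"})
```

A clean release yields three empty lists; anything in `changed` or an unexpected entry in `only_in_tarball` means the tarball does not correspond to the tag it claims to be built from.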
