[FFmpeg-devel] [PATCH 3/4] doc/faq: Document the plan ahead for Governance

Michael Niedermayer michael at niedermayer.cc
Mon Jan 13 19:29:45 EET 2025


Hi Ronald

On Sat, Jan 11, 2025 at 07:53:46AM -0500, Ronald S. Bultje wrote:
> Hi Michael,
> 
> On Fri, Jan 10, 2025 at 9:01 PM Michael Niedermayer <michael at niedermayer.cc>
> wrote:
> 
> > But I think a company which actually depends on a FFmpeg vote outcome
> > will be able to connect the dots and be able to enumerate the options
> > to influence said vote
> >
> > * do they have an employee with vote rights, I am sure she will not
> > vote in a way that ends her own job
> >
> > * how did she get these vote rights ? ahh she submitted 20 patches ...
> >
> > * are there other employees who could submit 20 patches ?
> >
> > * are there contractors who could submit 20 patches ?
> >
> > * can they hire someone who could submit 20 patches ?
> >
> 
> This is true, but...
> 
> Should we then document the xz exploit workflow on our website also?

The xz exploit situation is documented publicly straight on Wikipedia
and in more detail in the references one can follow from there:
https://en.wikipedia.org/wiki/XZ_Utils_backdoor

It's also tracked as CVE-2024-3094.
We basically have nothing to do with xz, so we have no reason to document that.


> And
> this can go on forever.
> 
> This is negative documentation that does not belong on our website. We

The xz backdoor is documented on the website of xz here:
https://tukaani.org/xz-backdoor/

The FFmpeg "community" reaction to the governance issues was, let's say,
not professional.
(And "community" is in quotes because it's 2-4 people out of thousands, not the
community at all, but these 2-4 people think and behave as if they represent
the community.)

What should have been done, and I hope it still will be, is that the issues
need to be discussed, solutions need to be discussed, and they need to be
implemented.
Then this needs to be documented properly, not covering half the story up.
Why is this important? Because other open source projects may face related
issues, and the "lessons" we might end up learning from this may help others.

This is not just a technical issue of what governance system is best; it's
also a human issue: how to make everyone happy with the choice.


> should document the positive aspects of our software and community, and try
> to fix the negative ones, rather than document the negative aspects and
> forget what's positive about ourselves.

Yes, that's true.

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

"I am not trying to be anyone's saviour, I'm trying to think about the
 future and not be sad" - Elon Musk
