[FFmpeg-devel] FFmpeg 8.0 Release

[Nicolas George]

Michael Niedermayer (HE12025-07-23):
> the fix for this is to check crt.sh
> 
> example: https://crt.sh/?q=ffmpeg.org
> 
> and if there are or where correct certificates, reject the self signed one
> otherwise allow self signed by default with a warning

“502 Bad Gateway” I doubt it can be a fix for anything.

Anyway, that cannot be a fix:
- the site could get compromised;
- our users might not trust them;
- the site could be down;
- internet access might not be available;
- the extra latency might be unacceptable;
- …

And it is our users' absolute right to access sites with self-signed or
invalid certificate, starting with sites they operate themselves in test
environments, without the say-so of any other site.

Can somebody confirm there is an option to disable certificate checks
(or at least turns them into a warning) that can be set by the caller
for every protocol that ends in TLS? If not, that feature is not ready
to be enabled by default.

Also, I would prefer if there were at least one release cycle where the
checks are done but not fatal, to let users adapt in their own time.

Regards,

-- 
  Nicolas George