On Thu, Aug 15, 2019 at 7:20 PM Reimar Döffinger <reimar.doeffin...@gmx.de> wrote:
> On 15.08.2019, at 13:15, Vittorio Giovara <vittorio.giov...@gmail.com> > wrote: > > I think being on the security list may have some professional > implications > > too: if you use ffmpeg in your $dayjob, being notified of security > problem > > in ffmpeg, and acting upon it before the fix lands in the tree, may be > > crucial. I think Paul is lamenting the fact that being selected for the > > security list is extremely arbitrary and there is no process described on > > how to joining it. > > Sorry, but just any $dayjob I really don't see relevant at all. > If there is a huge user of AND major contributor to FFmpeg with vastly > higher risk of attack that is hard to mitigate in any other way they might > have an argument. I.e. if there is a NEED because it is the only way to > protect a significant user/number of users. > But it still most likely is a misuse. The security list is about receiving > reports and responding to it from our side. > Using it to forewarn users would either mean letting a large number of > people on it (I hope we agree that is obviously stupid) or disadvantaging > > 99% of our users. > If someone has concerns in this area and I'm sure there's ways for them to > contribute. > I still don't see it would need access to the security list though, but it > might lead to being invited. > > Of course this is just my opinion and I am happy to learn: > are there other projects describing such a process? > For the Linux kernel I only know about such a thing for the list that is > for communicating and aligning with distributions. > Something comparable does not currently exist for FFmpeg. > So you, as developer are higher valued and more useful than other developers? This is discrimination. > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe". _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".