Re: [FFmpeg-devel] Request for Official GitHub Mirror of rtmpdump for Enhanced Security

2024-04-25 Thread Derek Buitenhuis
On 4/23/2024 10:46 PM, Michael Niedermayer wrote:
> Can you elaborate what the problem is ?
> I would have thought https://git.ffmpeg.org/rtmpdump.git
> is secure

I have to assume he means SHA-256, and not SHA-512.

git apparently supports using SHA-256 instead of SHA-1 hashes,
but support does not seem to be very mainstream. I am not even
sure GitHub supports it (https://github.com/orgs/community/discussions/12490
seems to indicate not yet).

So either this is vcpkg trying to be very aggressive in
requiring git features, or there is some clarification needed.

- Derek
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".


Re: [FFmpeg-devel] Request for Official GitHub Mirror of rtmpdump for Enhanced Security

2024-04-23 Thread Michael Niedermayer
Hi
On Tue, Apr 23, 2024 at 07:04:08PM +, Javier Matos Denizac via ffmpeg-devel 
wrote:
> Dear FFmpeg team,
> 
> 
> My name is Javier Matos, and I am part of the vcpkg team at Microsoft. vcpkg 
> is an open-source package manager designed to help developers manage C++ 
> libraries across platforms in a consistent manner.
> 
> I am reaching out to inquire if FFmpeg could host an official GitHub mirror 
> for the `rtmpdump` repository on `github.com/FFmpeg`.
> 
> Currently, vcpkg uses a mirrored version from `github.com/mirror/rtmpdump`, 
> which is not maintained by the original authors, posing a significant supply 
> chain risk due to potential unauthorized modifications.
> 

> Alternatively, while we could switch to using the repository at 
> `git://git.ffmpeg.org/rtmpdump.git`, this source lacks support for SHA512 
> checksums, complicating asset caching and security verification crucial for 
> ensuring the integrity of the code during downloads.

Can you elaborate what the problem is ?
I would have thought https://git.ffmpeg.org/rtmpdump.git
is secure

thx

[...]
-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope




[FFmpeg-devel] Request for Official GitHub Mirror of rtmpdump for Enhanced Security

2024-04-23 Thread Javier Matos Denizac via ffmpeg-devel
Dear FFmpeg team,
My name is Javier Matos, and I am part of the vcpkg team at Microsoft. vcpkg is 
an open-source package manager designed to help developers manage C++ libraries 
across platforms in a consistent manner.

I am reaching out to inquire if FFmpeg could host an official GitHub mirror for 
the `rtmpdump` repository on `github.com/FFmpeg`.

Currently, vcpkg uses a mirrored version from `github.com/mirror/rtmpdump`, 
which is not maintained by the original authors, posing a significant supply 
chain risk due to potential unauthorized modifications.

Alternatively, while we could switch to using the repository at 
`git://git.ffmpeg.org/rtmpdump.git`, this source lacks support for SHA512 
checksums, complicating asset caching and security verification crucial for 
ensuring the integrity of the code during downloads.

An official GitHub mirror hosted by FFmpeg would address these issues by 
providing a secure, verifiable source that we can integrate with vcpkg. Thank 
you for considering this request. I look forward to your feedback.

Best regards,

Javier Matos
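The thread turns on two different hashes that are easy to conflate: the SHA-512 digest of a downloaded asset (what a package manager pins to detect a tampered or substituted archive) and git's object ids, which are SHA-1 today and SHA-256 under git's newer object format. The added example below is not from the thread, from vcpkg or from FFmpeg; it shows, in Python, how each is computed and checked. The asset bytes and the pinned digest are constructed for illustration, and the helper names (`git_object_id`, `verify_asset`) are this example's own. The known ids of git's empty blob under both object formats are used to show that the SHA-256 format is a different hash of the same "<type> <size>\0<content>" layout, not a digest of an archive.

```python
import hashlib
import hmac

GIT_OBJECT_TYPES = ("blob", "tree", "commit", "tag")


def git_object_id(obj_type: str, content: bytes, algo: str = "sha1") -> str:
    """Return the git object id of `content` under the SHA-1 or SHA-256 object format.

    git hashes the header "<type> <size>\\0" followed by the raw object bytes.
    The two object formats use the same layout and differ only in the hash
    function, so a SHA-256 repository has entirely different ids from a SHA-1
    one for identical content.
    """
    if obj_type not in GIT_OBJECT_TYPES:
        raise ValueError(f"unknown git object type: {obj_type!r}")
    if algo not in ("sha1", "sha256"):
        raise ValueError("git object formats are sha1 or sha256")
    header = f"{obj_type} {len(content)}\0".encode("ascii")
    return hashlib.new(algo, header + content).hexdigest()


def verify_asset(data: bytes, expected_sha512_hex: str) -> bool:
    """Check a downloaded asset against a pinned SHA-512 digest.

    This is the kind of check a package manager performs on a fetched archive:
    the digest is recorded once from a trusted copy, and every later download
    must reproduce it byte for byte. compare_digest avoids leaking where the
    mismatch occurs through timing.
    """
    actual = hashlib.sha512(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha512_hex.strip().lower())


# Constructed sample: stands in for a source archive fetched by a package manager.
SAMPLE_ASSET = b"constructed sample archive bytes for an rtmpdump-like source snapshot\n"

# Constructed pin: in real use this value is recorded once from a trusted copy
# and stored alongside the download URL, never recomputed from the download.
PINNED_SHA512 = hashlib.sha512(SAMPLE_ASSET).hexdigest()


def check_download(data: bytes) -> dict:
    """Summarise both identity notions for a fetched asset.

    The SHA-512 verdict is what protects the download; the git object ids are
    shown only to make clear that they are a separate, content-addressed name
    for the bytes inside a repository, not a checksum of the archive.
    """
    return {
        "sha512_matches_pin": verify_asset(data, PINNED_SHA512),
        "git_blob_id_sha1": git_object_id("blob", data, "sha1"),
        "git_blob_id_sha256": git_object_id("blob", data, "sha256"),
    }


if __name__ == "__main__":
    print(check_download(SAMPLE_ASSET))
    # Flipping one byte must fail the SHA-512 pin and change both object ids.
    tampered = SAMPLE_ASSET[:-1] + b"!"
    print(check_download(tampered))
```

A pin computed from the same bytes it verifies, as `PINNED_SHA512` is here to keep the example self-contained, protects nothing; the value only has meaning when it was recorded from a copy obtained out of band and is compared against every subsequent fetch. Pinning a git commit id gives a similar guarantee for a clone, but only as strong as the hash function of the repository's object format.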