On Sat, Aug 16, 2014, at 20:59, Russ Allbery wrote:
> The problem, however, is that taking security seriously, while possibly
> necessary, is not sufficient. I'm glad that FFmpeg takes security
> seriously, but what FFmpeg needs is to *have fewer security bugs*.
JFTR, the Coverity Scan results for ffmpeg look promising: https://scan.coverity.com/projects/54

I am not saying that we should base our decisions on Coverity Scan[1] results, but this is one more metric that could help to weigh the decision in one direction or the other. (Also, this is not advice on what ffmpeg should do...)

From the security viewpoint, I would also be interested in whether ffmpeg has tests and what the current code coverage is. That could help avoid regressions when doing security updates.

1. There are also other tools: llvm/clang scan-build, OCLint, cppcheck (and other metrics like cyclomatic complexity)

Cheers,
Ondrej

P.S.: libav doesn't seem to be using Coverity Scan actively: https://scan.coverity.com/projects/106 (last scan was 4 months ago)

--
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

Archive: https://lists.debian.org/1408438231.1736622.154282345.60f00...@webmail.messagingengine.com