On Sat, Aug 16, 2014, at 20:59, Russ Allbery wrote:
> The problem, however, is that taking security seriously, while possibly
> necessary, is not sufficient.  I'm glad that FFmpeg takes security
> seriously, but what FFmpeg needs is to *have fewer security bugs*.

JFTR the Coverity Scan results for ffmpeg look promising:
https://scan.coverity.com/projects/54

I am not saying that we should base our decisions on Coverity Scan[1]
results, but this is one more metric that could help weight the
decision in one direction or the other. (Also, this is not advice on what
ffmpeg should do...)

From the security viewpoint, I would also be interested in whether ffmpeg
has tests and what its current code coverage is. That could help avoid
regressions when doing security updates.

1. There are also other tools: llvm/clang scan-build, OCLint, cppcheck
(and other metrics like cyclomatic complexity)

Cheers,
Ondrej

P.S.: libav doesn't seem to be using Coverity Scan actively:
https://scan.coverity.com/projects/106
(last scan was 4 months ago)
-- 
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server


Archive: 
https://lists.debian.org/1408438231.1736622.154282345.60f00...@webmail.messagingengine.com