On Fri, Aug 16, 2019 at 3:39 AM Reimar Döffinger <[email protected]> wrote:
> > > On 15.08.2019, at 19:38, Paul B Mahol <[email protected]> wrote: > > > On Thu, Aug 15, 2019 at 7:20 PM Reimar Döffinger < > [email protected]> > > wrote: > > > >> On 15.08.2019, at 13:15, Vittorio Giovara <[email protected]> > >> wrote: > >>> I think being on the security list may have some professional > >> implications > >>> too: if you use ffmpeg in your $dayjob, being notified of security > >> problem > >>> in ffmpeg, and acting upon it before the fix lands in the tree, may be > >>> crucial. I think Paul is lamenting the fact that being selected for the > >>> security list is extremely arbitrary and there is no process described > on > >>> how to joining it. > >> > >> Sorry, but just any $dayjob I really don't see relevant at all. > >> If there is a huge user of AND major contributor to FFmpeg with vastly > >> higher risk of attack that is hard to mitigate in any other way they > might > >> have an argument. I.e. if there is a NEED because it is the only way to > >> protect a significant user/number of users. > >> But it still most likely is a misuse. The security list is about > receiving > >> reports and responding to it from our side. > >> Using it to forewarn users would either mean letting a large number of > >> people on it (I hope we agree that is obviously stupid) or > disadvantaging > > >> 99% of our users. > >> If someone has concerns in this area and I'm sure there's ways for them > to > >> contribute. > >> I still don't see it would need access to the security list though, but > it > >> might lead to being invited. > >> > >> Of course this is just my opinion and I am happy to learn: > >> are there other projects describing such a process? > >> For the Linux kernel I only know about such a thing for the list that is > >> for communicating and aligning with distributions. > >> Something comparable does not currently exist for FFmpeg. > >> > > > > So you, as developer are higher valued and more useful than other > > developers? > > I have no idea where you get that from anything I said, do you think the > bus driver is higher valued and more useful than anyone else on the bus > because they don't let just anyone who wants drive it? > Thank you for confirming that you are discriminatory against other developers. > _______________________________________________ > ffmpeg-devel mailing list > [email protected] > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > [email protected] with subject "unsubscribe". _______________________________________________ ffmpeg-devel mailing list [email protected] https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email [email protected] with subject "unsubscribe".
