On 02/10/2024 11:06, Kumar, Rahul via ffmpeg-devel wrote:
Thank you for the prompt response.

The primary reason for removing Blowfish from our codebase is to comply with 
modern security guidelines and industry standards that discourage the use of 
outdated cryptographic algorithms, like Blowfish, due to their vulnerabilities.

Given that av_blowfish* is part of the public ABI/API of libavutil, I 
understand the potential issues with breaking compatibility. As for rtmpcrypt, 
I appreciate the information regarding its dependence on Blowfish.

I have a couple of questions and suggestions that I would like to discuss 
further:

Would it be feasible to introduce a compile-time configuration option that 
makes Blowfish support optional within FFmpeg? This would allow projects with 
stricter security requirements to exclude Blowfish while preserving backward 
compatibility for others.

Alternatively, would the FFmpeg community be open to discussing replacing 
Blowfish with a more secure, modern algorithm as part of a future release plan?

Any thoughts or recommendations would be greatly appreciated.

Thanks again for your guidance.

Thanks,
Rahul Kumar

-----Original Message-----
From: Michael Niedermayer <mich...@niedermayer.cc>
Sent: Wednesday, October 2, 2024 3:23 AM
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Kumar, Rahul <rahul.kum...@honeywell.com>
Subject: [External] Re: [FFmpeg-devel] Question Regarding Removal of Blowfish 
from libavutil in FFmpeg

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

rtmpcrypt uses blowfish. If you don't want the blowfish code to be used in the final build, just don't build rtmpcrypt. LTO will strip the code off anyway.
We can't remove it. It's part of the rtmpcrypt spec.

Attachment: OpenPGP_0xA2FEA5F03F034464.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
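
One way to verify the outcome discussed in this thread (whether Blowfish code actually ends up in a given build), as an added example that is not from the original messages or from the FFmpeg project. The function name `classify_blowfish` and the sample `nm` listings are constructed for illustration; the `av_blowfish_*` names are libavutil's public entry points.

```shell
#!/bin/sh
# Added example: classify `nm` output by whether libavutil's Blowfish
# entry points are compiled in, only referenced, or absent.
# Real use (assumed file names):  nm libavutil.a   | classify_blowfish
#                                 nm -D ./ffmpeg   | classify_blowfish

classify_blowfish() {
    awk '
        NF < 2 { next }                     # skip blank lines and "file.o:" headers
        { type = $(NF-1); name = $NF }      # nm: "[addr] type name"
        name ~ /^_?av_blowfish_/ {
            # U/w/v = undefined here, resolved from a shared libavutil at load time
            if (type == "U" || type == "w" || type == "v") undef++
            else defined++                  # T/t etc. = code is in this binary
        }
        END {
            if (defined)    print "present"
            else if (undef) print "referenced"
            else            print "absent"
        }'
}

# Constructed sample listings (addresses are made up).
SAMPLE_FULL='0000000000012340 T av_blowfish_alloc
0000000000012380 T av_blowfish_init
00000000000125c0 T av_blowfish_crypt_ecb
0000000000012900 T av_blowfish_crypt
0000000000013000 T av_aes_init'

SAMPLE_STRIPPED='0000000000013000 T av_aes_init
0000000000014000 T av_rc4_init'

SAMPLE_DYNAMIC='                 U av_blowfish_init
                 U av_blowfish_crypt_ecb
0000000000001000 T main'

for s in "$SAMPLE_FULL" "$SAMPLE_STRIPPED" "$SAMPLE_DYNAMIC"; do
    printf '%s\n' "$s" | classify_blowfish
done
```

A result of `referenced` means the binary itself carries no Blowfish code but still depends on a shared libavutil that exports it, so the library has to be checked as well.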
