Hi

At the current VideoLAN developer days there were several surprise votes on FFmpeg's infrastructure. And to the best of my knowledge no remote participation and no recording.

So let me try to reply to the idea of the general assembly choosing who has root access.

We have seen a rise of increasingly sophisticated attacks in recent times. For example the xz backdoor, where the maintainer was pressured by many people to add Jia Tan as maintainer, who then eventually added a sophisticated hidden backdoor, compromising xz and ssh. (Which almost was not even detected.)
We have seen batteries being exchanged by explosives by the Mossad, injuring members of a terrorist organization and probably a few innocent people. You may agree with fighting terror, but do you agree with explosives in maybe the phone someone of your family bought on eBay?
Just yesterday, lottie-player was replaced by a compromised version, stealing people's money.

Our GA is built of everyone who has "authored more than 20 patches in the last 36 months in the main FFmpeg repository".
This is a very low bar for an attacker. Even if we did KYC (which I think we should not), hiring 50 people to each write 20 patches is very doable even for a small company, or heck, even a single individual could do this. Let alone a state actor.

What this means, and I think this is obvious to everyone, is the GA cannot control critical infrastructure access or things that allow attacks by state actors.

That's besides, the root admins should generally be professional admins and not "popular politicians". Which is ultimately what a popular vote produces.

Also the root team has to get along with each other and trust each other, obviously.

And last, where is that professional admin who wants to do work and who has no root access? I have, to the best of my knowledge, given every professional admin we have on the FFmpeg team who needed root access, root access.

Yes, I would not give root access to people who are involved in every 2nd flamewar or who I totally do not get along with. Or if the request comes in a strange context, ...
But does the GA want to override that? You think that would improve things?

Please let's not turn root access into a Harris vs Trump style democracy.

If there's a professional, trusted admin and there's work that needs to be done and (s)he has time, ability and will to do that work, nothing strange, and no one says they don't get along with him/her, I have and will give them root access. If that's not the case I don't think people would want me to give them root access.

thx

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Complexity theory is the science of finding the exact solution to an approximation. Benchmarking OTOH is finding an approximation of the exact
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".