On 11/12/2024 1:58 PM, Derek Buitenhuis wrote:
> For example, right now, one person (you) has the ability to cut releases, modify the website, sign the tarballs, etc. It's all you. I'm sure that's great in your mind, as you deem yourself trustworthy. From our end, nothing stops it from being xz part 2. There is no way to know the tarballs are un-tampered with, other than trusting you.
This is not true. I have write access to the website, for example, as do others. And Michael cuts releases because he was given the task, not because nobody else can or wants to. And nobody prevents anyone from just fetching a git tag instead (distros like Arch do, after all).
Also, the xz fiasco is precisely what prompted him to write a script to compare the contents of tarballs with their respective git tags, and a patch for the security page on the website. It's on the ML.
ffmpeg-devel mailing list, ffmpeg-devel@ffmpeg.org, https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
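The tarball-versus-git-tag comparison mentioned above, as an added example that is not the script posted to the list: it hashes every regular file in a release tarball and in a reference tree (assumed to be unpacked from `git archive --format=tar <tag> | tar -x -C ref`), then reports files found only in the tarball, only in git, or with differing contents. The function names and the `ref` directory are this example's own.

```python
"""Compare a release tarball against a reference tree from `git archive`.
Added example (not the script mentioned on the list). Reference tree assumed
to come from: mkdir ref && git archive --format=tar <tag> | tar -x -C ref
"""
import hashlib
import os
import tarfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_digests(tar_path: str) -> dict:
    """Relative path -> SHA-256 for every regular file in the tarball,
    with the top-level directory (e.g. project-1.0/) stripped."""
    digests = {}
    with tarfile.open(tar_path, "r:*") as tar:  # gz, bz2 and xz all handled
        for member in tar.getmembers():
            if not member.isfile():  # skip directories, symlinks, devices
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            digests[rel] = _sha256(tar.extractfile(member).read())
    return digests


def tree_digests(root: str) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = _sha256(fh.read())
    return digests


def compare(tar_path: str, ref_dir: str) -> dict:
    """Files only in the tarball, only in git, or present in both with
    different contents. Tarball-only files (generated configure/m4
    material included) are the ones a reviewer has to read, not trust."""
    tar_d, ref_d = tarball_digests(tar_path), tree_digests(ref_dir)
    both = tar_d.keys() & ref_d.keys()
    return {
        "tarball_only": sorted(tar_d.keys() - ref_d.keys()),
        "git_only": sorted(ref_d.keys() - tar_d.keys()),
        "modified": sorted(p for p in both if tar_d[p] != ref_d[p]),
    }
```

An empty `tarball_only` and `modified` list means the tarball adds nothing beyond the tag; anything listed under `tarball_only` is where a release-time injection would live, so it has to be diffed and read rather than waved through.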