Hi Ronald

On Sat, Jan 11, 2025 at 07:53:46AM -0500, Ronald S. Bultje wrote:
> Hi Michael,
> 
> On Fri, Jan 10, 2025 at 9:01 PM Michael Niedermayer <mich...@niedermayer.cc>
> wrote:
> 
> > But i think a company which actually depends on a FFmpeg vote outcome
> >
> > will be able to connect the dots and be able to enumerate the options
> > to influence said vote
> >
> > * do they have an employee with vote rights, I am sure she will not
> > vote in a way that ends her own job
> >
> > * how did she get these vote rights? ahh she submitted 20 patches ...
> >
> > * are there other employees who could submit 20 patches ?
> >
> > * are there contractors who could submit 20 patches ?
> >
> > * can they hire someone who could submit 20 patches ?
> >
> 
> This is true, but...
> 
> Should we then document the xz exploit workflow on our website also?

The xz exploit situation is documented publicly straight on Wikipedia
and in more detail in the references one can follow from there
https://en.wikipedia.org/wiki/XZ_Utils_backdoor

It's also tracked with CVE-2024-3094.
We basically have nothing to do with xz, so we have no reason to document that.


> And
> this can go on forever.
> 
> This is negative documentation that does not belong on our website. We

The xz backdoor is documented on the website of xz here:
https://tukaani.org/xz-backdoor/

The FFmpeg "community" reaction to the governance issues was, let's say,
not professional.
(and community is under quotes because it's 2-4 people of thousands, not the
community at all, but these 2-4 people think and behave as if they represent
the community)

What should have been done, and I hope it still will be, is that the issues
need to be discussed, solutions need to be discussed and they need to be
implemented.
Then this needs to be documented properly, not covering half the story up.
Why is this important? Because other open source projects may face related
issues. And the "lessons" we might end up learning in this may help others.

This is not just a technical issue of what governance system is best, it's
also a human issue: how to make everyone happy with the choice.


> should document the positive aspects of our software and community, and try
> to fix the negative ones, rather than document the negative aspects and
> forget what's positive about ourselves.

yes, that's true

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

"I am not trying to be anyone's saviour, I'm trying to think about the
 future and not be sad" - Elon Musk


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
