On Thu, Feb 09, 2017 at 09:07:39AM -0500, Compn wrote:
> On Thu, 09 Feb 2017 13:24:53 +0000, Kieran Kunhya <kier...@obe.tv>
> wrote:
>
> > >
> > > I don't think we should give access to ffmpeg-security to everyone who
> > > wants to be on the list. This is of course something the community
> > > has to decide and not me, I am just erring on the safe side and am very
> > > restrictive on who is added.
> > >
> >
> > This is a bogus argument considering how many people have commit access and
> > can commit whatever.
>
> honestly with the fearmongering? are you saying the russian ffmpeg
> developers can just commit whatever they want whenever they want?! also
> there are some chinese ffmpeg developers! even the president says china
> can't be trusted! the russians hacked the election and now they will put
> backdoors in ffmpeg!?!?!
>
> (this email is satire btw... i do not believe russia affected the us
> election, nor brexit. and china is cool with me.)
>
> if kierank and wm4 want on the -security list, please put them on the
> security list.
> i doubt anyone will vote against their inclusion on the
> list.

Maybe, but does anyone really think that's how ffmpeg-security should be
run?
I think FFmpeg has a very good security history, there's a "name" to lose
here.

My opinion is that there should be a rule, whatever that rule is, and
the community should decide this rule.

If the community wants only people who need access for their work
in FFmpeg to have access to ffmpeg-security, then that's the rule.
If the community wants every FFmpeg maintainer who wants to be on the
alias to be added, then that's the rule.

We can do more or less or between these 2, but there's a relation between
what we do and how professional this is.
For example, giving everyone access to security would likely be seen
with some distrust by companies and security researchers.
And the proportion of security mails being sent to ffmpeg-security
might drop as a result of that.

I mean, if you were a company who has customers and has a warranty/obligation
toward them, would you post details about security issues
to a semi-public list? Which, if leaked before it's fixed, could cause
massive damage to your customers and indirectly to your company?

Also, our users depend on security stuff staying private until issues
are fixed ...

All this is why I am for a very restrictive policy on who can access
the ffmpeg-security stuff.

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel