Hi

On Sun, Jun 04, 2017 at 12:46:18PM +0200, Nicolas George wrote:
> On quartidi 14 Prairial, year CCXXV, Michael Niedermayer wrote:
> > > Notice a pattern?
> > yes
> > Security issues are found, I post a fix and people complain,
>
> No. The pattern is: you rush to produce a bad fix.
That's "ad hominem". If there's an issue in a change, the center of the discussion should be the issue so it can be improved. Looking at what you wrote, I am not even sure if you talk about whitelists, some patch here or something totally different that you call bad. It's just obvious at who you point, not what you talk about or what you see bad in it. And that person (being me) is heavily constrained by the wishes of the rest of the team.

Also security issues need to be fixed quickly. The quick fix to stop an issue and the solution we work toward in the long term can be very different, and a quick fix in the most general sense is likely quite shit compared to a long term solution. Still we owe our users fixing sec issues quickly, it's us who wrote the vulnerable mess in the first place. We should not let them wait until we design and implement the perfect long term solution.

> > If you knew a year and a half ago about a security issue and about a
> > great solution to it.
> > How far is it from completion ?
> > does this cover the hls vulnerability we discussed in
> > the last 2 days and Can you post a patch ?
>
> I said that WE needed to look for a solution. We, collective.
>
> I, individual, do not have a solution, I only know that one exists
> (Perl, Windows, web browsers all have a similar mechanism) and that
> "fixing" the individual issues rather than designing a global solution
> is a waste of time.

I am happy to help and work together with you to design and implement this. I am not sure what exactly you have in mind though, and I am not sure if it's able to fix this. Can you please explain what you have in mind?

> > But the real question still is, how do people prefer us to deal with
> > this security issue here?
>
> This one ? Ignore it but take the opportunity to start designing: a
> proper solution would fix it anyway.
>
> If you do anything else, I will not object to you pushing, but only if
> you add "--author=Sysiphus" to your git commit command.
You don't need to convince me that the extension check or changes within just hls are not a complete solution. I am quite well aware of this. This is intended to stop an existing exploit and variants of it in practice, and do so quickly.

A complete solution will also likely add some inconvenience that some developers object to. I feel that the security outweighs the inconvenience, but others object to it.

It's not the first issue with hls and it likely won't be the last; I think --author=Sysiphus is quite fitting in fact. Also it's really a change guided by people's objections ...

Thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

"I am not trying to be anyone's saviour, I'm trying to think about the future and not be sad" - Elon Musk
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel