On Wed, Aug 14, 2019 at 10:11 PM Reimar Döffinger <reimar.doeffin...@gmx.de> wrote:
> On 14.08.2019, at 11:45, Paul B Mahol <one...@gmail.com> wrote: > > I strongly disagree with you. Why some people have subscription to > security > > mailing list and I'm not allowed also? > > Long version, explaining to the best of my knowledge and memory: > The people on it are on it because at some point it was considered > necessary to have them on it. > You have not brought an argument why the project would need you to be on > it in order to deal with issues in a satisfactory way. > Generally only basic technical skills are needed, enough to discuss the > issue and potentially hand over to the maintainer. And whoever is involved > in the releases is generally needed. > Beyond that I would describe it as a PR function (giving a polite and > level headed response to a security researcher claiming something that is > obvious nonsense to an FFmpeg developer tends to make things go much > smoother), which I would have assumed to not be among your aspirations. > It's definitely not about a "right" or a "priviledge" or having "earned" > it, it's about need. > And when possible a bit of trust (the personal kind, not just the "not > malicious" kind which is of course an absolute requirement), though that > might be more relevant for projects like Linux where really bad stuff > causing stress and possibly conflicts tends to hit. Flame wars is the last > thing one needs in the middle of dealing with a bad issue. > > TL;DR is probably: one doesn't end up on security lists by asking to be on > it but by persons Y and Z saying "we should/need to have person X on the > list". > I am not aware of any such wishes (though admittedly I wouldn't be the one > contacted about it I guess). > I think being on the security list may have some professional implications too: if you use ffmpeg in your $dayjob, being notified of security problem in ffmpeg, and acting upon it before the fix lands in the tree, may be crucial. I think Paul is lamenting the fact that being selected for the security list is extremely arbitrary and there is no process described on how to joining it. -- Vittorio _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
