oss-sec mailing list archives

Re: new FFMpeg stuff


From: Rémi Denis-Courmont <remi () remlab net>
Date: Thu, 25 Jul 2013 11:08:45 +0200

On Thu, 25 Jul 2013 03:01:33 -0600, Kurt Seifried <kseifried () redhat com>
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 07/25/2013 02:52 AM, Jean-Baptiste Kempf wrote:
>> On 25 Jul, Kurt Seifried wrote:
>>> Can the VLC security team confirm/correct this as needed so we
>>> can ensure it's correct before I assign CVEs? thanks.
>> 
>> Why should the VLC security team be involved in that?
> 
> Because they want to help make sure the CVEs get correctly assigned?
> 
> If you guys don't care about getting CVEs done properly, well, that's
> your choice I guess and I'll assign the CVEs as best I can. But I was
> hoping VLC upstream might help out.

It's not that we don't care about CVE IDs. But "upstream VLC" is upstream
VLC, i.e. the VLC code base. We just do not have the resources and
expertise to evaluate FFmpeg/libav security issues individually.

Besides, VLC can be linked dynamically with many different FFmpeg or libav
versions. So keeping track of their security issues within the context of
VLC is more or less impossible. That is up to the VLC binary packagers, not
to upstream developers.

-- 
Rémi Denis-Courmont
Sent from my collocated server
