Date: Thu, 25 Jul 2013 11:08:45 +0200
From: Rémi Denis-Courmont <remi@...lab.net>
To: <kseifried@...hat.com>
Cc: Jean-Baptiste Kempf <jb@...eolan.org>, <oss-security@...ts.openwall.com>, Michael Niedermayer <michaelni@....at>, Moritz Muehlenhoff <jmm@...til.org>, Moritz Muehlenhoff <jmm@...ian.org>, <ffmpeg-security@...peg.org>, <security@...eolan.org>
Subject: Re: new FFMpeg stuff

On Thu, 25 Jul 2013 03:01:33 -0600, Kurt Seifried <kseifried@...hat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/25/2013 02:52 AM, Jean-Baptiste Kempf wrote:
>> On 25 Jul, Kurt Seifried wrote :
>>> Can the VLC security team confirm/correct this as needed so we
>>> can ensure it's correct before I assign CVEs? thanks.
>>
>> Why the VLC security team should be involved in that?
>
> Because they want to help make sure the CVEs get correctly assigned?
>
> If you guys don't care about getting CVE's done properly well that's
> your choice I guess and I'll assign the CVEs as best I can. But I was
> hoping VLC upstream might help out.

It's not that we don't care about CVE IDs. But "upstream VLC" is upstream VLC, i.e. the VLC code base. We just do not have the resources and expertise to evaluate FFmpeg/libav security issues individually.

Besides, VLC can be linked dynamically with many different FFmpeg or libav versions. So keeping track of their security issues within the context of VLC is more or less impossible. That is up to the VLC binary packagers, not to upstream developers.

-- 
Rémi Denis-Courmont
Sent from my collocated server