On Thu, Aug 18, 2022 at 07:19:07PM +0200, Jean-Baptiste Kempf wrote:
> On Wed, 17 Aug 2022, at 19:21, Michael Niedermayer wrote:
> > a unwise choice. But if someone is against very basic xml or json parsers
> > please speak up now and here because its still better to say "no" now than
> > after nicolas did the work.
> 
> Absolutely against this idea.
> 
> Both JSON and XML are very very very difficult to parse in a secure manner.
> 
> Doing a simple XML parser and a simple JSON parser might be simple tasks for any decent programmer, doing those parsers is extremely difficult because there are a lot of complex corners cases, even if you take a subset of XML. Unicode, encoding, entities decoding, binary data, languages are not something you can skip, even if you take a subset of XML.
> 
> Once you add document validation and DTD, namespaces, recursive XML or XPath/XQuery this makes it a project as big as the whole FFmpeg, and that's why libxml2 is so big.
> If you just want DASH and TTML (and maybe fontconfig), you still have to do a large set of features.
> 
> And then you need to care about security. It's a difficult problem to fix, and seeing the track record of the security of open source multimedia projects, we should focus on our issues, not adding new ones.
> 
> 
> If you believe that you can do a better job than thousands of people paid large amounts of money who spent decades on this problem, then, please do a separate project, host it on git.ffmpeg.org, git.videolan.org or github, and give us a fast streaming API. Please be sure that you validate most test-suites and cornercases too. And fuzz it.
> 
> Managing to do that would be an impact probably much bigger than FFmpeg, so don't hesitate. And then FFmpeg will be able to use it, and other projects too.
> 
> But for me, until this is ready and battle-tested, it's a hard no..

ok
but just to clarify what i meant / was thinking of was a simple
key / value style parser no features beyond that. just enough so we can
use it to read our own generated xml from some object serialization.

thx


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 1
"Used only once"    - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaird by experienced expert"
"As is" - "You wouldnt want it even if you were payed for it, if you knew ..."