[FFmpeg-devel] FFmpeg 8.0 Release

[FFmpeg-devel] FFmpeg 8.0 Release

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 874 bytes --]

Hi everyone

I intend to create the release/8.0 branch in the next 1-2 weeks
after that i intend to make teh 8.0 release in the following 1-2 weeks

If theres something you want in it make sure its pushed before the branch
is made.

And if theres a bugfix that you want included make sure it either hits
master before the branch point or cherry pick it into release/8.0
before the release

Also name ideas as always are welcome, will choose teh one with most
votes. If theres a tie, i plan to vote last so i can break ties

thx

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 1
"Used only once"    - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaird by experienced expert"
"As is" - "You wouldnt want it even if you were payed for it, if you knew ..."

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[Timo Rothenpieler]

On 23/07/2025 13:43, Michael Niedermayer wrote:
> Hi everyone
> 
> I intend to create the release/8.0 branch in the next 1-2 weeks
> after that i intend to make teh 8.0 release in the following 1-2 weeks
> 
> If theres something you want in it make sure its pushed before the branch
> is made.

Would it be sensible to enable tls verify by default with 8.0?
Or would that have to go through a longer "deprecation" period?

We've just added proper verification support to openssl, schannel and 
other backends already had it.
It's just default-disabled for some reason.
IMO it'd make sense to turn it on by default, it has surprised me and 
other people in the past that FFmpeg does not verify TLS certificates in 
any way by default.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[Niklas Haas]

On Wed, 23 Jul 2025 13:43:43 +0200 Michael Niedermayer <michael@niedermayer.cc> wrote:
> Hi everyone
>
> I intend to create the release/8.0 branch in the next 1-2 weeks
> after that i intend to make teh 8.0 release in the following 1-2 weeks
>
> If theres something you want in it make sure its pushed before the branch
> is made.
>
> And if theres a bugfix that you want included make sure it either hits
> master before the branch point or cherry pick it into release/8.0
> before the release
>
> Also name ideas as always are welcome, will choose teh one with most
> votes. If theres a tie, i plan to vote last so i can break ties

When can we formally remove YUV pixel formats?

As far as I'm aware, nothing is blocking this, we just need to break the
ABI for it. When is the best time to do that?

>
> thx
>
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> The real ebay dictionary, page 1
> "Used only once"    - "Some unspecified defect prevented a second use"
> "In good condition" - "Can be repaird by experienced expert"
> "As is" - "You wouldnt want it even if you were payed for it, if you knew ..."
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[Niklas Haas]

On Wed, 23 Jul 2025 16:01:14 +0200 Niklas Haas <ffmpeg@haasn.xyz> wrote:
> On Wed, 23 Jul 2025 13:43:43 +0200 Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Hi everyone
> >
> > I intend to create the release/8.0 branch in the next 1-2 weeks
> > after that i intend to make teh 8.0 release in the following 1-2 weeks
> >
> > If theres something you want in it make sure its pushed before the branch
> > is made.
> >
> > And if theres a bugfix that you want included make sure it either hits
> > master before the branch point or cherry pick it into release/8.0
> > before the release
> >
> > Also name ideas as always are welcome, will choose teh one with most
> > votes. If theres a tie, i plan to vote last so i can break ties
>
> When can we formally remove YUV pixel formats?

I of course meant to write YUVJ, although formally removing YUV would make our
lives easier too.

>
> As far as I'm aware, nothing is blocking this, we just need to break the
> ABI for it. When is the best time to do that?
>
> >
> > thx
> >
> > --
> > Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
> >
> > The real ebay dictionary, page 1
> > "Used only once"    - "Some unspecified defect prevented a second use"
> > "In good condition" - "Can be repaird by experienced expert"
> > "As is" - "You wouldnt want it even if you were payed for it, if you knew ..."
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel@ffmpeg.org
> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >
> > To unsubscribe, visit link above, or email
> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1127 bytes --]

On Wed, Jul 23, 2025 at 03:45:28PM +0200, Timo Rothenpieler wrote:
> On 23/07/2025 13:43, Michael Niedermayer wrote:
> > Hi everyone
> > 
> > I intend to create the release/8.0 branch in the next 1-2 weeks
> > after that i intend to make teh 8.0 release in the following 1-2 weeks
> > 
> > If theres something you want in it make sure its pushed before the branch
> > is made.
> 
> Would it be sensible to enable tls verify by default with 8.0?
> Or would that have to go through a longer "deprecation" period?
> 
> We've just added proper verification support to openssl, schannel and other
> backends already had it.
> It's just default-disabled for some reason.
> IMO it'd make sense to turn it on by default, it has surprised me and other
> people in the past that FFmpeg does not verify TLS certificates in any way
> by default.

Is there some disadvantage ?

if not i would suggest to enable it

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What is kyc? Its a tool that makes you give out your real ID, while criminals
give out a forged ID card.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[Dimitry Andric]

On 23 Jul 2025, at 18:27, Michael Niedermayer <michael@niedermayer.cc> wrote:
> 
> On Wed, Jul 23, 2025 at 03:45:28PM +0200, Timo Rothenpieler wrote:
>> On 23/07/2025 13:43, Michael Niedermayer wrote:
>>> Hi everyone
>>> 
>>> I intend to create the release/8.0 branch in the next 1-2 weeks
>>> after that i intend to make teh 8.0 release in the following 1-2 weeks
>>> 
>>> If theres something you want in it make sure its pushed before the branch
>>> is made.
>> 
>> Would it be sensible to enable tls verify by default with 8.0?
>> Or would that have to go through a longer "deprecation" period?
>> 
>> We've just added proper verification support to openssl, schannel and other
>> backends already had it.
>> It's just default-disabled for some reason.
>> IMO it'd make sense to turn it on by default, it has surprised me and other
>> people in the past that FFmpeg does not verify TLS certificates in any way
>> by default.
> 
> Is there some disadvantage ?
> 
> if not i would suggest to enable it

As long as there is a command line option to disable checking, it should
be a good default. There are many sites out there with badly configured
certificates, or self-signed ones, which would no longer work, otherwise.

-Dimitry

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1776 bytes --]

On Wed, Jul 23, 2025 at 06:43:51PM +0200, Dimitry Andric wrote:
> On 23 Jul 2025, at 18:27, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > 
> > On Wed, Jul 23, 2025 at 03:45:28PM +0200, Timo Rothenpieler wrote:
> >> On 23/07/2025 13:43, Michael Niedermayer wrote:
> >>> Hi everyone
> >>> 
> >>> I intend to create the release/8.0 branch in the next 1-2 weeks
> >>> after that i intend to make teh 8.0 release in the following 1-2 weeks
> >>> 
> >>> If theres something you want in it make sure its pushed before the branch
> >>> is made.
> >> 
> >> Would it be sensible to enable tls verify by default with 8.0?
> >> Or would that have to go through a longer "deprecation" period?
> >> 
> >> We've just added proper verification support to openssl, schannel and other
> >> backends already had it.
> >> It's just default-disabled for some reason.
> >> IMO it'd make sense to turn it on by default, it has surprised me and other
> >> people in the past that FFmpeg does not verify TLS certificates in any way
> >> by default.
> > 
> > Is there some disadvantage ?
> > 
> > if not i would suggest to enable it
> 
> As long as there is a command line option to disable checking, it should
> be a good default.

> There are many sites out there with badly configured
> certificates, or self-signed ones, which would no longer work, otherwise.

the fix for this is to check crt.sh

example: https://crt.sh/?q=ffmpeg.org

and if there are or where correct certificates, reject the self signed one
otherwise allow self signed by default with a warning

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Everything should be made as simple as possible, but not simpler.
-- Albert Einstein

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[Jacob Lifshay]

On July 23, 2025 10:48:51 AM PDT, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Wed, Jul 23, 2025 at 06:43:51PM +0200, Dimitry Andric wrote:
> > As long as there is a command line option to disable checking, it should
> > be a good default.
> 
> > There are many sites out there with badly configured
> > certificates, or self-signed ones, which would no longer work, otherwise.

agreed.

> the fix for this is to check crt.sh

please do not make ffmpeg access other websites by default for privacy reasons.

Jacob
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[Nicolas George]

Michael Niedermayer (HE12025-07-23):
> the fix for this is to check crt.sh
> 
> example: https://crt.sh/?q=ffmpeg.org
> 
> and if there are or where correct certificates, reject the self signed one
> otherwise allow self signed by default with a warning

“502 Bad Gateway” I doubt it can be a fix for anything.

Anyway, that cannot be a fix:
- the site could get compromised;
- our users might not trust them;
- the site could be down;
- internet access might not be available;
- the extra latency might be unacceptable;
- …

And it is our users' absolute right to access sites with self-signed or
invalid certificate, starting with sites they operate themselves in test
environments, without the say-so of any other site.

Can somebody confirm there is an option to disable certificate checks
(or at least turns them into a warning) that can be set by the caller
for every protocol that ends in TLS? If not, that feature is not ready
to be enabled by default.

Also, I would prefer if there were at least one release cycle where the
checks are done but not fatal, to let users adapt in their own time.

Regards,

-- 
  Nicolas George
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 2224 bytes --]

On Wed, Jul 23, 2025 at 08:40:22PM +0200, Nicolas George wrote:
> Michael Niedermayer (HE12025-07-23):
> > the fix for this is to check crt.sh
> > 
> > example: https://crt.sh/?q=ffmpeg.org
> > 
> > and if there are or where correct certificates, reject the self signed one
> > otherwise allow self signed by default with a warning
> 
> “502 Bad Gateway”

there are others like
https://osint.sh/crt/


> I doubt it can be a fix for anything.

> 
> Anyway, that cannot be a fix:

> - the site could get compromised;

I think modifying these logs in an undetectable way is cryptographically not simple
https://certificate.transparency.dev/howctworks/


> - our users might not trust them;

The "Certificate Transparency" ? there should be no trust involved here.
Its just an append only log of all certificates

If you meant that the user might not trust a self signed certificate,
even if there never was a better certificate, then the user cannot
access the url in question if thats the only certificate the target url
provides


> - the site could be down;

thats detectable and then no self signed certificate would be accepted by default


> - internet access might not be available;

thats detectable and then no self signed certificate would be accepted by default


> - the extra latency might be unacceptable;

agree
but note, this was a somewhat hypothetical suggestion. I think its an interresting
idea. I dont expect anyone is going to just implement it like this.
The shit performance of these public sites is one problem that would need to be
solved first


> - …
> 
> And it is our users' absolute right to access sites with self-signed or
> invalid certificate, starting with sites they operate themselves in test
> environments, without the say-so of any other site.

agree but that should not be default for a https url.
People today expect https to be secure

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Whats the most studid thing your enemy could do ? Blow himself up
Whats the most studid thing you could do ? Give up your rights and
freedom because your enemy blew himself up.


[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1001 bytes --]

On Wed, Jul 23, 2025 at 11:19:57AM -0700, Jacob Lifshay wrote:
> 
> 
> On July 23, 2025 10:48:51 AM PDT, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > On Wed, Jul 23, 2025 at 06:43:51PM +0200, Dimitry Andric wrote:
> > > As long as there is a command line option to disable checking, it should
> > > be a good default.
> > 
> > > There are many sites out there with badly configured
> > > certificates, or self-signed ones, which would no longer work, otherwise.
> 
> agreed.
> 

> > the fix for this is to check crt.sh
> 
> please do not make ffmpeg access other websites by default for privacy reasons.

I understand and agree to this concern.

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If one takes all money from those who grow wealth and gives it to those who
do not grow wealth, 10 years later, almost the same people who where wealthy
will be wealthy again, the same people who where poor will be poor again.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] FFmpeg 8.0 Release

[James Almer]

[-- Attachment #1.1.1: Type: text/plain, Size: 2132 bytes --]

On 7/23/2025 11:01 AM, Niklas Haas wrote:
> On Wed, 23 Jul 2025 16:01:14 +0200 Niklas Haas <ffmpeg@haasn.xyz> wrote:
>> On Wed, 23 Jul 2025 13:43:43 +0200 Michael Niedermayer <michael@niedermayer.cc> wrote:
>>> Hi everyone
>>>
>>> I intend to create the release/8.0 branch in the next 1-2 weeks
>>> after that i intend to make teh 8.0 release in the following 1-2 weeks
>>>
>>> If theres something you want in it make sure its pushed before the branch
>>> is made.
>>>
>>> And if theres a bugfix that you want included make sure it either hits
>>> master before the branch point or cherry pick it into release/8.0
>>> before the release
>>>
>>> Also name ideas as always are welcome, will choose teh one with most
>>> votes. If theres a tie, i plan to vote last so i can break ties
>>
>> When can we formally remove YUV pixel formats?

It's an ABI break, so when we bump major soname, which we'd do early 
next year.

> 
> I of course meant to write YUVJ, although formally removing YUV would make our
> lives easier too.

How so?

> 
>>
>> As far as I'm aware, nothing is blocking this, we just need to break the
>> ABI for it. When is the best time to do that?
>>
>>>
>>> thx
>>>
>>> --
>>> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>>>
>>> The real ebay dictionary, page 1
>>> "Used only once"    - "Some unspecified defect prevented a second use"
>>> "In good condition" - "Can be repaird by experienced expert"
>>> "As is" - "You wouldnt want it even if you were payed for it, if you knew ..."
>>> _______________________________________________
>>> ffmpeg-devel mailing list
>>> ffmpeg-devel@ffmpeg.org
>>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>>
>>> To unsubscribe, visit link above, or email
>>> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".