Date: Thu, 24 Jul 2025 01:58:42 +0200
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] FFmpeg 8.0 Release

On Wed, Jul 23, 2025 at 08:40:22PM +0200, Nicolas George wrote:
> Michael Niedermayer (HE12025-07-23):
> > the fix for this is to check crt.sh
> >
> > example: https://crt.sh/?q=ffmpeg.org
> >
> > and if there are or were correct certificates, reject the self signed one
> > otherwise allow self signed by default with a warning
>
> “502 Bad Gateway”

there are others like https://osint.sh/crt/

> I doubt it can be a fix for anything.
>
> Anyway, that cannot be a fix:
> - the site could get compromised;

I think modifying these logs in an undetectable way is cryptographically not simple
https://certificate.transparency.dev/howctworks/

> - our users might not trust them;

The "Certificate Transparency" ? there should be no trust involved here.
It's just an append only log of all certificates

If you meant that the user might not trust a self signed certificate, even if there
never was a better certificate, then the user cannot access the url in question
if that's the only certificate the target url provides

> - the site could be down;

that's detectable and then no self signed certificate would be accepted by default

> - internet access might not be available;

that's detectable and then no self signed certificate would be accepted by default

> - the extra latency might be unacceptable;

agree

but note, this was a somewhat hypothetical suggestion. I think it's an interesting
idea. I don't expect anyone is going to just implement it like this.
The shit performance of these public sites is one problem that would need to be
solved first

> - …
>
> And it is our users' absolute right to access sites with self-signed or
> invalid certificate, starting with sites they operate themselves in test
> environments, without the say-so of any other site.

agree but that should not be default for a https url. People today expect
https to be secure

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What's the most stupid thing your enemy could do ? Blow himself up
What's the most stupid thing you could do ? Give up your rights and
freedom because your enemy blew himself up.
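The default policy discussed in the message above, as an added example that is not part of the original mail or of FFmpeg: a self-signed certificate is rejected when the log shows a certificate for the host now or in the past, rejected when the log cannot be queried, and otherwise allowed with a warning. The `lookup` callable, the result names and the sample records are assumptions; the records are constructed in the shape of crt.sh's JSON output, of which only the `name_value` field is used.

```python
import json

# Constructed sample records; "name_value" holds newline-separated DNS names.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA",          # expired certificate
     "name_value": "media.example.org\nwww.example.org",
     "not_before": "2023-01-10T00:00:00", "not_after": "2023-04-10T00:00:00"},
    {"issuer_name": "C=US, O=Example CA",
     "name_value": "*.cdn.example.org",
     "not_before": "2025-06-01T00:00:00", "not_after": "2025-08-30T00:00:00"},
])

REJECT, ALLOW_WITH_WARNING = "reject", "allow-with-warning"


def name_covers(pattern, host):
    """True if a certificate DNS name (optionally a wildcard) covers host."""
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        _, _, parent = host.partition(".")
        return parent == pattern[2:]
    return pattern == host


def decide_self_signed(host, lookup):
    """Decide what to do with a self-signed certificate presented by host.

    lookup(host) is a hypothetical callable that returns the log query
    result as JSON text, or raises OSError when the service is unreachable.
    """
    host = host.lower().rstrip(".")
    try:
        records = json.loads(lookup(host))
        if not isinstance(records, list):
            raise ValueError("unexpected response shape")
    except (OSError, ValueError) as exc:
        # Log service down or no network: detectable, so fail closed.
        return REJECT, f"CT lookup failed ({exc})"
    for rec in records:
        for name in rec.get("name_value", "").lower().split():
            if name_covers(name.rstrip("."), host):
                # A CA-issued certificate exists or existed, even if expired.
                return REJECT, f"CT log has a certificate for {name}"
    return ALLOW_WITH_WARNING, "no logged certificate for this name"
```

An explicit user opt-in for test environments, as raised in the quoted text, would sit outside this default and bypass the lookup entirely.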