* [FFmpeg-devel] Request for Official GitHub Mirror of rtmpdump for Enhanced Security
@ 2024-04-23 19:04 Javier Matos Denizac via ffmpeg-devel
From: Javier Matos Denizac via ffmpeg-devel @ 2024-04-23 19:04 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Javier Matos Denizac
Dear FFmpeg team,
My name is Javier Matos, and I am part of the vcpkg team at Microsoft. vcpkg is an open-source package manager designed to help developers manage C++ libraries across platforms in a consistent manner.
I am reaching out to inquire if FFmpeg could host an official GitHub mirror for the `rtmpdump` repository on `github.com/FFmpeg`.
Currently, vcpkg uses a mirrored version from `github.com/mirror/rtmpdump`, which is not maintained by the original authors, posing a significant supply chain risk due to potential unauthorized modifications.
Alternatively, while we could switch to using the repository at `git://git.ffmpeg.org/rtmpdump.git`, this source lacks support for SHA512 checksums, complicating asset caching and security verification crucial for ensuring the integrity of the code during downloads.
An official GitHub mirror hosted by FFmpeg would address these issues by providing a secure, verifiable source that we can integrate with vcpkg. Thank you for considering this request. I look forward to your feedback.
Best regards,
Javier Matos
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* Re: [FFmpeg-devel] Request for Official GitHub Mirror of rtmpdump for Enhanced Security
From: Michael Niedermayer @ 2024-04-23 21:46 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Hi
On Tue, Apr 23, 2024 at 07:04:08PM +0000, Javier Matos Denizac via ffmpeg-devel wrote:
> Dear FFmpeg team,
>
>
> My name is Javier Matos, and I am part of the vcpkg team at Microsoft. vcpkg is an open-source package manager designed to help developers manage C++ libraries across platforms in a consistent manner.
>
> I am reaching out to inquire if FFmpeg could host an official GitHub mirror for the `rtmpdump` repository on `github.com/FFmpeg`.
>
> Currently, vcpkg uses a mirrored version from `github.com/mirror/rtmpdump`, which is not maintained by the original authors, posing a significant supply chain risk due to potential unauthorized modifications.
>
> Alternatively, while we could switch to using the repository at `git://git.ffmpeg.org/rtmpdump.git`, this source lacks support for SHA512 checksums, complicating asset caching and security verification crucial for ensuring the integrity of the code during downloads.
Can you elaborate what the problem is?
I would have thought https://git.ffmpeg.org/rtmpdump.git
is secure
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope
* Re: [FFmpeg-devel] Request for Official GitHub Mirror of rtmpdump for Enhanced Security
From: Derek Buitenhuis @ 2024-04-25 12:38 UTC (permalink / raw)
To: ffmpeg-devel
On 4/23/2024 10:46 PM, Michael Niedermayer wrote:
> Can you elaborate what the problem is ?
> I would have thought https://git.ffmpeg.org/rtmpdump.git
> is secure
I have to assume he means SHA-256, and not SHA-512.
git apparently supports using SHA-256 instead of SHA-1 hashes,
but support does not seem to be very mainstream. I am not even
sure GitHub supports it (https://github.com/orgs/community/discussions/12490
seems to indicate not yet).
So either this is vcpkg trying to be very aggressive in
requiring git features, or there is some clarification needed.
- Derek
* Re: [FFmpeg-devel] [EXTERNAL] Request for Official GitHub Mirror of rtmpdump for Enhanced Security
From: Javier Matos Denizac via ffmpeg-devel @ 2024-04-25 23:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches; +Cc: Javier Matos Denizac
Actually, I noticed that you publish release tarballs -> http://rtmpdump.mplayerhq.hu/download/, but I don’t see a release tarball for 2.4. Would y’all be willing to publish a release for 2.4 and maybe mint and publish a release tarball for 2.6?
As for why SHA-512, we use SHA-512 checksums to verify the integrity of the file and as an identifier for our asset caching mechanism. That way we can identify if we have already downloaded the tarball and avoid downloading it again.
- Javier
* Re: [FFmpeg-devel] [EXTERNAL] Request for Official GitHub Mirror of rtmpdump for Enhanced Security
From: Derek Buitenhuis @ 2024-04-26 0:02 UTC (permalink / raw)
To: ffmpeg-devel
Hi,
Replies inline.
On 4/26/2024 12:10 AM, Javier Matos Denizac via ffmpeg-devel wrote:
> Actually, I noticed that you publish release tarballs -> http://rtmpdump.mplayerhq.hu/download/, but I don’t see a release tarball for 2.4. Would y’all be willing to publish a release for 2.4 and maybe mint and publish a release tarball for 2.6?
As far as I can tell, the rtmpdump author has moved away from tarballs
and only uses git tags now, as per https://rtmpdump.mplayerhq.hu/, which
itself seems outdated.
You may have better luck contacting its main contributor (Howard Chu), on
rtmpdump's own mailing list (https://lists.mplayerhq.hu/mailman/listinfo/rtmpdump)
or directly. FFmpeg only provides infrastructure for it, to my knowledge.
> As for why SHA-512, we use SHA-512 checksums to verify the integrity of the file and as an identifier for our asset caching mechanism. That way we can identify if we have already downloaded the tarball and avoid downloading it again.
It was unclear you were talking about tarballs as you only referred to GitHub and
the FFmpeg-run git server...
That said, I am unsure why git is not considered secure / verifiable enough, compared
to a tarball. I would actually argue the opposite is true for autogenerated tarballs
like GitHub provides.
- Derek
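The two mechanisms argued about in this thread, a pinned SHA-512 used both as an integrity check and as a cache key (Javier's message) and the weaker identity that a regenerated tarball gives compared with a content-addressed git object (Derek's last reply), can be shown side by side. The following is an added example written for this page; it is not vcpkg's, FFmpeg's or rtmpdump's code. The `SAMPLE_TREE` files, the `AssetCache` class and the `content_hash` function are constructed for illustration; `content_hash` is a simplified stand-in for what a git tree id does, not git's actual object format.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a release's source tree (not real rtmpdump files).
SAMPLE_TREE = {
    "rtmpdump-2.4/README": b"sample README text\n",
    "rtmpdump-2.4/Makefile": b"all:\n\techo build\n",
}


def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()


def make_tarball(tree, mtime):
    """Build a .tar.gz in memory. mtime is stamped on every entry and in the gzip
    header, which is exactly what happens when an archive is regenerated later."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, content in sorted(tree.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(content))
    gz = io.BytesIO()
    with gzip.GzipFile(fileobj=gz, mode="wb", mtime=mtime) as f:
        f.write(raw.getvalue())
    return gz.getvalue()


def tree_from_tarball(data):
    """Read a .tar.gz back into {path: bytes}, discarding all archive metadata."""
    tree = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                tree[member.name] = tar.extractfile(member).read()
    return tree


def content_hash(tree):
    """Hash over paths and file bytes only (hypothetical helper). This is the kind
    of identity a git commit or tree id gives: it does not move when only
    timestamps or compression settings change."""
    h = hashlib.sha512()
    for name, content in sorted(tree.items()):
        h.update(name.encode() + b"\0" + hashlib.sha512(content).digest())
    return h.hexdigest()


class AssetCache:
    """Cache keyed by the pinned SHA-512 (hypothetical). A hit means the bytes were
    already verified, so no download happens; a miss downloads, verifies against
    the pin, and stores the bytes only if they match."""

    def __init__(self):
        self._store = {}

    def fetch(self, pinned_sha512, download):
        if pinned_sha512 in self._store:
            return self._store[pinned_sha512], True
        data = download()
        actual = sha512_hex(data)
        if actual != pinned_sha512:
            raise ValueError(
                f"checksum mismatch: pinned {pinned_sha512[:16]}..., got {actual[:16]}..."
            )
        self._store[pinned_sha512] = data
        return data, False


def demo():
    # Two archives of the same tree, generated one second apart.
    first = make_tarball(SAMPLE_TREE, mtime=1_700_000_000)
    second = make_tarball(SAMPLE_TREE, mtime=1_700_000_001)

    pin = sha512_hex(first)
    cache = AssetCache()
    _, hit_a = cache.fetch(pin, lambda: first)  # downloads and verifies
    _, hit_b = cache.fetch(pin, lambda: first)  # served from cache, no download

    # A fresh cache holding the same pin, but the server now hands out the
    # regenerated archive: identical content, different bytes, so the pin fails.
    try:
        AssetCache().fetch(pin, lambda: second)
        regenerated_rejected = False
    except ValueError:
        regenerated_rejected = True

    return {
        "archive_sha512_identical": sha512_hex(first) == sha512_hex(second),
        "content_hash_identical": content_hash(tree_from_tarball(first))
        == content_hash(tree_from_tarball(second)),
        "first_fetch_was_hit": hit_a,
        "second_fetch_was_hit": hit_b,
        "regenerated_rejected": regenerated_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the results make is the one Derek raises: a SHA-512 over archive bytes is a perfectly good integrity check and cache key for a tarball that never changes, but an autogenerated tarball can change its bytes without any change to the source, which then looks like tampering. Pinning a git commit id (or a content hash like the simplified one here) gives an identity that survives regeneration.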