From: "Jean-Baptiste Kempf"
To: ffmpeg-devel
Subject: Re: [FFmpeg-devel] API enhancements / broken promises
Date: Thu, 18 Aug 2022 19:19:07 +0200
In-Reply-To: <20220817172145.GD2088045@pb2>

On Wed, 17 Aug 2022, at 19:21, Michael Niedermayer wrote:
> an unwise choice. But if someone is against very basic xml or json parsers
> please speak up now and here because it's still better to say "no" now than
> after Nicolas did the work.

Absolutely against this idea.

Both JSON and XML are very very very difficult to parse in a secure manner.

Doing a simple XML parser and a simple JSON parser might be simple tasks for any decent programmer, doing those parsers is extremely difficult because there are a lot of complex corner cases, even if you take a subset of XML.
Unicode, encoding, entities decoding, binary data, languages are not something you can skip, even if you take a subset of XML.
Once you add document validation and DTD, namespaces, recursive XML or XPath/XQuery this makes it a project as big as the whole FFmpeg, and that's why libxml2 is so big.
If you just want DASH and TTML (and maybe fontconfig), you still have to do a large set of features.

And then you need to care about security. It's a difficult problem to fix, and seeing the track record of the security of open source multimedia projects, we should focus on our issues, not adding new ones.

If you believe that you can do a better job than thousands of people paid large amounts of money who spent decades on this problem, then, please do a separate project, host it on git.ffmpeg.org, git.videolan.org or github, and give us a fast streaming API. Please be sure that you validate most test-suites and corner cases too. And fuzz it.
Managing to do that would be an impact probably much bigger than FFmpeg, so don't hesitate. And then FFmpeg will be able to use it, and other projects too.

But for me, until this is ready and battle-tested, it's a hard no.

jb

-- 
Jean-Baptiste Kempf - President
+33 672 704 734
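The "Unicode, encoding, entities decoding" corner cases named in the message above, shown for one small piece of an XML subset: a strict decoder for numeric character references. This is an added example, not part of the original message and not FFmpeg code; `xml_char_ok` and `decode_char_ref` are hypothetical names, and the sample input in `main` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* XML 1.0 "Char" production: the only code points a reference may name. */
static int xml_char_ok(uint32_t cp)
{
    return cp == 0x9 || cp == 0xA || cp == 0xD ||
           (cp >= 0x20 && cp <= 0xD7FF) ||     /* no NUL, no C0 controls */
           (cp >= 0xE000 && cp <= 0xFFFD) ||   /* no surrogates, no U+FFFE/U+FFFF */
           (cp >= 0x10000 && cp <= 0x10FFFF);
}

/* Hypothetical helper: decode one "&#N;" or "&#xH;" reference from a
 * length-bounded buffer. Writes 1-4 UTF-8 bytes to out, stores the input
 * bytes consumed in *used, and returns the output length, or -1 to reject. */
int decode_char_ref(const char *s, size_t len, size_t *used, unsigned char out[4])
{
    size_t i = 2, start;
    uint32_t cp = 0, base = 10;

    if (len < 4 || s[0] != '&' || s[1] != '#')
        return -1;
    if (s[i] == 'x') { base = 16; i++; }       /* only lowercase 'x' is legal */
    start = i;
    for (; i < len && s[i] != ';'; i++) {
        unsigned char c = (unsigned char)s[i];
        uint32_t d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (base == 16 && c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (base == 16 && c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;                        /* also rejects '+', '-', spaces */
        cp = cp * base + d;
        if (cp > 0x10FFFF) return -1;          /* stop before uint32_t can wrap */
    }
    if (i == start || i >= len || !xml_char_ok(cp))
        return -1;                             /* no digits, no ';', bad code point */
    *used = i + 1;
    if (cp < 0x80)    { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800)   { out[0] = 0xC0 | (cp >> 6); out[1] = 0x80 | (cp & 0x3F); return 2; }
    if (cp < 0x10000) { out[0] = 0xE0 | (cp >> 12); out[1] = 0x80 | ((cp >> 6) & 0x3F);
                        out[2] = 0x80 | (cp & 0x3F); return 3; }
    out[0] = 0xF0 | (cp >> 18); out[1] = 0x80 | ((cp >> 12) & 0x3F);
    out[2] = 0x80 | ((cp >> 6) & 0x3F); out[3] = 0x80 | (cp & 0x3F);
    return 4;
}
int main(void)
{
    size_t used; unsigned char out[4];         /* constructed sample input */
    return decode_char_ref("&#x20AC;", 8, &used, out) == 3 ? 0 : 1;
}
```

Every rejection branch here corresponds to an input that a decoder built on `strtol` or a NUL-terminated scan would accept or read past.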