Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
From: "Tomas Härdin" <tjoppen@acc.umu.se>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] API enhancements / broken promises
Date: Thu, 18 Aug 2022 10:48:04 +0200
Message-ID: <fe0e827c3b5b946318e8b9721ab895bb116167f8.camel@acc.umu.se>
In-Reply-To: <20220817172145.GD2088045@pb2>

On Wed, 2022-08-17 at 19:21 +0200, Michael Niedermayer wrote:
> 
> Now to achieve this do we need xml and json?
> grep tells me we have 500 matches (not counting docs) for xml and almost 100
> for json
> Also for streaming and some cases filtering being able to serialize objects
> would be useful. xml and json seem better choices than some ad-hoc format
> So I would answer the question do we need XML and JSON, with yes we live
> in a world that uses XML and JSON so if we give the option to use it too
> that makes it easier for others to interact.
> 
> now do we need our own implementation of it? I don't know but we have
> in almost all cases favored our native implementations when someone wrote
> one. And libxml2 has had so many security issues that I think we should
> at least consider replacing it.

Absolutely not. The solution is to fix and improve libxml2, not to add
to the problem with our own XML parser which will inevitably have its
own set of bugs. NIH for its own sake does nothing but split developer
effort and increase the number of bugs.


Parsing is hard and the source of the vast majority of CVEs. This
project should take the advice of the langsec community to heart.
Resist the urge to write your own shotgun parsers because it is "fun".
Make your protocol context-free or regular!

/Tomas
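
Added example (an editor's illustration, not part of the message above and not FFmpeg or libxml2 code): the "shotgun parser" failure mode next to recognize-then-process, on a constructed regular message format. The format, `struct cfg` and all function names are hypothetical.

```c
#include <ctype.h>
#include <string.h>

/* Constructed format (a regular language): msg = ( ('w'|'h') '=' digit{1,4} ';' )+ */
struct cfg { int w, h; };

/* Recognizer: a side-effect-free DFA that accepts or rejects the WHOLE input.
 * States: 0 expect key, 1 expect '=', 2 expect first digit, 3 inside digits. */
static int recognize(const char *s, size_t n)
{
    int st = 0, digits = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        switch (st) {
        case 0: if (c != 'w' && c != 'h') return 0; st = 1; break;
        case 1: if (c != '=') return 0; st = 2; digits = 0; break;
        default:
            if (isdigit(c)) { if (++digits > 4) return 0; st = 3; }
            else if (c == ';' && st == 3) st = 0;
            else return 0;
        }
    }
    return n > 0 && st == 0; /* must end immediately after a ';' */
}

/* Shotgun style: checks are interleaved with processing, so earlier fields are
 * already written to *c when a later field turns out to be malformed. */
static int shotgun_apply(struct cfg *c, const char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        char key = s[i++];
        int v = 0, d = 0;
        if (i >= n || s[i++] != '=') return -1;
        for (; i < n && d < 4 && isdigit((unsigned char)s[i]); d++)
            v = v * 10 + (s[i++] - '0');
        if (!d || i >= n || s[i++] != ';') return -1;
        if (key == 'w') c->w = v; else if (key == 'h') c->h = v; else return -1;
    }
    return 0;
}

/* Recognize first, process second: invalid input never touches *c. */
static int recognize_then_apply(struct cfg *c, const char *s, size_t n)
{
    return recognize(s, n) ? shotgun_apply(c, s, n) : -1;
}

int main(void) { struct cfg c = {320, 240}; const char *bad = "w=640;h=4x0;";
    return recognize_then_apply(&c, bad, strlen(bad)) == -1 && c.w == 320 ? 0 : 1; }
```

On the constructed input `w=640;h=4x0;` both entry points return an error, but only `shotgun_apply` leaves the caller with a half-updated `struct cfg`.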

