On Sat, Aug 16, 2014, at 20:59, Russ Allbery wrote:

> The problem, however, is that taking security seriously, while possibly
> necessary, is not sufficient. I'm glad that FFmpeg takes security
> seriously, but what FFmpeg needs is to *have fewer security bugs*.

JFTR, the Coverity Scan results for ffmpeg look promising: https://scan.coverity.com/projects/54

I am not saying that we should base our decisions on Coverity Scan[1] results, but this is one more metric that could help to weigh the decision in one direction or the other. (Also, this is not advice on what ffmpeg should do...)

From the security viewpoint, I would also be interested in whether ffmpeg has tests and what the current code coverage is. That could help avoid regressions when doing security updates.

1. There are also other tools: llvm/clang scan_build, OCLint, cppcheck (and other metrics like cyclomatic complexity)

Cheers,
Ondrej

P.S.: libav doesn't seem to be using Coverity Scan actively: https://scan.coverity.com/projects/106 (last scan was 4 months ago)

--
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
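The message above asks what the current code coverage is as a regression-risk metric. The script below is an added example, not part of this thread or of FFmpeg's own tooling: it turns the per-file summary that `gcov` prints for a C code base (pairs of `File '...'` and `Lines executed:NN.NN% of M` lines) into one aggregate figure weighted by each file's executable-line count, and lists the files under a threshold. The file names and numbers in `SAMPLE_GCOV_SUMMARY` are constructed sample data; the function names are this example's own.

```shell
#!/bin/sh
# Added example: aggregate gcov line-coverage summaries for a C tree.
# Input format assumed is gcov's textual summary, two lines per file:
#   File 'path/to/file.c'
#   Lines executed:80.00% of 2000
# Constructed sample data (not real FFmpeg coverage numbers):
SAMPLE_GCOV_SUMMARY="File 'libavcodec/decoder_a.c'
Lines executed:80.00% of 2000
File 'libavcodec/decoder_b.c'
Lines executed:10.00% of 200
File 'libavformat/demuxer_c.c'
Lines executed:50.00% of 800"

# aggregate_coverage: read gcov summary text on stdin and print
# "<executed-lines> <total-lines> <percent>". Each file is weighted by
# its executable-line count, so a small, badly covered file does not
# drag the figure down the way a plain average of percentages would.
aggregate_coverage() {
    awk '
        /^Lines executed:/ {
            pct = $0;   sub(/^Lines executed:/, "", pct); sub(/% of .*/, "", pct)
            total = $0; sub(/.* of /, "", total)
            executed += pct * total / 100
            lines    += total
        }
        END {
            if (lines == 0) { print "0 0 0.00"; exit }
            printf "%d %d %.2f\n", executed + 0.5, lines, 100 * executed / lines
        }'
}

# low_coverage_files THRESHOLD: print the path of every file whose line
# coverage is strictly below THRESHOLD percent. These are the spots where
# a security fix is least likely to be caught by the test suite if it
# regresses. Field separator is the single quote so $2 is the path.
low_coverage_files() {
    awk -F "'" -v thr="$1" '
        /^File /           { file = $2 }
        /^Lines executed:/ {
            pct = $0; sub(/^Lines executed:/, "", pct); sub(/%.*/, "", pct)
            if (pct + 0 < thr + 0) print file
        }'
}

# Demonstration on the constructed sample. In a real run you would pipe
# the output of `gcov` over the object files of a --coverage build instead.
printf '%s\n' "$SAMPLE_GCOV_SUMMARY" | aggregate_coverage
printf '%s\n' "$SAMPLE_GCOV_SUMMARY" | low_coverage_files 50
```

On the sample, the weighted aggregate is 67.33% (2020 of 3000 lines), while naively averaging the three percentages would give 46.67%; the difference is why the aggregate is computed from line counts. Only `libavcodec/decoder_b.c` falls under the 50% threshold.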