Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-19 Thread compn
On Tue, 19 Nov 2024 14:03:51 +
Derek Buitenhuis  wrote:

> On 11/12/2024 7:55 PM, compn wrote:
> > On Tue, 12 Nov 2024 16:46:42 +
> > Derek Buitenhuis  wrote:
> >   
> >> On 11/11/2024 7:34 PM, compn wrote:  
> >>> one of my goals is to make sure that certain developers, who made
> >>> their own project and then ran it into the ground, arent made as
> >>> admins again. they had a good run but couldnt even make an
> >>> announcement that their project had died. the last one out, did
> >>> not turn out the lights.
> >>
> >> I appreciate you going mask off.
> >>
> >> I don't consider this at all acceptable behavior.  
> > 
> > my personal opinion of who can be root in our project is not
> > acceptable behavior ? feel free to explain.  
> 
> Your goal of specifically excluding certain members of the community
> because you're salty about the past is not acceptable behavior in
> what should be an inclusive community.

i see.

> > i asked you in person at vdd last week if you met the requirements
> > to administer ffmpeg (which iirc is just bare minimum "do you have
> > 1+ years of server administration experience"), and you declined to
> > tell me if you met the requirements. which is fine, no one has to
> > tell me anything.  
> 
> You didn't ask me anything in person to my face, only rambled during
> the meeting.
> 
> I also never proposed myself so I don't even know why that is
> relevant.
> 
> > 
> > not answering simple questions in person, and not updating old
> > github repositories makes me less inclined to vote for you as an
> > administrator in the future. in my personal opinion.  
> 
> I am forwarding these lies to the non-functioning CC. You're making up
> stuff I never proposed and that never happened, and it is inflammatory
> BS.
> 
> - Derek

sorry, i apologize.  i didnt mean to antagonize you or anyone else.

-compn
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-19 Thread Derek Buitenhuis
On 11/12/2024 7:55 PM, compn wrote:
> On Tue, 12 Nov 2024 16:46:42 +
> Derek Buitenhuis  wrote:
> 
>> On 11/11/2024 7:34 PM, compn wrote:
>>> if your goal is to post old quotes, thats cool.  
>>
>> Woosh.
> 
> the quotes are from michael in 2015 saying elect a new leader. pretty
> sure we never elected one.
> 
> feel free to start a vote.

The lack of an election does not mean one retains BDFL.

>  
>>> one of my goals is to make sure that certain developers, who made
>>> their own project and then ran it into the ground, arent made as
>>> admins again. they had a good run but couldnt even make an
>>> announcement that their project had died. the last one out, did not
>>> turn out the lights.  
>>
>> I appreciate you going mask off.
>>
>> I don't consider this at all acceptable behavior.
> 
> my personal opinion of who can be root in our project is not acceptable
> behavior ? feel free to explain.

Your goal of specifically excluding certain members of the community because
you're salty about the past is not acceptable behavior in what should be an
inclusive community.

> i dont think you were an admin there, i wasnt including you in that
> list.

Irrelevant.

> although since you are listed as a member
> on https://github.com/libav/ , and you asked to be root @ ffmpeg, i'm asking 
> you to do an administrative task and either update that github repo or take 
> the steps to close it down.

It should be updated to say Libav is long dead, yes.

> i asked you in person at vdd last week if you met the requirements
> to administer ffmpeg (which iirc is just bare minimum "do you have 1+
> years of server administration experience"), and you declined to
> tell me if you met the requirements. which is fine, no one has to tell
> me anything.

You didn't ask me anything in person to my face, only rambled during
the meeting.

I also never proposed myself so I don't even know why that is relevant.

> 
> not answering simple questions in person, and not updating old
> github repositories makes me less inclined to vote for you as an
> administrator in the future. in my personal opinion.

I am forwarding these lies to the non-functioning CC. You're making up stuff I
never proposed and that never happened, and it is inflammatory BS.

- Derek


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-19 Thread Derek Buitenhuis
On 11/12/2024 7:37 PM, compn wrote:
> concern trolling?

I am pointing out Michael's own logic isn't even consistent with itself.

What his logic *actually* is, is that of course *he* is trustworthy, to
him.

> 
> you're concerned about one developer adding in a backdoor, so the
> solution is to add more developers? if you dont trust the 1 how would
> you trust the n+1 or the n-1 ? just because they meet you in person and
> watch you eat a bunch of mosquitos at a dinner ? thats your level of
> security?

This is seriously the biggest joke of "security" logic I have ever seen.

Just endless BS replied to keep the status quo; insane arguments so that
nothing ever happens.

For my own mental health I am ceasing to reply here. This sort of crap
is why I took several years off this community. 

- Derek


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-19 Thread Derek Buitenhuis
On 11/12/2024 6:41 PM, Rémi Denis-Courmont wrote:
> I don't think that Derek meant that literally. The GA is not a legal entity 
> so it can't hold a domain name or a trademark in the first place, or for that 
> matter physical servers or hosting service contracts. Just like the bank 
> account, these things should be held by a non-profit - preferably the same 
> one that already has the bank account(s).
> 
> I think Derek's point is what the governance should be, not what the legal 
> ownership should be.

This.

- Derek


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-17 Thread compn
On Wed, 13 Nov 2024 12:58:40 +0100
Michael Niedermayer  wrote:

> So here's the list of people who will have git write access after
> dormant accounts are disabled. All the ones here were active in the
> last 10 years as a committer in FFmpeg. No one is added, everyone from
> this list had access before
> 
> wm4


is wm4 still active? nothing since ~2018? 

https://patchwork.ffmpeg.org/project/ffmpeg/list/?submitter=110

not on irc. no longer in mpv project either.

ugh i bet "active in last 5 years" is grim.

-compn


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-17 Thread Michael Niedermayer
On Wed, Nov 13, 2024 at 12:58:40PM +0100, Michael Niedermayer wrote:
> Hi
> 
> On Sun, Nov 10, 2024 at 07:44:11PM +0100, Michael Niedermayer wrote:
> > Hi all
> > 
> > On Sat, Nov 09, 2024 at 05:18:08PM +0100, Michael Niedermayer wrote:
> > > Hi all
> > > 
> > > Should we disable git accounts for developers who have not been active 
> > > since
> > > a long time (like 10 years) ?
> > > 
> > > (if these developers come back, the account would then be enabled again)
> > > but disabling such accounts may improve security (lots of "if" here but
> > > assuming they lose their key, assuming whoever gets hold of the key
> > > has interest and ability to attack ffmpeg and and and, the risk here
> > > is likely low but not 0)
> > 
> > I count currently 127 people with git write access
> > above suggestion would disable around 33 accounts.
> > 
> > I cannot show the list because of GDPR
> > but the remaining 127-33 accounts are on this list:
> > git log  --since 10.years --first-parent --pretty=fuller | grep '^Commit:' 
> > | sort | uniq
> > 
> > Note that above command will not produce a clean list. It requires manual
> > cleanup, "Commit:" is just a text field and not everything that's in that
> > field has or had a write account. But I cannot post people's names or email
> > addresses
> > 
> > If i hear no one objecting to this (and there are already multiple people
> > in favor) then i will disable the 33 accounts in a few days
> 
> I have rechecked this situation and IIUC the GDPR has some exceptions
> for cases where it's in the public interest. I think listing who has
> git write of a public project like FFmpeg is in the public interest
> and that transparency weighs heavier
> 
> So here's the list of people who will have git write access after dormant
> accounts are disabled. All the ones here were active in the last 10 years
> as a committer in FFmpeg. No one is added, everyone from this list had access
> before
> 
> mstorsjo ajacobs akhirnov cehoyos ngeorge thardin rdoeffinger rsbultje 
> mniedermayer pross rpinochet ssabatini bcoudurier ahannula rpolla compn 
> benoit philipl gbeauchesne ubitux beastd durandal daemon404 pasteeater wm4 
> jamrial lukaszm jzern andreasc timo rostislav nevcairiel claudio gramner cus 
> thilo pedro arttu vesselin timothygu mattoliver rcombs mateo gajjanag kierank 
> jamesdarnley tvolkert mfaiz rkern kswanson jkqxz josh pburt jansebechlebsky 
> aconverse stevenliu mjbshaw bangnoise vittorio tobiasrapp agupta foo86 jeeb 
> martinv jorge kjeyapal junzhao gyan pavel lizhong laurikasanen songruiling 
> yejunguo hwren jluthra agelman arheinhardt lmwang linjiefu zanevi shutchinson 
> haihao haasn zhilizhao leoizen pal courmisch lynne dmitrii nuomi bsmith 
> feiwan ePirat marth64
> 
> (some people above have 2 keys, these duplicates were removed)
> 
> I intend to wait a few more days before updating the list so people
> can review this. Mistakes are not impossible as i had to match these
> to the emails from git by hand

change applied.
No one active as a committer in FFmpeg in the last 10 years should have lost
access.
If someone did lose access, please immediately contact me, I'll fix it

thx

[...]

-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If the United States is serious about tackling the national security threats 
related to an insecure 5G network, it needs to rethink the extent to which it
values corporate profits and government espionage over security.-Bruce Schneier




Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-15 Thread compn
On Wed, 13 Nov 2024 10:44:29 -1000
compn  wrote:
> the server admins know who has access. the access list isnt a public
> document. some developers want it to be a public document.
> i dont particularly care if the list is public or not.
> 
> i am curious to know why this is now an important issue, though.

to answer my own question it might come from this sovereign tech fund
program from last year (or a similar guideline). in that it's a
good idea to document FOSS project infrastructure and behind-the-scenes
stuff.

https://www.sovereign.tech/programs/challenges#more-about-the-challenges

>3. FOSS Infrastructure Documentation
>
>The FOSS Infrastructure Documentation Challenge invites participants
>to create comprehensive documentation for the most critical and
>widely-used FOSS infrastructure projects.
>
>Documentation is an essential part of any software project, but
>especially for FOSS projects, as it can be a significant barrier to
>entry for new users and contributors if it is not well written and
>organized.
>
>The goal of this challenge is to make FOSS projects more accessible to
>new users and contributors through improved documentation and better
>knowledge management. Participants will improve the documentation for a
>FOSS infrastructure project of their choice and ensure that it is
>clear, concise, up-to-date, and accurate.

although that might apply more to other projects it also applies to
ffmpeg.

more info for securing your FOSS project:
https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

-compn


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-13 Thread Leo Izen

On 11/13/24 1:15 PM, Michael Niedermayer wrote:

> so there are no unlabeled keys, it's all there just not in a machine-parsable
> list
> for example your key addition looks like this:

I see. If everyone who has access is known then I don't see any issue 
with disabling push access to accounts that have made no commits in a 
decade, and I don't believe anyone has objected to that either. (As you 
mentioned, if they become active we can re-add them.)


- Leo Izen (Traneptora)



Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-13 Thread Ronald S. Bultje
Hi,

On Wed, Nov 13, 2024 at 3:45 PM compn  wrote:

> people are using XV as an example, sure.
>

(I think you meant xz.)

Ronald


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-13 Thread compn
On Wed, 13 Nov 2024 12:29:22 -0500
Leo Izen  wrote:

> Yes, clearly, but an issue has come up that apparently we don't know
> who has access to our infrastructure. How do we not know this?

no.

the server admins know who has access. the access list isnt a public
document. some developers want it to be a public document.
i dont particularly care if the list is public or not.

i am curious to know why this is now an important issue, though.

people are using XV as an example, sure. but XV is not ffmpeg.
although i guess a distro could always tie ffmpeg and ssh into systemd
because they have no brains.
backdoors get installed in software all the time. and hardware.

to prevent an XV type backdoor in the future, separate source code from
binary testfiles in all open source projects. its difficult to hide an
exploit like that in source code, but much easier when you can throw a
big binary blob in the repo.

-compn


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-13 Thread Michael Niedermayer
Hi Traneptora

On Wed, Nov 13, 2024 at 12:29:22PM -0500, Leo Izen wrote:
> On 11/9/24 11:18 AM, Michael Niedermayer wrote:
> > Hi all
> > 
> > Should we disable git accounts for developers who have not been active since
> > a long time (like 10 years) ?
> > 
> > (if these developers come back, the account would then be enabled again)
> > but disabling such accounts may improve security (lots of "if" here but
> > assuming they lose their key, assuming whoever gets hold of the key
> > has interest and ability to attack ffmpeg and and and, the risk here
> > is likely low but not 0)
> > 
> > thx
> 
> Yes, clearly, but an issue has come up that apparently we don't know who has
> access to our infrastructure. How do we not know this?
> 
> When michael gave me push access, he asked for my SSH public key, presumably
> to add to an authorized_keys file somewhere. I presume since he has write
> access to this file, he can also read it.

We use gitolite
gitolite uses git itself to track all changes to who has what access to what
repository

There is an authorized_keys file but that is built by hooks from gitolite
out of the gitolite config and keys.

previously gitosis was used but it's basically the same

so there are no unlabeled keys, it's all there just not in a machine-parsable
list
for example your key addition looks like this:

commit 149f636328a060c814a429af7e4df40ad20e0e4d (origin/master, origin/HEAD, 
last-master)
Author: Michael Niedermayer 
Date:   Tue Jan 24 18:01:21 2023 +0100

Add Leo Izen  to FFmpeg

Signed-off-by: Michael Niedermayer 

 gitosis.conf   | 2 +-
 keydir/leoizen.pub | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

[...]

-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Democracy is the form of government in which you can choose your dictator


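Michael's point above is that the access list is a git-tracked gitolite config plus a keydir, so it is auditable even if it is not published in machine-parsable form. The script below is an added example, not gitolite's code and not FFmpeg's real configuration: it parses a small constructed gitolite.conf-style file and a constructed list of keydir file names, lists who can push to a repository, and cross-checks the keys against the config, which is the "unlabeled keys" question Leo raises in the thread. The group/repo/permission subset it understands, the `daemon`/`gitweb` pseudo-user handling and the `<user>@<tag>.pub` key-naming rule are assumptions for the example; real gitolite syntax is larger.

```python
"""Audit a gitolite-style access config against its key directory.

Added example; not gitolite's code and not FFmpeg's real gitolite.conf.
Understands only the subset of syntax used in SAMPLE_CONF below:
'@group = members', 'repo name' blocks and 'PERM = users' lines.
"""

# Constructed sample config; user names are placeholders, not real accounts.
SAMPLE_CONF = """\
# groups
@admins     = mniedermayer
@committers = leoizen compn

repo gitolite-admin
    RW+ = @admins

repo ffmpeg
    RW+ = @admins
    RW  = @committers oldtimer
    R   = daemon gitweb
"""

# File names as `ls keydir` would print them (constructed).
SAMPLE_KEYDIR = ["mniedermayer.pub", "leoizen.pub", "compn.pub",
                 "oldtimer.pub", "mystery.pub"]

WRITE_PERMS = {"RW", "RW+"}
# gitolite pseudo-users for git-daemon/gitweb read access; they have no key.
SPECIAL_USERS = {"daemon", "gitweb"}


def parse_conf(text):
    """Return (groups, repos): '@name' -> member tokens, repo -> {perm: tokens}."""
    groups, repos = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@") and "=" in line:
            name, members = (s.strip() for s in line.split("=", 1))
            groups.setdefault(name, set()).update(members.split())
        elif line.startswith("repo "):
            current = line.split(None, 1)[1].strip()
            repos.setdefault(current, {})
        elif "=" in line and current is not None:
            lhs, members = (s.strip() for s in line.split("=", 1))
            perm = lhs.split()[0]             # ignore any refex after the perm
            repos[current].setdefault(perm, set()).update(members.split())
        else:
            raise ValueError(f"unsupported config line: {raw!r}")
    return groups, repos


def expand(tokens, groups, _seen=()):
    """Resolve @group tokens to user names, recursively, guarding against cycles."""
    users = set()
    for tok in tokens:
        if tok.startswith("@"):
            if tok not in _seen:
                users |= expand(groups.get(tok, ()), groups, _seen + (tok,))
        else:
            users.add(tok)
    return users


def writers(repo, conf_text):
    """Sorted user names with push (RW or RW+) access to `repo`."""
    groups, repos = parse_conf(conf_text)
    users = set()
    for perm, members in repos.get(repo, {}).items():
        if perm in WRITE_PERMS:
            users |= expand(members, groups)
    return sorted(users)


def key_user(filename):
    """keydir/<user>.pub or keydir/<user>@<tag>.pub -> <user> (assumed subset)."""
    stem = filename[:-4] if filename.endswith(".pub") else filename
    return stem.split("@", 1)[0]


def audit_keys(conf_text, keydir):
    """Cross-check keys against the config.

    keys_without_access: key present but no repo grants that user anything
                         (an orphaned or unlabeled key to investigate).
    users_without_key:   config names a user who could not log in anyway.
    """
    groups, repos = parse_conf(conf_text)
    named = set()
    for perms in repos.values():
        for members in perms.values():
            named |= expand(members, groups)
    keyed = {key_user(f) for f in keydir}
    return {
        "keys_without_access": sorted(keyed - named),
        "users_without_key": sorted(named - keyed - SPECIAL_USERS),
    }


if __name__ == "__main__":
    print("ffmpeg writers:", writers("ffmpeg", SAMPLE_CONF))
    print("audit:", audit_keys(SAMPLE_CONF, SAMPLE_KEYDIR))
```

On a real gitolite-admin checkout you would feed `writers` the contents of conf/gitolite.conf and `audit_keys` the result of listing keydir/; the history of that repository then tells you when each entry was added, as the commit Michael quotes illustrates.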


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-13 Thread Leo Izen

On 11/9/24 11:18 AM, Michael Niedermayer wrote:

> Hi all
> 
> Should we disable git accounts for developers who have not been active since
> a long time (like 10 years) ?
> 
> (if these developers come back, the account would then be enabled again)
> but disabling such accounts may improve security (lots of "if" here but
> assuming they lose their key, assuming whoever gets hold of the key
> has interest and ability to attack ffmpeg and and and, the risk here
> is likely low but not 0)
> 
> thx


Yes, clearly, but an issue has come up that apparently we don't know who 
has access to our infrastructure. How do we not know this?


When michael gave me push access, he asked for my SSH public key, 
presumably to add to an authorized_keys file somewhere. I presume since 
he has write access to this file, he can also read it.


I'd imagine that some of these keys are not labeled who they belong to, 
which is why we don't know. If the keys were all labeled we'd know who 
they all belong to.


But regardless, I don't think anybody is opposed to having michael go 
through and check which keys haven't been used in 10 years and removing 
them from that authorized_keys file.


I'd even say that we may go as far and remove *every* key that is 
unlabeled unless we can clearly establish who it belongs to and label it 
as such. We need to know who these keys belong to so we can contact 
those people if necessary or know who they are at all.


- Leo Izen (Traneptora)



Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-13 Thread Michael Niedermayer
Hi

On Sun, Nov 10, 2024 at 07:44:11PM +0100, Michael Niedermayer wrote:
> Hi all
> 
> On Sat, Nov 09, 2024 at 05:18:08PM +0100, Michael Niedermayer wrote:
> > Hi all
> > 
> > Should we disable git accounts for developers who have not been active since
> > a long time (like 10 years) ?
> > 
> > (if these developers come back, the account would then be enabled again)
> > but disabling such accounts may improve security (lots of "if" here but
> > assuming they lose their key, assuming whoever gets hold of the key
> > has interest and ability to attack ffmpeg and and and, the risk here
> > is likely low but not 0)
> 
> I count currently 127 people with git write access
> above suggestion would disable around 33 accounts.
> 
> I cannot show the list because of GDPR
> but the remaining 127-33 accounts are on this list:
> git log  --since 10.years --first-parent --pretty=fuller | grep '^Commit:' | 
> sort | uniq
> 
> Note that above command will not produce a clean list. It requires manual
> cleanup, "Commit:" is just a text field and not everything that's in that field
> has or had a write account. But I cannot post people's names or email addresses
> 
> If i hear no one objecting to this (and there are already multiple people
> in favor) then i will disable the 33 accounts in a few days

I have rechecked this situation and IIUC the GDPR has some exceptions
for cases where it's in the public interest. I think listing who has
git write of a public project like FFmpeg is in the public interest
and that transparency weighs heavier

So here's the list of people who will have git write access after dormant
accounts are disabled. All the ones here were active in the last 10 years
as a committer in FFmpeg. No one is added, everyone from this list had access
before

mstorsjo ajacobs akhirnov cehoyos ngeorge thardin rdoeffinger rsbultje 
mniedermayer pross rpinochet ssabatini bcoudurier ahannula rpolla compn benoit 
philipl gbeauchesne ubitux beastd durandal daemon404 pasteeater wm4 jamrial 
lukaszm jzern andreasc timo rostislav nevcairiel claudio gramner cus thilo 
pedro arttu vesselin timothygu mattoliver rcombs mateo gajjanag kierank 
jamesdarnley tvolkert mfaiz rkern kswanson jkqxz josh pburt jansebechlebsky 
aconverse stevenliu mjbshaw bangnoise vittorio tobiasrapp agupta foo86 jeeb 
martinv jorge kjeyapal junzhao gyan pavel lizhong laurikasanen songruiling 
yejunguo hwren jluthra agelman arheinhardt lmwang linjiefu zanevi shutchinson 
haihao haasn zhilizhao leoizen pal courmisch lynne dmitrii nuomi bsmith feiwan 
ePirat marth64

(some people above have 2 keys, these duplicates were removed)

I intend to wait a few more days before updating the list so people
can review this. Mistakes are not impossible as i had to match these
to the emails from git by hand

thx

[...]

-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are too smart to engage in politics are punished by being
governed by those who are dumber. -- Plato 


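The message above derives the active-committer list with `git log --since 10.years --first-parent --pretty=fuller | grep '^Commit:' | sort | uniq` and notes that the result needs manual cleanup. The script below is an added example, not FFmpeg or mailing-list code: it parses the same `--pretty=fuller` output directly, reports the newest commit per committer, and flags those outside a 10-year window. The log text and the review date `AS_OF` are constructed sample data. It keys on the `Commit:` field only, since the committer is whoever pushed, and, as the thread says, matching a name or e-mail to a git account is still a manual step.

```python
"""Report committers with no commits in the last N years.

Added example, not FFmpeg or mailing-list code. Parses the output of
`git log --first-parent --pretty=fuller` (the format discussed in the
thread) and keys on the 'Commit:' field, because the committer is the
person who pushed, not necessarily the patch author.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample of `git log --first-parent --pretty=fuller` output.
# E-mails use the reserved .invalid TLD; these are not real people.
SAMPLE_LOG = """\
commit 0123456789abcdef0123456789abcdef01234567
Author:     Alice Example <alice@example.invalid>
AuthorDate: Mon Jan 8 10:00:00 2024 +0100
Commit:     Alice Example <alice@example.invalid>
CommitDate: Mon Jan 8 10:00:00 2024 +0100

    lavc: constructed sample commit

commit 89abcdef0123456789abcdef0123456789abcdef
Author:     Bob Example <bob@example.invalid>
AuthorDate: Tue Mar 3 12:00:00 2015 +0000
Commit:     Carol Example <carol@example.invalid>
CommitDate: Tue Mar 3 12:30:00 2015 +0000

    constructed sample: authored by bob, pushed by carol

commit fedcba9876543210fedcba9876543210fedcba98
Author:     Dave Example <dave@example.invalid>
AuthorDate: Wed Jun  5 09:00:00 2013 +0200
Commit:     Dave Example <dave@example.invalid>
CommitDate: Wed Jun  5 09:00:00 2013 +0200

    constructed sample: last commit more than a decade ago
"""

# Assumed review date; use datetime.now(timezone.utc) for live use.
AS_OF = datetime(2024, 11, 13, tzinfo=timezone.utc)

_COMMIT_RE = re.compile(r"^Commit:\s+(?P<name>.*?)\s*<(?P<email>[^>]+)>", re.M)
_DATE_RE = re.compile(r"^CommitDate:\s+(?P<date>.+?)\s*$", re.M)


def parse_git_date(text):
    """Parse git's default date string, e.g. 'Tue Jan 24 18:01:21 2023 +0100'."""
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y %z")


def last_commit_dates(log_text):
    """Map each committer e-mail (lower-cased) to the date of their newest commit."""
    latest = {}
    # Records are separated by lines of the form 'commit <40 hex sha>'.
    for record in re.split(r"^commit [0-9a-f]{40}", log_text, flags=re.M):
        who = _COMMIT_RE.search(record)
        when = _DATE_RE.search(record)
        if not (who and when):
            continue  # preamble, or a record lacking the fields we need
        email = who.group("email").lower()
        stamp = parse_git_date(when.group("date"))
        if email not in latest or stamp > latest[email]:
            latest[email] = stamp
    return latest


def dormant_committers(log_text, as_of=AS_OF, years=10):
    """Return committer e-mails whose newest commit is older than `years` years."""
    cutoff = as_of.replace(year=as_of.year - years)
    return sorted(e for e, d in last_commit_dates(log_text).items() if d < cutoff)


if __name__ == "__main__":
    # Real use: git log --first-parent --pretty=fuller | python3 dormant.py
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for email, stamp in sorted(last_commit_dates(log).items()):
        print(f"{email:30} last commit {stamp:%Y-%m-%d}")
    print("dormant (no commit in 10 years):", dormant_committers(log))
```

Note that the sample's second record has Bob as author and Carol as committer: Bob never appears in the result, because only whoever pushed needed write access. Run without `--since` so the full history is available to compute each committer's newest date.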


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Kieran Kunhya via ffmpeg-devel
On Wed, 13 Nov 2024, 00:10 Michael Niedermayer, 
wrote:

> Hi
>
> On Tue, Nov 12, 2024 at 10:38:09PM +, Kieran Kunhya via ffmpeg-devel
> wrote:
> > On Tue, 12 Nov 2024, 21:03 Michael Niedermayer, 
> > wrote:
> >
> > > On Tue, Nov 12, 2024 at 05:32:40PM +, Derek Buitenhuis wrote:
> > > > On 11/12/2024 5:07 PM, James Almer wrote:
> > > > > I personally don't agree with giving the domain/trademark to the
> > > general
> > > > > assembly, as some have argued. It's just not safe at all.
> > > >
> > > > Sorry, I didn't necessarily mean giving it to the GA. I mean having
> it
> > > in a
> > > > better state than being held hostage by someone who hasn't been
> around
> > > in 20
> > > > years and only talks to one person.
> > > >
> > >
> > > > It essentially gives that one person the ability to hold the whole
> > > project hostage.
> > >
> > > This statement is true for every case where a person holds a trademark
> or
> > > domain
> > > Its also true for every legal entity holding them, as said legal
> entity is
> > > generally
> > > controlled by one person at some level.
> > >
> >
> > It's possible to have entities where no single person is in control.
>
> which then have a single person applying their decision. Again a single
> person who holds the password for the domain registrar.
>
> One can stack more and more complexity to battle all this. But to
> go back to the start. The domain and trademark owner has not abused his
> power ever in the whole lifetime of the project. Some people maybe
> dont trust anyone they have not personally met, but that is unsolvable
> unless you limit the size of the community, there will always be
> community members who never met.
>
>
> >
> > Most importantly though, if one person is in control, it's documented and
> > legally required to be on the public record.
>
> In the past the community preferred not to publicly list individuals so
> as to
> make the project and its members harder to attack.
>
> Also everyone in the community knows who owns the domain and trademark.
>

Who owns avcodec.org? As Derek says this domain also matters.

Kieran

>


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Michael Niedermayer
Hi Kyle

On Tue, Nov 12, 2024 at 02:09:25PM -0800, Kyle Swanson wrote:
> Hi,
> 
> Should we consult with someone (a professional) outside of FFmpeg to
> assess the situation and provide a set of recommendations? This would
> be money well spent IMO.

I do have a list of ideas from people (not the quite vocal people in the recent
threads) about infra. And i intend to go through that list. (which will take time)
That said, more ideas are certainly welcome. (please send any and
all ideas about improving infra to me and or to ffmpeg-devel, only
nice and polite mails welcome)

A proper review/audit of our infra is not a bad idea. But that should
be done after we ourselves have reviewed and evaluated suggestions
we have come up with ourselves.
So we don't waste money on things we can find ourselves.

thx

[...]

-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire




Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Michael Niedermayer
Hi

On Tue, Nov 12, 2024 at 10:38:09PM +, Kieran Kunhya via ffmpeg-devel wrote:
> On Tue, 12 Nov 2024, 21:03 Michael Niedermayer, 
> wrote:
> 
> > On Tue, Nov 12, 2024 at 05:32:40PM +, Derek Buitenhuis wrote:
> > > On 11/12/2024 5:07 PM, James Almer wrote:
> > > > I personally don't agree with giving the domain/trademark to the
> > general
> > > > assembly, as some have argued. It's just not safe at all.
> > >
> > > Sorry, I didn't necessarily mean giving it to the GA. I mean having it
> > in a
> > > better state than being held hostage by someone who hasn't been around
> > in 20
> > > years and only talks to one person.
> > >
> >
> > > It essentially gives that one person the ability to hold the whole
> > project hostage.
> >
> > This statement is true for every case where a person holds a trademark or
> > domain
> > Its also true for every legal entity holding them, as said legal entity is
> > generally
> > controlled by one person at some level.
> >
> 
> It's possible to have entities where no single person is in control.

which then have a single person applying their decision. Again a single
person who holds the password for the domain registrar.

One can stack more and more complexity to battle all this. But to
go back to the start. The domain and trademark owner has not abused his
power ever in the whole lifetime of the project. Some people maybe
dont trust anyone they have not personally met, but that is unsolvable
unless you limit the size of the community, there will always be
community members who never met.


> 
> Most importantly though, if one person is in control, it's documented and
> legally required to be on the public record.

In the past the community preferred not to publicly list individuals so as to
make the project and its members harder to attack.

Also everyone in the community knows who owns the domain and trademark.

thx

[...]

-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

During times of universal deceit, telling the truth becomes a
revolutionary act. -- George Orwell




Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Kieran Kunhya via ffmpeg-devel
On Tue, 12 Nov 2024, 21:03 Michael Niedermayer, 
wrote:

> On Tue, Nov 12, 2024 at 05:32:40PM +, Derek Buitenhuis wrote:
> > On 11/12/2024 5:07 PM, James Almer wrote:
> > > I personally don't agree with giving the domain/trademark to the
> general
> > > assembly, as some have argued. It's just not safe at all.
> >
> > Sorry, I didn't necessarily mean giving it to the GA. I mean having it
> in a
> > better state than being held hostage by someone who hasn't been around
> in 20
> > years and only talks to one person.
> >
>
> > It essentially gives that one person the ability to hold the whole
> project hostage.
>
> This statement is true for every case where a person holds a trademark or
> domain
> Its also true for every legal entity holding them, as said legal entity is
> generally
> controlled by one person at some level.
>

It's possible to have entities where no single person is in control.

Most importantly though, if one person is in control, it's documented and
legally required to be on the public record.

Kieran

>


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Michael Niedermayer
On Tue, Nov 12, 2024 at 05:32:40PM +, Derek Buitenhuis wrote:
> On 11/12/2024 5:07 PM, James Almer wrote:
> > I personally don't agree with giving the domain/trademark to the general 
> > assembly, as some have argued. It's just not safe at all.
> 
> Sorry, I didn't necessarily mean giving it to the GA. I mean having it in a
> better state than being held hostage by someone who hasn't been around in 20
> years and only talks to one person.
> 

> It essentially gives that one person the ability to hold the whole project 
> hostage.

This statement is true for every case where a person holds a trademark or domain
It's also true for every legal entity holding them, as said legal entity is
generally controlled by one person at some level.

Thx

[...]
-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The worst form of inequality is to try to make unequal things equal.
-- Aristotle




Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Kyle Swanson
Hi,

Should we consult with someone (a professional) outside of FFmpeg to
assess the situation and provide a set of recommendations? This would
be money well spent IMO.

Thanks,
Kyle


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread compn
On Tue, 12 Nov 2024 16:46:42 +
Derek Buitenhuis  wrote:

> On 11/11/2024 7:34 PM, compn wrote:
> > if your goal is to post old quotes, that's cool.
> 
> Woosh.

the quotes are from michael in 2015 saying elect a new leader. pretty
sure we never elected one.

feel free to start a vote.
 
> > one of my goals is to make sure that certain developers, who made
> > their own project and then ran it into the ground, aren't made as
> > admins again. they had a good run but couldn't even make an
> > announcement that their project had died. the last one out, did not
> > turn out the lights.
> 
> I appreciate you going mask off.
> 
> I don't consider this at all acceptable behavior.

my personal opinion of who can be root in our project is not acceptable
behavior? feel free to explain.

i don't think you were an admin there, i wasn't including you in that
list.

although since you are listed as a member on https://github.com/libav/ ,
and you asked to be root @ ffmpeg, i'm asking you to do an administrative
task and either update that github repo or take the steps to close it down.

i asked you in person at vdd last week if you met the requirements
to administer ffmpeg (which iirc is just bare minimum "do you have 1+
years of server administration experience"), and you declined to
tell me if you met the requirements. which is fine, no one has to tell
me anything.

not answering simple questions in person, and not updating old
github repositories makes me less inclined to vote for you as an
administrator in the future. in my personal opinion.

-compn


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread compn
On Tue, 12 Nov 2024 17:30:57 +
Derek Buitenhuis  wrote:

> On 11/12/2024 5:05 PM, James Almer wrote:
> > This is not true. I have write access to the website, for example,
> > as do others. And Michael cuts releases because he was given the
> > task, not because nobody else can or want. And nobody prevents
> > anyone from just fetching a git tag instead (Distros like Arch do,
> > after all).  
> 
> It is true, he has access to do all of it. Just because others do,
> doesn't mean he can't. I am not saying he *will*, I'm using it as an
> example of the issue.

concern trolling?

you're concerned about one developer adding in a backdoor, so the
solution is to add more developers? if you don't trust the 1 how would
you trust the n+1 or the n-1 ? just because they meet you in person and
watch you eat a bunch of mosquitos at a dinner ? that's your level of
security?

it's fine, i'm just curious.

(you'd think korea would have superior anti-mosquito technology by now)

-compn


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Rémi Denis-Courmont
Hi,

On 12 November 2024 19:07:56 GMT+02:00, James Almer wrote:
>On 11/12/2024 1:58 PM, Derek Buitenhuis wrote:
>> Answers aren't sufficient or complete, and you purposely avoid giving
>> community power over the infrastructure, domains, or trademark. It is
>> solely at your discretion.
>
>I personally don't agree with giving the domain/trademark to the general 
>assembly, as some have argued. It's just not safe at all.

I don't think that Derek meant that literally. The GA is not a legal entity so 
it can't hold a domain name or a trademark in the first place, or for that 
matter physical servers or hosting service contracts. Just like the bank 
account, these things should be held by a non-profit - preferably the same one 
that already has the bank account(s).

I think Derek's point is what the governance should be, not what the legal 
ownership should be.

>I do however think the infrastructure needs clarifications and transparency.
>


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Derek Buitenhuis
On 11/12/2024 5:05 PM, James Almer wrote:
> This is not true. I have write access to the website, for example, as do 
> others. And Michael cuts releases because he was given the task, not 
> because nobody else can or want. And nobody prevents anyone from just 
> fetching a git tag instead (Distros like Arch do, after all).

It is true, he has access to do all of it. Just because others do, doesn't
mean he can't. I am not saying he *will*, I'm using it as an example of
the issue.

> 
> Also, the xz fiasco is precisely what prompted him to write a script to 
> compare the contents of tarballs with their respective git tags, and a 
> patch for the security page on the website. It's on the ML.

Not discoverable, for sure.

- Derek


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Derek Buitenhuis
On 11/12/2024 5:07 PM, James Almer wrote:
> I personally don't agree with giving the domain/trademark to the general 
> assembly, as some have argued. It's just not safe at all.

Sorry, I didn't necessarily mean giving it to the GA. I mean having it in a
better state than being held hostage by someone who hasn't been around in 20
years and only talks to one person.

It essentially gives that one person the ability to hold the whole project 
hostage.

> I do however think the infrastructure needs clarifications and transparency.

[...]

- Derek


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread James Almer

On 11/12/2024 1:58 PM, Derek Buitenhuis wrote:
> Answers aren't sufficient or complete, and you purposely avoid giving community
> power over the infrastructure, domains, or trademark. It is solely at your
> discretion.

I personally don't agree with giving the domain/trademark to the general
assembly, as some have argued. It's just not safe at all.

I do however think the infrastructure needs clarifications and transparency.





Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread James Almer

On 11/12/2024 1:58 PM, Derek Buitenhuis wrote:
> For example, right now, one person (you) has the ability to cut releases, modify
> the website, sign the tarballs, etc. It's all you. I'm sure that's great in your
> mind, as you deem yourself trustworthy. From our end, nothing stops it from
> being xz part 2. There is no way to know the tarballs are un-tampered with,
> other than trusting you.

This is not true. I have write access to the website, for example, as do
others. And Michael cuts releases because he was given the task, not
because nobody else can or wants to. And nobody prevents anyone from just
fetching a git tag instead (Distros like Arch do, after all).

Also, the xz fiasco is precisely what prompted him to write a script to
compare the contents of tarballs with their respective git tags, and a
patch for the security page on the website. It's on the ML.
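The tarball-versus-tag comparison James refers to, as an added example that is not the script posted on the ML or any FFmpeg tooling: it compares the published release tarball with one generated locally from the tag (assumed to be produced with `git archive --prefix=<name>/ <tag>`) and reports files that exist only in the release tarball, only in git, or differ in content, which is the class of discrepancy the xz backdoor hid in. It needs only the Python standard library; the file names and contents used for the self-test are constructed.

```python
"""Compare a release tarball against the tarball `git archive <tag>` produces.

Added example, not the script discussed on the list. Inputs are two
tarballs: the one published for download and one generated locally from the
signed tag (assumed: git archive --format=tar --prefix=NAME/ TAG). Paths are
compared after stripping the top-level prefix directory, so differing prefix
names do not produce spurious differences.
"""
import hashlib
import io
import tarfile


def _digest_members(tar):
    """Map member path (top-level prefix stripped) to the SHA-256 of its
    content. Directories, symlinks and other non-regular members are skipped."""
    out = {}
    for member in tar.getmembers():
        if not member.isfile():
            continue
        path = member.name.split("/", 1)[1] if "/" in member.name else member.name
        data = tar.extractfile(member).read()
        out[path] = hashlib.sha256(data).hexdigest()
    return out


def compare_tarballs(release_bytes, archive_bytes):
    """Return {'only_in_release': [...], 'only_in_git': [...], 'modified': [...]}.

    An empty report means the release tarball carries exactly the tagged tree."""
    with tarfile.open(fileobj=io.BytesIO(release_bytes), mode="r:*") as t:
        release = _digest_members(t)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as t:
        git = _digest_members(t)
    common = set(release) & set(git)
    return {
        "only_in_release": sorted(set(release) - set(git)),
        "only_in_git": sorted(set(git) - set(release)),
        "modified": sorted(p for p in common if release[p] != git[p]),
    }


def make_tarball(prefix, files):
    """Build an in-memory uncompressed tar from {path: bytes}; used here only
    to construct test inputs without touching the filesystem."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # usage: compare_tarball.py RELEASE.tar.xz TAG-ARCHIVE.tar
    with open(sys.argv[1], "rb") as f:
        rel = f.read()
    with open(sys.argv[2], "rb") as f:
        arc = f.read()
    report = compare_tarballs(rel, arc)
    for key, paths in report.items():
        for p in paths:
            print(f"{key}: {p}")
    sys.exit(1 if any(report.values()) else 0)
```

Release tarballs often legitimately carry generated files that are not in git, so the "only in release" list needs a reviewed allowlist before this can gate a release; the point of the check is that every entry in that list has a known explanation, and that nothing in the git tree arrives modified.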






Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Derek Buitenhuis
On 11/11/2024 7:34 PM, compn wrote:
> if your goal is to post old quotes, thats cool.

Woosh.

> one of my goals is to make sure that certain developers, who made their
> own project and then ran it into the ground, aren't made as admins
> again. they had a good run but couldn't even make an
> announcement that their project had died. the last one out, did not
> turn out the lights.

I appreciate you going mask off.

I don't consider this at all acceptable behavior.

- Derek


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-12 Thread Derek Buitenhuis
On 11/11/2024 7:33 PM, Michael Niedermayer wrote:
>> This only convinces me further that this whole setup isn't fit for purpose,
>> and is being run by people who have no concept of actual security. This is
>> totally insane.

Honestly, this is so exhausting and painful, I dread responding. I know you
cannot be convinced, per previous mails.

Probably why most others stay silent on the list but complain in person, lest
they draw the insanity on themselves.

> So "publicly listing every admin's and server owner's (where it's not the
> company) name" is the normal and sane thing and not listing them publicly is
> totally insane ?

Yes.

> Do i understand this correctly?

Doubtful.

> If so, then I am sure that every security related company lists these
> publicly? Likewise the FBI, financial institutions, and so forth.

Strawman.

> These are organisations where security is very important, but none of them
> lists server owners and admins publicly. And I am not even sure what they
> would do if you called them and asked, but they probably would ask you for
> your name, intent and at least internally report this without answering your
> question.

None of these things are community run open source projects, and your
comparisons are nuts.

Even if you don't think they should be publicly known (which I disagree
with), they should be known to the project itself outside of your
Michael-approved cabal.

> But lets go back the original question
> 1. what exact information do you ask for ?

Complete list of infra, where it is hosted, who has what access (physical and 
remote/software).

This is what VideoLAN does. Yes, I know you are paranoid as hell about a
"VideoLAN/j-b takeover", which is... well, others can judge.

> 2. why ?

See previous endless mails and discussion.

> 3. what do you intend to do with this information ?

This info is pertinent for a lot of security and stability reasons.

For example, right now, one person (you) has the ability to cut releases, modify
the website, sign the tarballs, etc. It's all you. I'm sure that's great in your
mind, as you deem yourself trustworthy. From our end, nothing stops it from
being xz part 2. There is no way to know the tarballs are un-tampered with,
other than trusting you.

I'm sure this makes perfect sense if you agree with the whole "michael, as a
person nobody has ever met, and nobody agreed to give absolute power, is
trustworthy and infallible" thing, but I sure don't. It's a fiefdom that you rule.

> 4. The names of the developers providing the infra have been provided before, 
> did you look through past discussion?

The list is not complete even back then, and it was not documented since.

> 5. Do you ask these questions to every project or just FFmpeg ?
>(i have been told these questions only happen toward FFmpeg, can you
>explain why ?)

Every serious and large open source project has this responsibility. We're not
some rag tag show, we're a project used by every big company on Earth.

> Last years i tried to simply answer all the questions, but that didn't make
> anyone happy. I must be missing something.

Answers aren't sufficient or complete, and you purposely avoid giving community
power over the infrastructure, domains, or trademark. It is solely at your
discretion.

> I mean we can go through the whole again if people want but I really
> think most developers would prefer to work on the code and project instead.

Yes, I suppose you're banking on the silence == complicity aspect of this.

- Derek


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-11 Thread compn
On Mon, 11 Nov 2024 18:17:11 +
Kieran Kunhya via ffmpeg-devel  wrote:

> On Mon, Nov 11, 2024 at 5:31 PM compn  wrote:
> >
> > what is your goal?
> >
> > thanks
> > -compn  
> 
> Here are some quotes presented without comment:

if your goal is to post old quotes, that's cool.

one of my goals is to make sure that certain developers, who made their
own project and then ran it into the ground, aren't made as admins
again. they had a good run but couldn't even make an
announcement that their project had died. the last one out, did not
turn out the lights.

that to me is insane. that project was community run, with absolute
voting made on every decision. what went wrong there? all i see is
Kieran's last mail https://www.mail-archive.com/libav-devel@libav.org/msg85112.html
and the community-run github has not been updated to say its status
either https://github.com/libav/libav

that's why i'm asking you and derek what your goals are. is your goal to
turn ffmpeg into a community-run admin with lots of voting? well
didn't that other project (that shall not be named) do exactly that? and
what happened to them? it's gone? gone. dead.

how do you keep a community-run project going if there is no paid
organization behind it? and who turns out the lights at the end?

i think that would be a good goal for derek and the
others here to do. figure out how to turn off the old
github https://github.com/libav/libav . turn out the lights.

greets
-compn


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-11 Thread Michael Niedermayer
Hi

On Mon, Nov 11, 2024 at 05:00:42PM +, Derek Buitenhuis wrote:
> On 11/11/2024 4:42 PM, Michael Niedermayer wrote:
> > Publicly listing which developer provides which part of the DNS infra
> > makes it easier to attack not harder.
> > That said, i suspect who provides what was mentioned in the past already
> 
> It is already publically available info to anyone who can look up an IP.

Then what is this discussion about? (If all peoples names can be found easily)


> 
> > If an attacker doesn't know who provides a server then the attacker can only
> > attack the server directly via its name and IP.
> > If an attacker knows who owns the server then he can perform a wide
> > range of additional attacks. For example
> > Impersonating that developer towards the server hoster, or if the attacker
> > can figure out the phone number of the developer then SIM swapping becomes
> > possible. From that various other accounts can then be taken over and
> > Once an attacker is in control of phone and email of someone further
> > account compromises become increasingly easy.
> > 
> > I do not think we would be doing FFmpeg a service or improve security
> > by listing everyones names in a public file. Even if most of this
> > probably was said publically already, having it in one single place
> > makes it even easier for an attacker
> 
> This only convinces me further that this whole setup isn't fit for purpose,
> and is being run by people who have no concept of actual security. This is
> totally insane.

So "publicly listing every admin's and server owner's (where it's not the
company) name" is the normal and sane thing and not listing them publicly is
totally insane ?

Do i understand this correctly?

If so, then I am sure that every security related company lists these publicly?
Likewise the FBI, financial institutions, and so forth.

These are organisations where security is very important, but none of them
lists server owners and admins publicly. And I am not even sure what they
would do if you called them and asked, but they probably would ask you for
your name, intent and at least internally report this without answering your
question.

But let's go back to the original question
1. what exact information do you ask for ?
2. why ?
3. what do you intend to do with this information ?
4. The names of the developers providing the infra have been provided before, 
did you look through past discussion?
5. Do you ask these questions to every project or just FFmpeg ?
   (i have been told these questions only happen toward FFmpeg, can you
   explain why ?)

Last years i tried to simply answer all the questions, but that didn't make
anyone happy. I must be missing something.

I mean we can go through the whole again if people want but I really
think most developers would prefer to work on the code and project instead.

thx

[...]
-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundred thousand in war. Let country fall into chaos,
be surprised about rise of fundamentalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued




Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-11 Thread Kieran Kunhya via ffmpeg-devel
On Mon, Nov 11, 2024 at 5:31 PM compn  wrote:
>
> On Mon, 11 Nov 2024 17:00:42 +
> Derek Buitenhuis  wrote:
>
> > This only convinces me further that this whole setup isn't fit for
> > purpose, and is being run by people who have no concept of actual
> > security. This is totally insane.
>
> I think it would be wiser to point to other administration of other
> projects, especially ones that list infrastructure in some public
> facing document.
>
> rather than
>
> 1. asking for a list of developers with write access
> 2. asking for a list of admins
> 3. when finding some unused developer or admin account, call the whole
> thing insane and blame the current admin
> 4. point at the lack of x, y and z as evidence the current admin is bad
>
> if your goal is to change ffmpeg admins, then just say so.
>
> if your goal is to take maintaining of ffservers so that michael can
> focus on code instead of admin, then just say that.
>
> if your goal is to have the GA run things, then why not have the GA
> vote on the plans to run ffmpeg? the GA can vote on admins, they can
> vote on how to fund the server, they can vote on if they want bulgaria
> to host ffmpeg, they can vote on all of these things and prepare what
> the GA wants into a plan. and then the GA can present the plan and vote
> yay or nay on the plan.
>
> i tried to ask the developers at vdd about this in the meeting but it's
> possible that i didn't phrase it correctly. i apologize for that. i
> asked jb and jb said that videolan is one group that can host ffmpeg,
> at least. so thats an option for the GA to consider, should they not
> like our bulgarian host.
>
> if your goal is to endlessly argue, well that's ok too.
>
> what is your goal?
>
> thanks
> -compn

Here are some quotes presented without comment:

"FFmpeg belongs to the FFmpeg developers and the FFmpeg community!"

"what about root, git admin roles, ...?
Well I am happy to pass them on to whoever the community chooses and
trusts. But please be very careful who you choose!
until someone else is chosen i can continue doing the basic things
like security updates and opening git accounts, aka there's no urgency
in choosing someone, rather please choose wise than quick."

"FFmpeg is yours, that is everyone's. try your best to
make FFmpeg be the best.
Post patches, review patches, apply patches, discuss code and design.
Report bugs, bisect, debug and fix bugs, add features, help users.
Do friendly merges, and if you like do hostile merges.
It's all up to you now!"

Regards,
Kieran


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-11 Thread compn
On Mon, 11 Nov 2024 17:00:42 +
Derek Buitenhuis  wrote:

> This only convinces me further that this whole setup isn't fit for
> purpose, and is being run by people who have no concept of actual
> security. This is totally insane.

I think it would be wiser to point to other administration of other
projects, especially ones that list infrastructure in some public
facing document.

rather than 

1. asking for a list of developers with write access
2. asking for a list of admins
3. when finding some unused developer or admin account, call the whole
thing insane and blame the current admin
4. point at the lack of x, y and z as evidence the current admin is bad

if your goal is to change ffmpeg admins, then just say so.

if your goal is to take maintaining of ffservers so that michael can
focus on code instead of admin, then just say that.

if your goal is to have the GA run things, then why not have the GA
vote on the plans to run ffmpeg? the GA can vote on admins, they can
vote on how to fund the server, they can vote on if they want bulgaria
to host ffmpeg, they can vote on all of these things and prepare what
the GA wants into a plan. and then the GA can present the plan and vote
yay or nay on the plan.

i tried to ask the developers at vdd about this in the meeting but it's
possible that i didn't phrase it correctly. i apologize for that. i
asked jb and jb said that videolan is one group that can host ffmpeg,
at least. so thats an option for the GA to consider, should they not
like our bulgarian host.

if your goal is to endlessly argue, well that's ok too.

what is your goal?

thanks
-compn


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-11 Thread Derek Buitenhuis
On 11/11/2024 4:42 PM, Michael Niedermayer wrote:
> Publicly listing which developer provides which part of the DNS infra
> makes it easier to attack not harder.
> That said, i suspect who provides what was mentioned in the past already

It is already publicly available info to anyone who can look up an IP.

> If an attacker doesn't know who provides a server then the attacker can only
> attack the server directly via its name and IP.
> If an attacker knows who owns the server then he can perform a wide
> range of additional attacks. For example
> Impersonating that developer towards the server hoster, or if the attacker
> can figure out the phone number of the developer then SIM swapping becomes
> possible. From that various other accounts can then be taken over and
> Once an attacker is in control of phone and email of someone further
> account compromises become increasingly easy.
> 
> I do not think we would be doing FFmpeg a service or improve security
> by listing everyone's names in a public file. Even if most of this
> probably was said publicly already, having it in one single place
> makes it even easier for an attacker

This only convinces me further that this whole setup isn't fit for purpose,
and is being run by people who have no concept of actual security. This is
totally insane.

- Derek


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-11 Thread Rémi Denis-Courmont


On 11 November 2024 18:42:37 GMT+02:00, Michael Niedermayer wrote:
>On Mon, Nov 11, 2024 at 10:02:27AM +, Derek Buitenhuis wrote:
>> On 11/10/2024 2:59 PM, Michael Niedermayer wrote:
>> > Its there since a long time:
>> > https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/HEAD:/doc/infra.txt
>> 
>> [...]
>> 
>> > If something is missing, its not going to improve on its own.
>> > Someone will have to say _what_ is missing and work toward filling it in.
>> 
>> Pretty hard to list infra you don't know exists.
>> 
>> For example, I only recently noticed ffmpeg.org goes through avcodec.org DNS:
>> 
>> ns1.avcodec.org - telepoint.bg
>> ns2.avcodec.org - KIFU (Government Info Tech Development Agency)
>> ns3.avcodec.org - CDLAN SpA
>> 
>> Who owns avcodec.org? Who runs these DNS servers? Who has access? Who has 
>> contacts?
>> 
>> It's a supply chain attack risk - you could hijack ffmpeg.org per IP or Geo.
>
>Publicly listing which developer provides which part of the DNS infra
>makes it easier to attack not harder.

That's a pretty pathetic excuse, TBH. All it does is make it harder to find whom 
to contact about whatever issue, and whose stale credentials to purge from what 
service.

It also removes accountability, which is pretty much never a good thing overall.

And lastly, if the security of a piece of infrastructure is contingent on not 
knowing who has access to it, then that's a major problem of its own anyway.


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-11 Thread Michael Niedermayer
On Mon, Nov 11, 2024 at 10:02:27AM +, Derek Buitenhuis wrote:
> On 11/10/2024 2:59 PM, Michael Niedermayer wrote:
> > Its there since a long time:
> > https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/HEAD:/doc/infra.txt
> 
> [...]
> 
> > If something is missing, its not going to improve on its own.
> > Someone will have to say _what_ is missing and work toward filling it in.
> 
> Pretty hard to list infra you don't know exists.
> 
> For example, I only recently noticed ffmpeg.org goes through avcodec.org DNS:
> 
> ns1.avcodec.org - telepoint.bg
> ns2.avcodec.org - KIFU (Government Info Tech Development Agency)
> ns3.avcodec.org - CDLAN SpA
> 
> Who owns avcodec.org? Who runs these DNS servers? Who has access? Who has 
> contacts?
> 
> It's a supply chain attack risk - you could hijack ffmpeg.org per IP or Geo.

Publicly listing which developer provides which part of the DNS infra
makes it easier to attack not harder.
That said, i suspect who provides what was mentioned in the past already

If an attacker doesn't know who provides a server then the attacker can only
attack the server directly via its name and IP.
If an attacker knows who owns the server then he can perform a wide
range of additional attacks. For example
Impersonating that developer towards the server hoster, or if the attacker
can figure out the phone number of the developer then SIM swapping becomes
possible. From that various other accounts can then be taken over and
Once an attacker is in control of phone and email of someone further
account compromises become increasingly easy.

I do not think we would be doing FFmpeg a service or improve security
by listing everyone's names in a public file. Even if most of this
probably was said publicly already, having it in one single place
makes it even easier for an attacker

thx

[...]
-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin




Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-11 Thread Derek Buitenhuis
On 11/10/2024 2:59 PM, Michael Niedermayer wrote:
> Its there since a long time:
> https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/HEAD:/doc/infra.txt

[...]

> If something is missing, its not going to improve on its own.
> Someone will have to say _what_ is missing and work toward filling it in.

Pretty hard to list infra you don't know exists.

For example, I only recently noticed ffmpeg.org goes through avcodec.org DNS:

ns1.avcodec.org - telepoint.bg
ns2.avcodec.org - KIFU (Government Info Tech Development Agency)
ns3.avcodec.org - CDLAN SpA

Who owns avcodec.org? Who runs these DNS servers? Who has access? Who has 
contacts?

It's a supply chain attack risk - you could hijack ffmpeg.org per IP or Geo.

And this is just one example.

- Derek


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-10 Thread Michael Niedermayer
Hi all

On Sat, Nov 09, 2024 at 05:18:08PM +0100, Michael Niedermayer wrote:
> Hi all
> 
> Should we disable git accounts for developers who have not been active for
> a long time (like 10 years) ?
> 
> (if these developers come back, the account would then be enabled again)
> but disabling such accounts may improve security (lots of "if" here but
> assuming they lose their key, assuming whoever gets hold of the key
> has interest and ability to attack ffmpeg and and and, the risk here
> is likely low but not 0)

I count currently 127 people with git write access;
the above suggestion would disable around 33 accounts.

I cannot show the list because of GDPR
but the remaining 127-33 accounts are on this list:
git log --since 10.years --first-parent --pretty=fuller | grep '^Commit:' | sort | uniq

Note that the above command will not produce a clean list. It requires manual
cleanup, "Commit:" is just a text field and not everything that's in that field
has or had a write account. But I cannot post people's names or email addresses

If i hear no one objecting to this (and there are already multiple people
in favor) then i will disable the 33 accounts in a few days

Thx

[...]

-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are too smart to engage in politics are punished by being
governed by those who are dumber. -- Plato 
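The git command in the mail above lists the committers seen in the last ten years; the complementary question for the cleanup is which accounts with write access do not appear in that output at all, or last appear before the cutoff. The following is an added example, not FFmpeg's own tooling: it parses `git log --first-parent --pretty=fuller` output (taken without `--since`, so that every committer's last activity date is visible), keeps the most recent `CommitDate:` per `Commit:` identity, and compares that against a list of authorized accounts. The account list and the log lines are constructed with placeholder addresses; on a real server the account list would come from the git hosting configuration, and, as the mail notes, the `Commit:` field is free text and still needs manual cleanup.

```python
"""Flag git accounts with no commits in the last N years.

Added example, not FFmpeg's own tooling. Parses `git log --pretty=fuller`
output and reports authorized accounts (a constructed list here) whose last
"CommitDate:" is older than the cutoff or that never appear in the log.
"""
import re
from datetime import datetime, timedelta, timezone

COMMIT_RE = re.compile(r"^Commit:\s+.*<([^>]+)>")
COMMITDATE_RE = re.compile(r"^CommitDate:\s+(.+)$")
GIT_DATE_FMT = "%a %b %d %H:%M:%S %Y %z"  # git's default date format


def last_commit_dates(log_text):
    """Return {committer email: most recent CommitDate} from --pretty=fuller output.

    Emails are lowercased but otherwise taken as written, since "Commit:" is a
    free-text field; odd identities need manual review before acting on them."""
    latest = {}
    email = None
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            email = m.group(1).strip().lower()
            continue
        m = COMMITDATE_RE.match(line)
        if m and email is not None:
            when = datetime.strptime(m.group(1).strip(), GIT_DATE_FMT)
            if email not in latest or when > latest[email]:
                latest[email] = when
            email = None
    return latest


def dormant_accounts(accounts, log_text, now, years=10):
    """Accounts whose last commit is older than `years` before `now`, plus
    accounts that never committed at all. `now` must be timezone-aware."""
    cutoff = now - timedelta(days=365.25 * years)
    latest = last_commit_dates(log_text)
    dormant = []
    for acct in accounts:
        when = latest.get(acct.lower())
        if when is None or when < cutoff:
            dormant.append(acct)
    return sorted(dormant)


# Constructed sample log (three commits, two committers); not real FFmpeg history.
SAMPLE_LOG = """\
commit 0000000000000000000000000000000000000001
Author:     Alice Example <alice@example.invalid>
AuthorDate: Sat Nov 9 17:18:08 2024 +0100
Commit:     Alice Example <alice@example.invalid>
CommitDate: Sat Nov 9 17:18:08 2024 +0100

    lavc: constructed sample commit

commit 0000000000000000000000000000000000000002
Author:     Bob Example <bob@example.invalid>
AuthorDate: Tue Mar 5 10:00:00 2013 +0000
Commit:     Bob Example <bob@example.invalid>
CommitDate: Tue Mar 5 10:00:00 2013 +0000

    lavf: constructed sample commit

commit 0000000000000000000000000000000000000003
Author:     Alice Example <alice@example.invalid>
AuthorDate: Mon Jan 2 08:00:00 2012 +0100
Commit:     Alice Example <alice@example.invalid>
CommitDate: Mon Jan 2 08:00:00 2012 +0100

    build: constructed sample commit
"""

# Constructed list of accounts with write access (placeholder addresses).
SAMPLE_ACCOUNTS = ["alice@example.invalid", "bob@example.invalid", "carol@example.invalid"]

if __name__ == "__main__":
    # usage: git log --first-parent --pretty=fuller | python dormant.py
    import sys
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for acct in dormant_accounts(SAMPLE_ACCOUNTS, log, datetime.now(timezone.utc)):
        print("dormant:", acct)
```

Accounts that never show up in `Commit:` at all are the interesting edge case: they are exactly the ones a `--since`-filtered listing of active committers can never surface, so they are reported alongside the stale ones.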




Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-10 Thread Michael Niedermayer
On Sun, Nov 10, 2024 at 02:42:18PM +, Derek Buitenhuis wrote:
> On 11/9/2024 6:04 PM, Rémi Denis-Courmont wrote:
> > What most people are concerned about right now is the incomplete
> > documentation of any and all credentials - not just git write access - and
> > more generally the lack of transparency. Once that is sorted out, we can
> > start arguing about what should be revoked.
> 
> +1
> 
> Not just an incomplete list of credentials, but I don't think we even have a
> complete list of what infra exists within the project.

It's been there for a long time:
https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/HEAD:/doc/infra.txt

If something is missing, it's not going to improve on its own.
Someone will have to say _what_ is missing and work toward filling it in.

thx

[...]

-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Some people wanted to paint the bikeshed green, some blue and some pink.
People argued and fought, when they finally agreed, only rust was left.




Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-10 Thread Derek Buitenhuis
On 11/9/2024 6:04 PM, Rémi Denis-Courmont wrote:
> What most people are concerned about right now is the incomplete documentation
> of any and all credentials - not just git write access - and more generally
> the lack of transparency. Once that is sorted out, we can start arguing about
> what should be revoked.

+1

Not just an incomplete list of credentials, but I don't think we even have a
complete list of what infra exists within the project.

- Derek


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-09 Thread myp...@gmail.com
On Sun, Nov 10, 2024 at 12:18 AM Michael Niedermayer
 wrote:
>
> Hi all
>
> Should we disable git accounts for developers who have not been active for
> a long time (like 10 years) ?
>
> (if these developers come back, the account would then be enabled again)
> but disabling such accounts may improve security (lots of "if" here but
> assuming they lose their key, assuming whoever gets hold of the key
> has interest and ability to attack ffmpeg and and and, the risk here
> is likely low but not 0)
>
> thx
>
I agree with this operation


Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-09 Thread Rémi Denis-Courmont
On Saturday, 9 November 2024 at 18:18:08 EET, Michael Niedermayer wrote:
> Hi all
> 
> Should we disable git accounts for developers who have not been active for
> a long time (like 10 years) ?

Yes but git is probably the least dangerous of credentials to keep stale. A 
backdoor getting pushed with a stale and stolen SSH private key would be 
noticed and rectified in no time.

What most people are concerned about right now is the incomplete documentation 
of any and all credentials - not just git write access - and more generally 
the lack of transparency. Once that is sorted out, we can start arguing about 
what should be revoked.

-- 
雷米‧德尼-库尔蒙
http://www.remlab.net/





Re: [FFmpeg-devel] [RFC] dormant git accounts

2024-11-09 Thread James Almer

On 11/9/2024 1:18 PM, Michael Niedermayer wrote:
> Hi all
> 
> Should we disable git accounts for developers who have not been active for
> a long time (like 10 years) ?
> 
> (if these developers come back, the account would then be enabled again)
> but disabling such accounts may improve security (lots of "if" here but
> assuming they lose their key, assuming whoever gets hold of the key
> has interest and ability to attack ffmpeg and and and, the risk here
> is likely low but not 0)

Yes.


