[EricV]

@jjd-uk

I see zero positive contribution from you to this thread either.

[FernetMenta]

Note that one of the first things I intend to do after 13.0 release is to upgrade ffmpeg. Means to move it to depends which allows pulling a dedicated version directly from ffmpeg repo.

[davilla]

This thread is just silly, there are no known FFMpeg exploits in the the wild, crackers/hackers have much better targets.

All the critical security fixes were from Google fuzzing FFMpeg. For those unfamiliar with the term 'fuzzing', it means shoving crap where it don't belong Buffer overflows, etc. Now this has made FFMpeg more robust and less crashy™ which is good but really, just who cares... ?

[Martijn]

[EricV]

Note that one of the first things I intend to do after 13.0 release is to upgrade ffmpeg. Means to move it to depends which allows pulling a dedicated version directly from ffmpeg repo.

On more post and I shut up.

@FernetMenta
My problem is not the code being located inside ffmpeg or pulled from ffmpeg git with a particular revision with your own set of patch applied on top of it. My problem is the frequency in which you change the git target revision and how you make sure the patch set size decrease over time. If you do it immediately after gotham but do not change for twelve months, the story will be identical for next release.

@davilla
I know what fuzzing is. Its a technic to discover various pre-existing bugs that may be leveraged by attackers that would kraft their own malformed file to triggers it. Attack via photo browsing, malformated flash do exist for real. We have seen some.

[un1versal]

Pike said it best http://forum.xbmc.org/showthread.php?tid...pid1573045 shame one cant quote a post from a closed thread though I see why you cant.

But I like the old adage "A picture is worth a thousand words"... and feeling a bit like Martinjn above....

[davilla]

Sure, I've seen some too and it's the primary way that iOS jailbreaks are discovered.

My point is, I can craft a malicious h264 that can crash FFMpeg doing very obscure operations that unless you understand h264, you will not have a clue what is going on . Is this a real security issue or just a pain in the ass issue ?

[Ned Scott]

EricV, you have a few valid points, but they're all blown away by acting like a jackass. I'm not saying this to insult you, I'm saying this to help you. Your big stinkfest is a major reason they're considering disabling the option to compile with external ffmpeg. Yes, there have been other users and issues of "chasing ghosts" and such, but you are the big huge straw that is beating the horse to death.

The worse thing you can possibly do is push this issue. It doesn't mean you are right or wrong, it doesn't mean Team XBMC devs are right or wrong, it just means people are frustrated at your actions, and it just needs to stop. Please, please, let it stop.

[Martijn]

During the past months we had quite a lot issue reports related to external ffmpeg/libav. Those team members who do Linux support have decided to kill the switch for the time being.

The over all Team is undecided on that issue, however.

But the Linux guys need to maintain it and those should have final say on that. They have the support burden with all those distros out there

[Ned Scott]

During the past months we had quite a lot issue reports related to external ffmpeg/libav. Those team members who do Linux support have decided to kill the switch for the time being.

The over all Team is undecided on that issue, however.

But the Linux guys need to maintain it and those should have final say on that. They have the support burden with all those distros out there

I'm not going to let you pull me into an argument in public. What I said is a simply a matter of fact. The Team is divided on this and still discussing it.

[Martijn]

sure, sure

[EricV]

sure, sure

Just for everyone to know, as a result of this discussion and the comment I made on the original pull request, I noticed I have been banned from github without being officially told. This is a rather poor way of trying to make things progress and is just making me eager to publicly warn people about unfixed security problems when gotham will be released.

In addition, banning a github account from a project is useless as I can create how many aliases for mail and github account I want.

[fritsch]

Okay, that sounds sane. Let's start to make a banner. Cause a banner tells more than 10K words.

[FernetMenta]

Eric, this is not correct. You can post your opinion here on the forum and nobody will ban you for doing this. Github is a different story because every team member gets an email after you have left a comment. We use Github for discussion on code only.

Please note the posts here on the form have much more visibility to the public than Gihub code discussions. Posting on Github you only reach team XBMC.

[EricV]

Eric, this is not correct. You can post your opinion here on the forum and nobody will ban you for doing this. Github is a different story because every team member gets an email after you have left a comment. We use Github for discussion on code only.

Please note the posts here on the form have much more visibility to the public than Gihub code discussions. Posting on Github you only reach team XBMC.

Right, however this has been done quite some time after the original post I guess. Do you find the comment I intended to post and posted via another account usefull or useless? The code for fixing the popen problem should have been still on trac (but I can't manage to find it as the "get bug report I submitted" only reports garbage proably the original database has been partialy lost) as and like you I do no really care as I do not use it anymore. It was only for helping because I did some work on it like you did but found that as nvidia fixed the drivers it was no more necessary.