Looking at the source it appears that the downloader is pulling the ffmpeg binary from a few different disparate locations. What work goes into ensuring that those locations remain stable and safe? I'm not super thrilled with the idea that any one of those sites could be compromised and start distributing malware to users of the program.
There's also the potential for version compatibility issues based on differing update timings and so on.
Would it be possible for safe, vetted versions of the binaries to be distributed within the pyffmpeg package wheels instead, or at least for the package maintainer to maintain some basic static file hosting or use the GitHub releases mechanism to distribute the binaries?
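One way to reduce the exposure described above while a downloader still pulls from several mirrors: pin the SHA-256 of each released binary inside the package and refuse to install anything whose digest does not match, whichever host served it. The following is an added example, not pyffmpeg's own code; the mirror URLs, the sample payload and the `fetch` callback are constructed assumptions so it runs offline.

```python
"""Pinned-digest verification for a multi-mirror binary download.

Added illustration, not code from pyffmpeg. The mirror list, the sample
payload and the offline fetch stand-in are all constructed for this example.
"""
import hashlib
import hmac
from typing import Callable, Dict, Iterable

# Constructed sample: stands in for the archive a mirror would serve.
SAMPLE_PAYLOAD = b"\x7fELF fake ffmpeg binary for illustration only\n"

# In a real package this digest is computed at release time and committed
# alongside the downloader; here it is derived from the sample so the
# example is self-contained.
PINNED_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()

# Hypothetical mirrors (not pyffmpeg's real download locations).
MIRRORS = [
    "https://mirror-a.example/ffmpeg.tar.xz",
    "https://mirror-b.example/ffmpeg.tar.xz",
]


class DigestMismatch(Exception):
    """Raised when no mirror served bytes matching the pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def fetch_verified(mirrors: Iterable[str], expected_hex: str,
                   fetch: Callable[[str], bytes]) -> bytes:
    """Try each mirror in turn and return its bytes only if the digest matches.

    A mirror that errors or serves different bytes is recorded and skipped;
    nothing unverified is ever returned to the caller for installation.
    """
    failures: Dict[str, str] = {}
    for url in mirrors:
        try:
            data = fetch(url)
        except Exception as exc:  # network errors, HTTP errors, etc.
            failures[url] = f"fetch error: {exc}"
            continue
        if verify_digest(data, expected_hex):
            return data
        failures[url] = f"digest mismatch: got {sha256_hex(data)[:16]}..."
    raise DigestMismatch(failures)


def _offline_fetch(url: str) -> bytes:
    # Stand-in for urllib.request.urlopen(url).read(). To show the check
    # working, the first constructed mirror returns altered bytes and the
    # second returns the expected payload.
    if url.startswith("https://mirror-a"):
        return SAMPLE_PAYLOAD + b"\x00altered"
    return SAMPLE_PAYLOAD


if __name__ == "__main__":
    blob = fetch_verified(MIRRORS, PINNED_SHA256, _offline_fetch)
    print(f"verified {len(blob)} bytes against pinned digest {PINNED_SHA256[:16]}...")
```

The digest list, not the mirror list, becomes the trust anchor: a compromised or out-of-date host can only cause a download failure, not a silent install, and the mismatch message names which host served unexpected bytes so it can be investigated.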
It's good to know that these are officially-blessed sources, but that still doesn't really address the underlying concerns. Supply-chain attacks are getting increasingly common in open source these days.
Well then I guess we can make it a milestone and hope that one day we will be building our own binaries from source. I will create an issue and a milestone for it.