Security
Security of released binaries
Binaries published in the Releases section of GitHub are the output of a build process that is fully visible, prevents hidden changes or external interference in published artifacts, and allows validation by third parties:
During every release, the Release workflow is triggered on GitHub.
The release workflow pulls the source code and builds binaries.
The release workflow computes SHA256 checksums of binaries and publishes them to a public blockchain (Sigstore Public Good Instance) through GitHub Attestations.
Checksums and binaries are published on the Release page.
Binaries can be downloaded by users.
It is possible to verify that the SHA256 checksums of the binaries correspond to those published on Sigstore by running (this uses the GitHub CLI, gh):

    ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

It is possible to verify that binaries have not been altered during transfer from GitHub to the final destination by downloading checksums.sha256 and running:

    cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check
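As an added example, not part of the MediaMTX documentation or project, the following POSIX shell script performs the same checksums.sha256 comparison as the command above, but selects entries by exact file name rather than by a grep pattern, and returns a non-zero exit status when a file has no entry in the checksum list or has been modified. The function names (verify_checksums, demo_verify) and the file names and contents created inside demo_verify are constructed for this demonstration and do not correspond to real release artifacts.

```shell
#!/bin/sh
# Added example, not part of the MediaMTX project: verify downloaded release
# binaries against checksums.sha256 using exact file-name matching.
# Function names (verify_checksums, demo_verify) and all sample files are
# constructed for this demonstration.

# verify_checksums <checksums file> <binary>...
# For each binary, picks the matching "<sha256>  <name>" line from the
# checksums file and hands it to sha256sum --check. Returns non-zero if any
# file has no entry or its checksum does not match.
verify_checksums() {
    sums="$1"; shift
    status=0
    for f in "$@"; do
        # awk splits on whitespace, so $2 is the file name; compare it exactly
        # instead of interpreting the name as a regular expression.
        line=$(awk -v name="$f" '$2 == name' "$sums")
        if [ -z "$line" ]; then
            echo "$f: no entry in $sums"
            status=1
            continue
        fi
        # sha256sum --check reads the selected line from stdin and recomputes
        # the digest of the file named in it; --status suppresses its output.
        if printf '%s\n' "$line" | sha256sum --check --status; then
            echo "$f: OK"
        else
            echo "$f: FAILED"
            status=1
        fi
    done
    return $status
}

# demo_verify: runs in a subshell inside a scratch directory. Creates two
# constructed "release binaries" and a matching checksums.sha256, verifies
# them, then appends a byte to one file and verifies again.
# Returns 0 only if the intact set passes and the altered set fails.
demo_verify() (
    work=$(mktemp -d) || exit 2
    cd "$work" || exit 2
    printf 'constructed linux build\n' > mediamtx_v0_linux_amd64.tar.gz
    printf 'constructed windows build\n' > mediamtx_v0_windows_amd64.zip
    sha256sum mediamtx_* > checksums.sha256

    # Intact downloads must pass.
    verify_checksums checksums.sha256 mediamtx_* || exit 1
    # Simulate a download altered in transit: one byte appended.
    printf 'x' >> mediamtx_v0_windows_amd64.zip
    if verify_checksums checksums.sha256 mediamtx_*; then
        echo "alteration not detected"
        exit 1
    fi
    echo "alteration detected"
    rm -rf "$work"
)
```

Running demo_verify shows both outcomes (every file OK, then one FAILED after the simulated alteration). In a real download directory the equivalent call is verify_checksums checksums.sha256 mediamtx_*, run after the gh attestation step, since the checksum file itself is only trustworthy once the attestation has been verified.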
Reporting vulnerabilities

Vulnerabilities can be reported privately by using the Security Advisory feature of GitHub.