2009/8/2 Marco Schuster marco@harddisk.is-a-geek.org:
Really? If they simply don't publish the source (and the binaries), then the only possible way for an attacker is fuzzing... and that can take a long time.
I believe they use ffmpeg, like everyone does. The ffmpeg code has had people kicking it for quite a while. Transcoding as a given Unix user with not many powers is reasonable isolation.
- d.