…he had to keep explaining to his bosses that “They are not a vendor, there is no NDA, we have no leverage, your VP has refused to help fund them, and they could kill three major product lines tomorrow with an email.
(Emphasis mine)
Just chef’s kiss, I love it.
Also, seems like a good time for one of my favorite relevant XKCD’s.
Seriously. They sent in a bug from a LucasArts game using a codec nobody uses anymore. You think that YouTube, Netflix, Instagram, anything with video, etc. would be a little more thankful considering their business is based on using FOSS codecs.
Corpos are all parasites
Corporate welfare for them, austerity for you. Tax cuts for them, sorry not enough to fund social security we’ll have to raise retirement age or cut benefits.
Twitter must be the worst platform to hold discussions on ever conceived, even before it turned into a fascist echo chamber.
Microblogging has always sucked IMO. It’s always been more geared towards shouting your opinion and leaving, and it actively discourages any discussion by hiding reply threads and making it a nightmare to follow. Most people aren’t ready for this take, though…
Bluesky has reply threads, but in general I agree
The whole idea behind Twitter (character limits etc.) was obviously a bad idea from the moment texting became obsolete thanks to IM services.
You mean because Twitter is an SMS-based messaging app?.. The character limits are arbitrary, not a technical limitation. Which is why they doubled them at one point, I believe.
The limits were meant to act as a micro-blogging enforcement measure, for micro attention spans.
Actually, no, the initial limit was precisely because of SMS character limits - Twitter in the first few years had an SMS gateway where you could send a text and it would be posted under your account.
Obviously later on it was an arbitrarily kept limit, but the limit itself, even doubled, makes it a horrible platform for any kind of debate.
I see… TIL, thanks.
That’s like saying that a battleaxe is too unwieldy for cooking. Yes you are correct, but why the hell are you using a battleaxe for cooking?
Use the right tools for the right job.
I think that’s exactly what he’s saying.
Many in the FFmpeg community argue, with reason, that it is unreasonable for a trillion-dollar corporation like Google, which heavily relies on FFmpeg in its products, to shift the workload of fixing vulnerabilities to unpaid volunteers.
Google may once have felt an obligation to support the open source software they rely on, but that day’s long gone. They have become nothing more than a skeleton of distilled capitalism, shedding any pretense of being of benefit to society along with their “Don’t be evil” motto.
Google’s behavior makes perfect sense with the understanding that every single move, no matter how small, is only about generating more revenue.
Why would Google fund Final Fantasy mpreg writers?
Because its the only one that supports rendering the opening cutscene from a decades old lucas arts game.
You gotta diversify if you want to survive today’s market.
Well they didn’t have luck with the cloud with Stadia, so I guess they decided to try Cloud instead
Capitalism strikes again
They’re bug reports: no one needs to fix them. This problem is solved easily enough by letting the chips fall.
If companies want them fixed badly enough, they can send bug fixes, which is much cheaper than the alternative (paying more engineers to develop & maintain non-open alternatives). Those companies have at least as much interest as anyone to keep that software maintained & secure.
The position of the FFmpeg X account is that somehow disclosing vulnerabilities is a bad thing.
The truth is never a bad thing. They don’t need to care. A bug is a bug: better to know than not.
Security vulnerabilities are different, especially when they also put a 90 day disclosure period in it which is more severe for a security exploit.
That disclosure bit, not in the article, is really what tipped this all over the edge. If it was just hey, here’s a bug then its really just flooding the backlog for the maintainers who need to triage that. Disclosures are often used so people are aware that they’re using libraries that the maintainer has refused to patch, but in this case its really just holding the maintainers hostage so they end up wasting their time going through irrelevant issues.
Also, many of these libraries get security audits to make sure they are actually triaging and working through their backlogs, so could lose actual funding they get.
Ideally, they would either use their supposedly capable and powerful AI code gen to just make a fix and send over a patch, or at least use LLMs on their own end to triage the issues and only send over the most sever X periodically.
Security vulnerabilities are different
No, it’s still open source work, completely voluntary in the free world.
Disclosures are often used so people are aware that they’re using libraries that the maintainer has refused to patch
No, they merely tell reality: an unresolved security issue was found. How anyone handles that is their business. There is no inherent duty.
People who would rather write a fix than write & maintain their own daunting library will send a fix.
could lose actual funding they get
If someone’s getting paid, and it’s not worth the work, then that is also their business. It’s still open source. If the solution saves more effort than doing it yourself, then the people who need it won’t just let it all go to waste.
This is entirely a social issue of managing & rebuffing unrealistic expectations. It’s perfectly valid to set boundaries, remind folks beggars can’t be choosers, and tell them pitching in gets more done.
The truth can absolutely be a bad thing. If google reports an important vulnerability, then buries it in CVE slop for 90 days, and publicly announces details of the important vulnerability that hasn’t been fixed yet, it would be worse than if they had never reported it
The 90-day publishing window is tough when OSS projects are getting buried in AI slop reports
Then Google would have to put out of the fire of that vulnerability in their dependent software.
Not disclosing a vulnerability doesn’t stop attackers from exploiting it. A report simply indicates someone who noticed bothered to report it.
The problem is the vulnerability. False urgency is nothing more: Google’s urgency isn’t the maintainer’s & the maintainers don’t need to “meet the window”. Companies will be left with their pants on fire if they don’t act, too, but it will cost them more. Maintainers can just ignore the window to shift the burden back on moneyed interests as I explained before.
Kind of, in this case its a vulnerability in a portion of code that you need to compile with special flags to even include in the library (ie its not in the default build, you need to rebuild it and opt-in) so its super low impact and just ends up giving the maintainers excessive paperwork.
Again, ignoring/postponing is an option. At work, we’d just move that to the backlog of shit we may never touch: having it there is good for tracking the issue & gathering notes on our thoughts regarding it, which saves time approaching it like new each time it comes up. It’s no different for open source maintainers. Marking an item as won’t fix, deferred, or help wanted or closing redundant items isn’t much paperwork.
Again, the objective reality is the defect exists, and that reality doesn’t change with our awareness of that fact: it’s better to know & track for planning even if the plan is to do nothing.
An issue I’ve seen brought up in the open source community is that they have audits that look at the number of untriaged issues and time to resolve serious issues that their funding depends on.
I’m in software, but not open source, so it seems like they don’t have someone aligned with their team who they can sit down and say “either we need more resources, cut scope for new features, or accept quality / security issues coming up” to, its kind of this weird game of politics they end up needing to play to get any kind of funding for full time maintainers.
That’s the main reason they can’t just ignore issues that come up in their backlog, especially security ones.
I dunno who bothers to file bug reports with them. They’ll gaslight then get removed if that doesn’t work, and only then will they admit under sufferance that there may well be a flaw in their beautiful sexy code.
what bugs have you reported to FFmpeg recently?
It’s the other way around, Captain Reading Comprehension. Google is sending bug reports to FFmpeg.
They may have meant ffmpeg ia hard to work with.
That sounds like what they’re saying, but they don’t provide any reason for us to believe them
