
Comment Re:Isn't this the idea? (Score 1) 113

Google, Microsoft, Apple, Facebook, Amazon, or another one of the big software development companies could easily fork ffmpeg itself, fix the open CVEs, provide their own (likely incompatible) features, and become the new standard - leaving the original developers out in the cold. Google did this with Blink (forked from WebKit, which itself was forked from KHTML). They took a fork of a KDE backed project, put it into what is now the #1 browser in the world, allowed Microsoft, Opera, and others to then use it in their own browsers — and now Google owns the entire narrative and development direction for the engine (in parallel to, and controlled to a lesser extent by Apple which maintains WebKit). The original KHTML developers really couldn’t keep up, and stopped maintaining KHTML back in 2016 (with full deprecation in 2023).

That is the risk for the original developers here. You’re right in that there isn’t really anything out there that can do what ffmpeg does — but if the developers don’t keep up on CVEs then organizations are going to look for new maintainers — and a year or two from now everyone will be using the Google/Microsoft/Apple/Facebook renamed version of ffmpeg instead.

That’s the shitty truth of how these things work. We’ve seen these same actors do it before.

Yaz

Comment Re:Isn't this the idea? (Score 1) 113

Look — I’m a developer. I get it. I’m personally all for having organizations do more to support the OSS they rely on. But the people in the C-suite are more worried about organizational reputation and losing money to lawsuits. If a piece of software they rely on has a known critical CVE that allows for remote code execution and someone breaks in and steals customer data — that software either needs to be fixed, or it needs to be scrapped. Those are the choices. Our customers in the EU are allowed to request SBOMs of everything we use and pass it through their own security validation software — and if they find sev critical CVEs in software we’re using there is going to be hell to pay. And the people in the C-suite can’t abide that level of risk.

Most software development companies (outside some of the biggest ones) don’t really have the kind of expertise in house to supply patches to something as complex as ffmpeg. But a company like Google has the staff with sufficient experience in this area that they could fork the project, fix the issues, and redistribute it as their own solution to the problem — and now Google is driving ffmpeg development. Organizations that need a security-guaranteed version will simply switch to Google’s version, which will likely slowly become incompatible with the original. They’ve done it before — Chrome was Google’s fork of WebKit, huge swaths of users flocked to Chrome, and now Google has over the years made enough changes that their patches often aren’t compatible with WebKit (and, of course, WebKit itself did similar when they forked KHTML).

Now forking like this is great for the community, but it can be tough on individual developers who see their work co-opted and then sidelined by massive corporations. And that’s really why the ffmpeg developers need to be very careful about ignoring CVEs like this. They do so at their own peril, as anyone can fork their code, fix the issues, and slowly make it incompatible with the original. And a big enough organization can ensure their fork becomes the new standard, leaving the original developers out in the cold.

Yaz

Comment Re:Isn't this the idea? (Score 2) 113

Eventually whoever has most to lose is bound to step up and help.

That, or your project gets sidelined. Which is where the danger lies.

I work for a big multinational software company that uses a lot of Open Source Software. We have a security office that audits all of our products several times a year. If any piece of our stack shows any open CVEs we have a fixed amount of time to fix the issue, with the amount of time varying from a few days (for CRITICAL severity issues) to roughly half a year for the lowest severity issues. A lack of a fix for a published CVE isn’t an excuse for not fixing the issue on our end — the software still has a security flaw in it, and the organization is so incredibly security averse (thanks in part to having contacts in the defence industry) that they don’t want to risk expensive lawsuits and the loss of reputation if a vulnerability is exploited.

A lot of bigger organizations now work this way. We’ve all seen what has happened to organizations that have had significant security breaches, and it’s not pretty. Our customers are big corporations and government entities — and if they even sniff a risk there are going to be problems. So if there is an unpatched exploit, we’re expected to either switch to something comparable, or DIY a solution (either replacing the library in question, or potentially patching it ourselves).

If ffmpeg allows known and published vulnerabilities to languish, the risk here is that organizations that use their code will simply stop using it and will look for other solutions. That’s a tough pill for an Open Source Software developer to swallow, especially when they make it as big and important as ffmpeg. You might wind up in a situation where an entity like Google forks your code and takes ownership, and eventually gets everyone to migrate to using their version instead (like what they did with WebKit to Chrome), leaving you sidelined. Or maybe someone else jumps in with a compatible solution that works well enough for enough users that they switch to that instead.

Now in an ideal world, the Googles of this world would not only submit a CVE but would also submit a patch. Having been an OSS developer myself I’ve always encouraged my staff, if they find a bug in a piece of software we use, to file a bug report and ideally a patch if they know how to patch the issue correctly — but I know that is hardly universal within our organization, and probably even less so elsewhere.

TL;DR: a lot of OSS success relies on having lots of users, or at least some big and important users. But you risk losing those if you leave CVEs open for too long, as company policies may require scrapping software with unfixed CVEs. That loss of users and reputation is dangerous for an OSS project — it’s how projects get supplanted, either by a fork or by a new (and similar) project.

Yaz

Comment Science fiction is not about the new shiny things, (Score 1) 111

It’s about how human beings react to new shiny things. I would ballpark science fiction as being about 50% cautionary tales and 50% hopeful inspiration. If you miss those lessons you’re going to focus on the shiny things. Kurt Vonnegut wrote about ice nine because his brother Bernard was helping figure out how to freeze clouds and create weather. A fable about how scientists don’t always look at the full effects of what they create. If you want the phasers, but don’t want the society it may not go well.

Comment Pardon my skepticism, but (Score 1) 110

The release speaks of Starship capabilities in the present tense.
They have yet to complete a single orbit.
They have yet to refuel in space.
They have yet to tour a habitable version of Starship.
The Crew Dragon spacewalk was a dog head out the window.
They have yet to land Starship upright tail first on land.
Also sounds like Hadden from Contact - Why build one when you can have two at twice the price?
The parallel efforts sound good, but what happens when resources get scarce?
Does he short his vehicles or NASA vehicles if parts break or the gummint funding shuts down?
I know that advanced planetary species have a permanent presence elsewhere, but those are imaginary species.
The point of science fiction is to understand humanity, not to have the speedy shiny things.

Comment The pendulum swings (Score 1) 77

We went from walled gardens like AOL CompuServe, the WELL, Delphi, etc., to open authorship of websites, and now we are back to a lot of walled gardens, we just call them social media - Twitter, Facebook, Instagram, TikTok, all with their own revenue generating enclosures.

I was teaching undergrad and graduate level teachers in 1998 through 2000, and they would almost universally come in demanding that they know how to make a webpage and write HTML. I also had to make sure that they knew what a student experience was like, so we were, at that time, still pretty big on LOGO. They were convinced that LOGO was utter nonsense and a useless toy, and that they had to learn HTML or they would be left as the jetsam of the Internet. A week into HTML, where syntax errors beget digital avalanches, they were ready to tear their hair out. A week into LOGO and they were just as inspired and happy as the kids they would eventually teach it to. You didn’t get a syntax error in LOGO; the console simply asks you to teach it how to do the thing you typed that wasn’t in its vocabulary.

Even after we had some of the early foolproof web authoring tools, people realized that the hard part was not necessarily coding, it was making sure you knew what you were going to talk about, how to say it, how to present it, how to have it make sense and how to use the hyperlinking that the web was built for.

Of course, revenue has a lot to do with the overall frustrating Web experience today: to read the first story on my local newspaper site, I have to dismiss no less than five ads and pop-up offers. I’ve never been to the Vegas strip, but I imagine the visual assault of the current web means I really don’t need to experience it in person in the physical world. And of course, like operating systems, every major provider wants to make sure you stay in theirs. It’s kind of like how CVS is no longer a pharmacy; they build a separate building that has enough stuff so that you don’t even try to shop elsewhere when you go in to get your RX. You grab all the other things you need there so that you won’t go elsewhere. META has adopted this model; they want to make sure that everything you need to get through your day is available in their brand. Google as well. Google is an advertising company that happens to be willing to supply you with some serviceable tools to do other things. Kind of like the car Homer Simpson designs. And I’ll stop now because I’m starting to sound like grandpa Simpson with the onions.

Comment Re: Color me skeptical, (Score 1) 166

This assumes you want a lunar habitat. The original flights to the moon were in an era of exploration, they actually did provide some valid scientific results, and we beat the Russians. Growing up in that era, I cheered space flight like no one else. What was accomplished was nothing short of amazing. We no longer need to beat the Russians, so why? The real value of LEO is earth resource monitoring, possibly some manufacturing. Unmanned space flight is far safer and more reliable than manned. The same goes for Mars. What is the return on investment? We will never colonize any other celestial body to remove any pressure on the Earth. Less than 1000 people have ever flown to space in 60+ years of flights. A quarter of a million people have died in a single day in a disaster, and it never put a dent in the population of the Earth. Both efforts no longer look like breakthroughs, but rather more like flagpole sitting or ego projects. I’m willing to be proven wrong.

Comment Color me skeptical, (Score 4, Insightful) 166

Three years of launches, and they have yet to complete an orbit.
Somehow all in the next calendar year, they expect to regularly orbit, AND orbit a propellant target AND complete propellant transfer AND orbit a stable propellant depot AND perform a dozen or more propellant transfers AND land an unmanned Starship HLS on the moon AND launch 5 Starships to the Mars surface AND land a Starship with a working rover on the moon surface.
His delivery of car functions and price targets has slipped by years.
Is there some reasonableness of the space flight schedule that is inherently more reliable?
I get it, yeah, it is rocket science, but it seems like wishful thinking at best.

Comment Trying to confirm (Score 1) 95

If this craft has completed a full orbit. They refer to reaching orbital velocity or altitude, but I cannot find any reference to completing a full orbit of the earth. Ten launches without completing an orbit seems like a lot for something that is supposed to use 3 or 4 of these things rendezvousing in orbit to get to the moon and back in 2027.

Comment Re: Simple: Vindictive against climate research (Score 4, Informative) 165

Ground truthing (touchy term depending on if you are the ground based or space based nerd) is essential in getting a verification on the ground of what the bird sees. Once you have that calibration, the sat data is very reliable. And you cannot be on the ground everywhere, so the sat has greater range. This is an evolution of what the LANDSAT birds have been doing for decades. Source: have been working on earth resource monitoring education / citizen science for 30 years.
