
Comment Cell phones bypassed the TV (Score 2) 42

There are multiple reasons, but I think the biggest is that a different interactive screen ate TV's lunch.

The phone is superior in most ways, from the perspective of the pushers - usually maps to a single person, always with them, location trackable, etc. About the only advantage of the TV is being a big screen, but that doesn't seem to matter for much.

Another big one is there's no central player to lay the rails and the big players have competing interests. But I really think the deciding factor is just that the money folks don't see a need for a QVC "buy now" button.

Comment Re:Isn't this the idea? (Score 1) 113

Google, Microsoft, Apple, Facebook, Amazon, or another one of the big software development companies could easily fork ffmpeg itself, fix the open CVEs, provide their own (likely incompatible) features, and become the new standard - leaving the original developers out in the cold. Google did this with Blink (forked from WebKit, which itself was forked from KHTML). They took a fork of a KDE backed project, put it into what is now the #1 browser in the world, allowed Microsoft, Opera, and others to then use it in their own browsers — and now Google owns the entire narrative and development direction for the engine (in parallel to, and controlled to a lesser extent by Apple which maintains WebKit). The original KHTML developers really couldn’t keep up, and stopped maintaining KHTML back in 2016 (with full deprecation in 2023).

That is the risk for the original developers here. You’re right in that there isn’t really anything out there that can do what ffmpeg does — but if the developers don’t keep up on CVEs then organizations are going to look for new maintainers — and a year or two from now everyone will be using the Google/Microsoft/Apple/Facebook renamed version of ffmpeg instead.

That’s the shitty truth of how these things work. We’ve seen these same actors do it before.

Yaz

Comment Re:Isn't this the idea? (Score 1) 113

Look — I’m a developer. I get it. I’m personally all for having organizations do more to support the OSS they rely on. But the people in the C-suite are more worried about organizational reputation and losing money to lawsuits. If a piece of software they rely on has a known critical CVE that allows for remote code execution and someone breaks in and steals customer data — that software either needs to be fixed, or it needs to be scrapped. Those are the choices. Our customers in the EU are allowed to request SBOMs of everything we use and pass it through their own security validation software — and if they find sev critical CVEs in software we’re using there is going to be hell to pay. And the people in the C-suite can’t abide that level of risk.

Most software development companies (outside some of the biggest ones) don’t really have the kind of expertise in house to supply patches to something as complex as ffmpeg. But a company like Google has the staff with sufficient experience in this area that they could fork the project, fix the issues, and redistribute it as their own solution to the problem — and now Google is driving ffmpeg development. Organizations that need a security-guaranteed version will simply switch to Google’s version, which will likely slowly become incompatible with the original. They’ve done it before — Chrome was Google’s fork of WebKit, huge swaths of users flocked to Chrome, and now Google has over the years made enough changes that their patches often aren’t compatible with WebKit (and, of course, WebKit itself did similar when they forked KHTML).

Now forking like this is great for the community, but it can be tough on individual developers who see their work co-opted and then sidelined by massive corporations. And that’s really why the ffmpeg developers need to be very careful about ignoring CVEs like this. They do so at their own peril, as anyone can fork their code, fix the issues, and slowly make it incompatible with the original. And a big enough organization can ensure their fork becomes the new standard, leaving the original developers out in the cold.

Yaz

Comment Re:Planned economies (Score 1) 152

The rush is that burning it is buggering up the planet. If the US refuses, it becomes a security issue and will be dealt with appropriately.

Chicken little has been shouting this for waaaay too long....driving our ICE vehicles will not cause the planet wide DOOM scenario....certainly not in any lifetime soon.

We have plenty of time to come up with new and better vehicle power schemes.....

Comment Re:Why? (Score 1) 82

Because what use do you have for cash at home?

Drug delivery is the most obvious. I remember a couple of times I was preparing to head to the airport, needed cash, and might well have used something like this.

And even if you are going out, how often do you actually need cash?

I regularly use cash. "Need" doesn't have anything to do with it, I just prefer the simplicity.

Comment No proton for me (Score 1) 29

I self-host email, and after spending weeks dealing with a very persistent asshole trying to break into my systems, was looking at options a while back. (I still self-host email.)

Proton was the first one I looked at, but they charge per-email address, including aliases, which is a blocker for me. (I use unique email addresses for each service I use, and more for other things.)

But this is even worse. I would never use a service that would start sending my email to someone else if I stop paying, that's insane.

There is no way Proton is anywhere close to namespace saturation. The big mail hosters have orders of magnitude more addresses behind single domains.
