
Comment Re:Isn't this the idea? (Score 1) 113

Google, Microsoft, Apple, Facebook, Amazon, or another one of the big software development companies could easily fork ffmpeg itself, fix the open CVEs, provide their own (likely incompatible) features, and become the new standard - leaving the original developers out in the cold. Google did this with Blink (forked from WebKit, which itself was forked from KHTML). They took a fork of a KDE backed project, put it into what is now the #1 browser in the world, allowed Microsoft, Opera, and others to then use it in their own browsers — and now Google owns the entire narrative and development direction for the engine (in parallel to, and controlled to a lesser extent by Apple which maintains WebKit). The original KHTML developers really couldn’t keep up, and stopped maintaining KHTML back in 2016 (with full deprecation in 2023).

That is the risk for the original developers here. You’re right in that there isn’t really anything out there that can do what ffmpeg does — but if the developers don’t keep up on CVEs then organizations are going to look for new maintainers — and a year or two from now everyone will be using the Google/Microsoft/Apple/Facebook renamed version of ffmpeg instead.

That’s the shitty truth of how these things work. We’ve seen these same actors do it before.

Yaz

Comment Re:Isn't this the idea? (Score 1) 113

Look — I’m a developer. I get it. I’m personally all for having organizations do more to support the OSS they rely on. But the people in the C-suite are more worried about organizational reputation and losing money to lawsuits. If a piece of software they rely on has a known critical CVE that allows for remote code execution and someone breaks in and steals customer data — that software either needs to be fixed, or it needs to be scrapped. Those are the choices. Our customers in the EU are allowed to request SBOMs of everything we use and pass it through their own security validation software — and if they find sev critical CVEs in software we’re using there is going to be hell to pay. And the people in the C-suite can’t abide that level of risk.

Most software development companies (outside some of the biggest ones) don’t really have the kind of expertise in house to supply patches to something as complex as ffmpeg. But a company like Google has the staff with sufficient experience in this area that they could fork the project, fix the issues, and redistribute it as their own solution to the problem — and now Google is driving ffmpeg development. Organizations that need a security-guaranteed version will simply switch to Google’s version, which will likely slowly become incompatible with the original. They’ve done it before — Chrome was Google’s fork of WebKit, huge swaths of users flocked to Chrome, and now Google has over the years made enough changes that their patches often aren’t compatible with WebKit (and, of course, WebKit itself did similar when they forked KHTML).

Now forking like this is great for the community, but it can be tough on individual developers who see their work co-opted and then sidelined by massive corporations. And that’s really why the ffmpeg developers need to be very careful about ignoring CVEs like this. They do so at their own peril, as anyone can fork their code, fix the issues, and slowly make it incompatible with the original. And a big enough organization can ensure their fork becomes the new standard, leaving the original developers out in the cold.

Yaz

Comment This does sound like a good plan (Score 1) 7

Anybody else ever play You Don't Know Jack with three other people? I think that was the first really clean and comprehensible party quiz game, and a YDKJ title seems like it would be a good fit here.

Pretty much any cellphone can now do a decent imitation of a Wiimote (besides the sensors, you could also use camera data) and it would also be hilarious to see people accidentally chuck their phones across the room while bowling.

Comment Re: A waitlist? (Score 1) 38

Marketing say so! They would never lie.

Mozilla keeps thinking that they can make Firefox popular without the nerds somehow. But all the shit that makes it better than other browsers is nerd shit, so they need nerds to advocate for it, teach other users how to use those features, etc. Meanwhile they seem to actually be trying to alienate us. Just like in the movie, here is the pulse, and here is their finger, far from the pulse, jammed up their ass. Pretzel?

Comment Re:Flying Car? (Score 2) 30

You are correct, they absolutely, positively do not have a flying car. They have a drone that comes out of a cybervan. And it's six-wheeled to boot, which would be cool in an off road vehicle but absolutely sucks on pavement. I did not bother to look up whether it has rear steering because IDGAF about it even if it does, even though that would be kind of neat. The rest of it is dumb.

Comment Re:What about top speed? (Score 1) 83

Also, the only realistic way to create a true "unintended acceleration" without pedal misapplication is something getting stuck in the pedal or the pedal getting stuck down

I see you didn't read the Toyota unintended acceleration report by the Barr Group, and have nothing of value to add to this conversation.

Comment Re:As intended (Score 1) 150

Overproduction is an absolute requirement for a market economy to function, you incredible dummy.

Yes, overproduction is necessary. But it's also waste. And if you get too much of it, then it's unsustainable.

You people are so pig fucking ignorant about everything

Fine words from a coward.

Comment Re:Stop calling it Firefox (Score 2) 38

I don't want anything in the browser that I have to worry about whether it's turned on and spying on me or not.

Anything like that should be an add-on so it can be not just disabled but removed (assuming it's shipped with the browser.)

My pet Firefox peeve is with mobile. It's shitty and getting shittier. Not only does it have a javascript-related memory leak they haven't bothered to fix for many years, but now it's hanging when trying to upload images. It works once or twice and then on the third try the browser hangs. It takes a long time to get through to kill it too so it looks frankly like yet another memory leak.

Comment Re: Make them occasionally? (Score 1) 169

It's definitely about the law requiring pricing to show the final price. I get it that tax rates are variable based on locality in the US, even within a state or a city. There's much less variability here in the UK (VAT is the same rate everywhere and only varies if certain goods are deemed worthy of a discount). No reason why taxed and tax free prices can't both be shown in the US. This is also common in some places here, especially where businesses will be buying items with a VAT exemption.
