Google, Microsoft, Apple, Facebook, Amazon, or another one of the big software development companies could easily fork ffmpeg itself, fix the open CVEs, provide their own (likely incompatible) features, and become the new standard - leaving the original developers out in the cold. Google did this with Blink (forked from WebKit, which itself was forked from KHTML). They took a fork of a KDE backed project, put it into what is now the #1 browser in the world, allowed Microsoft, Opera, and others to then use it in their own browsers — and now Google owns the entire narrative and development direction for the engine (in parallel to, and controlled to a lesser extent by Apple which maintains WebKit). The original KHTML developers really couldn’t keep up, and stopped maintaining KHTML back in 2016 (with full deprecation in 2023).

That is the risk for the original developers here. You’re right in that there isn’t really anything out there that can do what ffmpeg does — but if the developers don’t keep up on CVEs then organizations are going to look for new maintainers — and a year or two from now everyone will be using the Google/Microsoft/Apple/Facebook renamed version of ffmpeg instead.

That’s the shitty truth of how these things work. We’ve seen these same actors do it before.

Yaz

Look — I’m a developer. I get it. I’m personally all for having organizations do more to support the OSS they rely on. But the people in the C-suite are more worried about organizational reputation and losing money to lawsuits. If a piece of software they rely on has a known critical CVE that allows for remote code execution and someone breaks in and steals customer data — that software either needs to be fixed, or it needs to be scrapped. Those are the choices. Our customers in the EU are allowed to request SBOMs of everything we use and pass it through their own security validation software — and if they find sev critical CVEs in software we’re using there is going to be hell to pay. And the people in the C-suite can’t abide that level of risk.

Most software development companies (outside some of the biggest ones) don’t really have the kind of expertise in house to supply patches to something as complex as ffmpeg. But a company like Google has the staff with sufficient experience in this area that they could fork the project, fix the issues, and redistribute it as their own solution to the problem — and now Google is driving ffmpeg development. Organizations that need a security-guaranteed version will simply switch to Google’s version, which will likely slowly become incompatible with the original. They’ve done it before — Chrome was Google’s fork of WebKit, huge swaths of users flocked to Chrome, and now Google has over the years made enough changes that their patches often aren’t compatible with WebKit (and, of course, WebKit itself did similar when they forked KHTML).

Now forking like this is great for the community, but it can be tough on individual developers who see their work co-opted and then sidelined by massive corporations. And that’s really why the ffmpeg developers need to be very careful about ignoring CVEs like this. They do so at their own peril, as anyone can fork their code, fix the issues, and slowly make it incompatible with the original. And a big enough organization can ensure they’re fork becomes the new standard, leaving the original developers out in the cold.

Yaz

Itâ(TM)s definitely about the law requiring pricing to show the final price. I get it that tax rates are variable based on locality in the US, even within a state or a city. Thereâ(TM)s much less variability here in the UK (VAT is the same rate everywhere and only varies if certain goods are deemed worthy of a discount). No reason why taxed and tax free prices canâ(TM)t both be shown in the US. This is also common in some places here, especially where businesses will be buying items with a VAT exemption.

The only time I come in contact with Edge is in my Windows VMs or remote servers and I want to download something directly in to the VM on to the server, or I accidentally click on some Microsoft crap that opens the default browser. My annoyances:

• * It eventually forgets what my open tabs were from the last session. It does this frequently. I have tabs in Safari I've had open for for years, and that's the way I like. You fail Microsoft.
• * Configuring Edge is a headache. Default choices are shit and changing that involves going through too many steps.
• * Whatever the browser core, for decades now, Microsoft defaults to a busy noisy page. Their product manager must have been introduced to browsers in the late '90s when everybody had to have a portal. Most of my Windows access is to remote servers, so the last thing I want is it opening an animated page that kills the performance of the remote connection. Sure, it's not as bad as it was 20 years ago when latency was higher and bandwidth was lower, but still annoys the shit of me. Just give me a minimal page by default.
• * It's not even an independent product anymore. Using it means supporting Google. No thanks.

They couldn't make their browser successful when they developed it in-house. They had to make and cuts opted to wrap somebody else's browser, and even now, that can't make that successful.

I think they're trying to say that the GPUs will depreciate more quickly than expected and thus the expectations of their return on investment (on which the loans financing the GPU purchases) depend on will leave all of these major companies heavily in debt without revenue generation on the assets to justify their purchase in later years.

Conceivably, this could lead to bankruptcies and a chain of failures from companies like google and amazon, with a massive drop in stock value and a "too big to fail" problem for the US government again.

(This is me trying to explain the argument, not saying I agree or disagree.)

That, or your project gets sidelined. Which is where the danger lies.

I work for a big multinational software company that uses a lot of Open Source Software. We have a security office that audits all of our products several times a year. If any piece of our stack shows any open CVEs we have a fixed amount of time to fix the issue, with the amount of time varying from a few days (for CRITICAL severity issues) to roughly half a year for the lowest severity issues. A lack of a fix for a published CVE isn’t an excuse for not fixing the issue on our end — the software still has a security flaw in it, and the organization is so incredible security averse (thanks in part to having contacts in the defence industry) that they don’t want to risk expensive lawsuits and the loss of reputation if a vulnerability is exploited.

A lot of bigger organizations now work this way. We’ve all seen what has happened to organizations that have had significantly security breaches, and it’s not pretty. Our customers are big corporations and government entities — and if they even sniff a risk there are going to be problems. So if there is an unpatched exploit, we’re expected to either switch to something comparable, or DIY a solution (either replacing the library in question, or potentially patching it ourselves).

If ffmpeg allows known and published vulnerabilities to languish, the risk here is that organizations that use their code will simply stop using it and will look for other solutions. That’s a tough pill for an Open Source Software developer to swallow, especially when they make it as big and important as ffmpeg. You might wind up in a situation where an entity like Google forks your code and takes ownership, and eventually gets everyone to migrate to using their version instead (like what they did with WebKit to Chrome), leaving you sidelines. Or maybe someone else jumps in with a compatible solution that works well enough for enough users that they switch to that instead.

Now in an ideal world, the Google’s of this world would not only submit a CVE but would also submit a patch. Having been an OSS developer myself I’ve always encouraged my staff if they find a bug in a piece of software we use to file a bug report and ideally a patch if they know how to patch the issue correctly — but I know that is hardly universal within our organization, and probably even less so elsewhere.

TL;DR: a lot of OSS success relies on having lots of users, or at least some big and important users. But you risk losing those if you leave CVE’s open for too long, as company policies may require scrapping software with unfixed CVEs. That loss of users and reputation is dangerous for an OSS project — it’s how projects get supplanted, either by a fork or by a new (and similar) project.

Yaz

Good luck getting FFmpeg running on a console from 1996!

Actually, at Demuxed 2025 recently, somebody did make a presentation detailing how they got a Sega Genesis (Megadrive) to stream and playback video. What an awesome hack!! Itâ(TM)s here: https://github.com/joeyparrish...

FFmpeg, written primarily in assembly language

Not even close. 90% C, 8% assembly, at least according to GitHub.

" Pack 9 million people into a "linear" city.."

The Chicago metropolitan area is a linear city of 9 million, more if you include the corridor up to Kenosha and Milwaukee. At its peak the city of Chicago was 3.2 million alone. However, it grew that way in the historic human pattern of part luck, part planning, part ignoring some of the planning, part haphazard human desire/greed/whim.

City regions that are created by force of one will and an ironclad design (Brasilia) seldom work - Canberra is the only one I can think of.

The Air Passenger Duty tax is significantly more expensive: https://www.gov.uk/government/...

If society doesnâ(TM)t want this, they should pay more taxes and hire more police and spend on other schemes to provide more opportunities and education, etc. Doing it through the back door and hiding the cost in the price of your groceries is piecemeal and less effective.

Getting your children to do things around the house and garden or taking them to a firing range has nothing to do with home schooling and can be done by any parent anyway. The fact that you mentioned "likeminded parents" sounds more like indoctrination.

Theyâ(TM)re not really 24, 30 or 60. Theyâ(TM)re stupid fractional rates like 30000/1001. I wish NTSC fractional frame rates would die, along with interlacing.

LOL. Thanks for the witty reply; I wish /. would let me just react like every other modern app or site.

Iâ(TM)ve never had a vacuum that lasts for such a short period of time. My current one (a Dyson) has been going 14 years and no reason to believe it will die anyone soon. I got rid of the 12 year old Hoover I had before only because I moved country and it wouldnâ(TM)t work with 220V. What is your wife doing to break so many vacuums, or are they just cheap crap that fails frequently? Youâ(TM)ve spent way more on vacuums than I have.