
Comment Re:Isn't this the idea? (Score 1) 113

Google, Microsoft, Apple, Facebook, Amazon, or another one of the big software development companies could easily fork ffmpeg itself, fix the open CVEs, provide their own (likely incompatible) features, and become the new standard - leaving the original developers out in the cold. Google did this with Blink (forked from WebKit, which itself was forked from KHTML). They took a fork of a KDE backed project, put it into what is now the #1 browser in the world, allowed Microsoft, Opera, and others to then use it in their own browsers — and now Google owns the entire narrative and development direction for the engine (in parallel to, and controlled to a lesser extent by Apple which maintains WebKit). The original KHTML developers really couldn’t keep up, and stopped maintaining KHTML back in 2016 (with full deprecation in 2023).

That is the risk for the original developers here. You’re right in that there isn’t really anything out there that can do what ffmpeg does — but if the developers don’t keep up on CVEs then organizations are going to look for new maintainers — and a year or two from now everyone will be using the Google/Microsoft/Apple/Facebook renamed version of ffmpeg instead.

That’s the shitty truth of how these things work. We’ve seen these same actors do it before.

Yaz

Comment Re:Isn't this the idea? (Score 1) 113

Look — I’m a developer. I get it. I’m personally all for having organizations do more to support the OSS they rely on. But the people in the C-suite are more worried about organizational reputation and losing money to lawsuits. If a piece of software they rely on has a known critical CVE that allows for remote code execution and someone breaks in and steals customer data — that software either needs to be fixed, or it needs to be scrapped. Those are the choices. Our customers in the EU are allowed to request SBOMs of everything we use and pass it through their own security validation software — and if they find sev critical CVEs in software we’re using there is going to be hell to pay. And the people in the C-suite can’t abide that level of risk.

Most software development companies (outside some of the biggest ones) don’t really have the kind of expertise in house to supply patches to something as complex as ffmpeg. But a company like Google has the staff with sufficient experience in this area that they could fork the project, fix the issues, and redistribute it as their own solution to the problem — and now Google is driving ffmpeg development. Organizations that need a security-guaranteed version will simply switch to Google’s version, which will likely slowly become incompatible with the original. They’ve done it before — Chrome was Google’s fork of WebKit, huge swaths of users flocked to Chrome, and now Google has over the years made enough changes that their patches often aren’t compatible with WebKit (and, of course, WebKit itself did similar when they forked KHTML).

Now forking like this is great for the community, but it can be tough on individual developers who see their work co-opted and then sidelined by massive corporations. And that’s really why the ffmpeg developers need to be very careful about ignoring CVEs like this. They do so at their own peril, as anyone can fork their code, fix the issues, and slowly make it incompatible with the original. And a big enough organization can ensure their fork becomes the new standard, leaving the original developers out in the cold.

Yaz

Comment Re:Isn't this the idea? (Score 2) 113

Eventually whoever has most to lose is bound to step up and help.

That, or your project gets sidelined. Which is where the danger lies.

I work for a big multinational software company that uses a lot of Open Source Software. We have a security office that audits all of our products several times a year. If any piece of our stack shows any open CVEs we have a fixed amount of time to fix the issue, with the amount of time varying from a few days (for CRITICAL severity issues) to roughly half a year for the lowest severity issues. A lack of a fix for a published CVE isn’t an excuse for not fixing the issue on our end — the software still has a security flaw in it, and the organization is so incredibly security averse (thanks in part to having contacts in the defence industry) that they don’t want to risk expensive lawsuits and the loss of reputation if a vulnerability is exploited.

A lot of bigger organizations now work this way. We’ve all seen what has happened to organizations that have had significant security breaches, and it’s not pretty. Our customers are big corporations and government entities — and if they even sniff a risk there are going to be problems. So if there is an unpatched exploit, we’re expected to either switch to something comparable, or DIY a solution (either replacing the library in question, or potentially patching it ourselves).

If ffmpeg allows known and published vulnerabilities to languish, the risk here is that organizations that use their code will simply stop using it and will look for other solutions. That’s a tough pill for an Open Source Software developer to swallow, especially when they make it as big and important as ffmpeg. You might wind up in a situation where an entity like Google forks your code and takes ownership, and eventually gets everyone to migrate to using their version instead (like what they did with WebKit to Chrome), leaving you sidelined. Or maybe someone else jumps in with a compatible solution that works well enough for enough users that they switch to that instead.

Now in an ideal world, the Googles of this world would not only submit a CVE but would also submit a patch. Having been an OSS developer myself, I’ve always encouraged my staff, if they find a bug in a piece of software we use, to file a bug report and ideally a patch if they know how to patch the issue correctly — but I know that is hardly universal within our organization, and probably even less so elsewhere.

TL;DR: a lot of OSS success relies on having lots of users, or at least some big and important users. But you risk losing those if you leave CVEs open for too long, as company policies may require scrapping software with unfixed CVEs. That loss of users and reputation is dangerous for an OSS project — it’s how projects get supplanted, either by a fork or by a new (and similar) project.

Yaz

Comment Just no. Not Power or Heat; Kessler Effect (Score 2) 64

Imagine a small meteor hits a satellite and the satellite sends out a shitload of shards moving at extremely high speed. And then some of those hit a sky data centre and cause a cascading (Kessler) effect. Or if the meteor hits the much larger data centre directly. We already know we are walking a fine line of losing a significant proportion of satellites if there are collisions.

Or worse, what if some bad player shoots a missile into one of those centres? This would cause orders of magnitude worse results than a simple collision. If a cloud of debris started orbiting, it could knock out a large portion of the world's computing power (assuming most adopted this silly idea). If most of the data centres were put in space and that worst case scenario happened, the whole world would shut down. And if you moved the centres far enough apart in space, they would be so high up the communications lag would have just as bad a consequence.

For shit like this, you have to plan for worst case. It's why they put berms around terrestrial data centres and have enough security to protect a gold repository, just about. Right now, there is no way to protect against a Kessler Syndrome/Effect/Event if it happens.

Comment Subtext: "We don't want you learning how to learn" (Score 1) 43

"You don't need to know how to learn; in fact, you don't need to know anything. Just ask 'Brother AI', he will tell you everything." [In a soothing big brother voice.]
Keep the masses ignorant and only tell them stuff you want them to hear. It's the next step in making the rich richer, and the poor poorer.

Comment Re:Looking put the windows may do the same (Score 1) 14

Way to look like a full on completely ignorant asshole. I bet you think you sounded smart there. Here is an article that gives people some useful information on an important topic, that was not known before. There's nothing stopping you (or anyone else) from taking this thing, which you had no clue about before so couldn't, and digging deeper. In essence fuck off you useless troll. Cancer sucks. Information on fighting it is always welcome.

Comment If Lemkin were not a “founder” (Score 5, Insightful) 151

that would 100% be a firing offence.

Honestly, setting an AI you don’t control loose on your production database? Really? That’s just gross incompetence. This is code that a) wasn’t written or reviewed by a human, and b) wasn’t even tested on a development copy of the database.

Developers that do things like that are a liability. Unfortunately as “founder” he’ll likely just post something on LinkedIn about learning from his mistakes and “personal growth”, and that will be the end of it. Anyone else would have been shown the door to accelerate their “personal growth”.

Yaz

Comment Re:Interesting (Score 2) 69

I have one chef's knife that is sharp like a razor. I have a stainless steel bowl I make a sanitation solution in (one or two capfuls of bleach) and throw in a clean small towel or two. The super sharp knife makes sure onions and the like don't squirt unneeded juice, and I can wipe off the blade between food types.

Kosher was created because people didn't know what germs are, and just knew that if you ate certain foods you were more likely to get sick, but didn't know why. And they didn't know that the problem with wood handles on knives was that bits of stuff could get stuck between the steel and wood, allowing contamination. So the rabbis just made up a rule and put it in the book that said, unless it is blessed by a rabbi, you can't eat that food or use that type of cooking tool. And then the rabbis would only bless food that was less likely to make you sick. Now we know about germs and raise animals in ways they won't be contaminated (e.g. trichinosis in pigs is almost unheard of now, and we know about things like 'red tide' and other stuff that contaminate shellfish and crustaceans). So Kosher doesn't mean shit anymore. Only people who think there is a god that watches what you eat believe that nonsense now.

Comment Re:Fuck China (Score 1) 136

So the USA puts, by tomorrow, 100% tariffs on Chinese goods. That means Americans' buying power with respect to what they can purchase from China is halved. For all other countries at 50% it is one third. America can't buy as much. Just like the buying power of third world countries. Anyway, China won't care, there are over six billion people in all the other countries outside of China and the USA. And eventually when the American dollar goes low enough, all those countries will switch to using the Euro as the standard. Then the USA will be the banana republic you MAGA types have always wanted. You're number 85.

Comment Encourage People Never Go More Than 20km From Home (Score -1) 239

And then we can have a different language every 100 km, or accents that are so different we might not understand them. So cool to fragment the world again on the pillar of killing cars. Now we have ICE cars. What will the idiots' excuse be for when there are all EVs or H2 cars (shut up EV fucktards, they won't work in the third world, there isn't enough electric infrastructure, try actually following what's going on and see the hundreds of billions ongoing into H2 in the third world). I'll guarantee these numbskulls will make up some other stupid reason to fragment society. Modern transportation made the world smaller, and helped educate people by way of learning about people elsewhere whenever they feel like driving. It's almost like the sheep are being led to the slaughter by creating a world where the disconnected people are easier to control.
