Forgot your password?
typodupeerror

Comment Re: Oh well (Score 4, Insightful) 245

my oldest is 26, and my next is 22. oldest was told to go into cyberseurity , get a degree in it, gets out, no one will even interview without 5 years experience. no feeder jobs or anything that would give them that experience, just magically you need experience. they've been a supervisor at a fast food place for some time now, applying to 100-150 roles all over the USA and not getting a response, let alone a rejection.

My next just graduated in May, he has a little more of a plan, wants to be a professor and teach English to autistic kids (as he is one, but graduated magna cum laude with a BA in English)

Just wanting to work for a year to save up for his master program, finally found a job for $9.50 an hour at a movie theater, no other place would call him back as he has a BA in English and 'is over qualified' or doesn't have grocery store experience.

This is what happens when you don't hire people for the long haul, everything is transactional. I don't think you should work same place until you die but now business is so unwilling to invest in someone for them to leave, they won't invest.

Comment Did y'all watch the same movie? (Score 5, Interesting) 172

I went to it last night. I have no idea what the complaints are about. 'Dark and Muddy' we were on a world destroyed by war, with people scrounging out an existnance that had bad guys stealing every female child for a breeding farm. Should it be bright and clean?

way to blow the ending spoiler. Yes, she killed a guy. how many action movies have been released where the body count is 100x higher and we're cool with it? the hero murders entire base full of people blows it up on the way out, but supergirl stabs a guy who shot her dog with a poison that tortures it to death over three days and killed a kids family, killed another family and their kid in front of her.

He died to quickly for my taste. He needed to die screaming, one appendage ripped off at a time.

it was a fun movie, I swear to god I do not understand people these days.

Comment Re:First Post! (Score 2) 79

By the time Slashdot started using id's, I thought it had already become too crowded to have a useful conversation, so I didn't bother to register. I don't even remember why I eventually broke down and registered one.

I remember my first post was to a discussion of whether it was better for Linux distros to conform to a set of committee defined standards, or simply to allow the market to define de facto standards. Of course, that was posted under my real name, as was usually the custom at the time. I remember thinking that Anonymous Coward guy sure posted a lot of comments.

These days, I don't think I'd post anything anywhere under my real name. I don't think there's even an archive of those original Slashdot articles and comments.

Comment A modest proposal (Score 1) 162

The company that wants to take advantage of my home to house their mini data center node can: 1. Pay for the cost of the house while I retain the title, 2. Pay my property taxes, 3. Pay my utility bill, 4. Pay for all house maintenance, 5. Pay for all insurance, 6. Pay me an extra $25,000 a month as a âoeconvenience fee.â Makes sense to me. And itâ(TM)s probably still cheaper for them to do this instead of building giant data centers.

Comment They won't fix it (Score 1) 89

I have been to all of the QC Snapdragon briefs, know the engineers personally, and have written about the shitshow on SemiAccurate.com extensively, basically I know what is going on. QC doesn't understand what they are doing and why, and there is ZERO internal impetus to change from the people on top. They do nearly nothing on software enablement because, "That is Microsoft's job". Drivers are intentionally locked down and encrypted to block Linux, and x86 compatibility is BETTER in hardware than the Mac Mx line (Same people who did the M1 and M2 did the X1 and X2, and they all just bailed on QC) but the software is.... oh look outside, there is a sky.

TLDR: No chance in hell there will be a fix.

                    -Charlie

Comment One thing is faster - increase of technical debt (Score 2) 139

I really do think coding using AI tools is a bit faster, at least it seems that way to me. As most of the morning but lengthy work can be done faster by AI.

But I am also pretty sure it's VERY easy to rapidly incur technical debt, especially if you are telling AI to review its own work. Yeah it will do some stuff but who is to say post review fixes it's really better?

More than ever I think the right approach to coding with AI is to build up carefully crafted frameworks that are solid (maybe use AI to help but review and tests very carefully) then allow AI to build on top of solid fundamental structures that you know are solid, and do not let the AI modify those - maybe let it ask for feature requests.

Comment Re:Isn't this the idea? (Score 1) 113

Google, Microsoft, Apple, Facebook, Amazon, or another one of the big software development companies could easily fork ffmpeg itself, fix the open CVEs, provide their own (likely incompatible) features, and become the new standard - leaving the original developers out in the cold. Google did this with Blink (forked from WebKit, which itself was forked from KHTML). They took a fork of a KDE backed project, put it into what is now the #1 browser in the world, allowed Microsoft, Opera, and others to then use it in their own browsers — and now Google owns the entire narrative and development direction for the engine (in parallel to, and controlled to a lesser extent by Apple which maintains WebKit). The original KHTML developers really couldn’t keep up, and stopped maintaining KHTML back in 2016 (with full deprecation in 2023).

That is the risk for the original developers here. You’re right in that there isn’t really anything out there that can do what ffmpeg does — but if the developers don’t keep up on CVEs then organizations are going to look for new maintainers — and a year or two from now everyone will be using the Google/Microsoft/Apple/Facebook renamed version of ffmpeg instead.

That’s the shitty truth of how these things work. We’ve seen these same actors do it before.

Yaz

Comment Re:Isn't this the idea? (Score 1) 113

Look — I’m a developer. I get it. I’m personally all for having organizations do more to support the OSS they rely on. But the people in the C-suite are more worried about organizational reputation and losing money to lawsuits. If a piece of software they rely on has a known critical CVE that allows for remote code execution and someone breaks in and steals customer data — that software either needs to be fixed, or it needs to be scrapped. Those are the choices. Our customers in the EU are allowed to request SBOMs of everything we use and pass it through their own security validation software — and if they find sev critical CVEs in software we’re using there is going to be hell to pay. And the people in the C-suite can’t abide that level of risk.

Most software development companies (outside some of the biggest ones) don’t really have the kind of expertise in house to supply patches to something as complex as ffmpeg. But a company like Google has the staff with sufficient experience in this area that they could fork the project, fix the issues, and redistribute it as their own solution to the problem — and now Google is driving ffmpeg development. Organizations that need a security-guaranteed version will simply switch to Google’s version, which will likely slowly become incompatible with the original. They’ve done it before — Chrome was Google’s fork of WebKit, huge swaths of users flocked to Chrome, and now Google has over the years made enough changes that their patches often aren’t compatible with WebKit (and, of course, WebKit itself did similar when they forked KHTML).

Now forking like this is great for the community, but it can be tough on individual developers who see their work co-opted and then sidelined by massive corporations. And that’s really why the ffmpeg developers need to be very careful about ignoring CVEs like this. They do so at their own peril, as anyone can fork their code, fix the issues, and slowly make it incompatible with the original. And a big enough organization can ensure they’re fork becomes the new standard, leaving the original developers out in the cold.

Yaz

Comment Re:Isn't this the idea? (Score 2) 113

Eventually whoever has most to lose is bound to step up and help.

That, or your project gets sidelined. Which is where the danger lies.

I work for a big multinational software company that uses a lot of Open Source Software. We have a security office that audits all of our products several times a year. If any piece of our stack shows any open CVEs we have a fixed amount of time to fix the issue, with the amount of time varying from a few days (for CRITICAL severity issues) to roughly half a year for the lowest severity issues. A lack of a fix for a published CVE isn’t an excuse for not fixing the issue on our end — the software still has a security flaw in it, and the organization is so incredible security averse (thanks in part to having contacts in the defence industry) that they don’t want to risk expensive lawsuits and the loss of reputation if a vulnerability is exploited.

A lot of bigger organizations now work this way. We’ve all seen what has happened to organizations that have had significantly security breaches, and it’s not pretty. Our customers are big corporations and government entities — and if they even sniff a risk there are going to be problems. So if there is an unpatched exploit, we’re expected to either switch to something comparable, or DIY a solution (either replacing the library in question, or potentially patching it ourselves).

If ffmpeg allows known and published vulnerabilities to languish, the risk here is that organizations that use their code will simply stop using it and will look for other solutions. That’s a tough pill for an Open Source Software developer to swallow, especially when they make it as big and important as ffmpeg. You might wind up in a situation where an entity like Google forks your code and takes ownership, and eventually gets everyone to migrate to using their version instead (like what they did with WebKit to Chrome), leaving you sidelines. Or maybe someone else jumps in with a compatible solution that works well enough for enough users that they switch to that instead.

Now in an ideal world, the Google’s of this world would not only submit a CVE but would also submit a patch. Having been an OSS developer myself I’ve always encouraged my staff if they find a bug in a piece of software we use to file a bug report and ideally a patch if they know how to patch the issue correctly — but I know that is hardly universal within our organization, and probably even less so elsewhere.

TL;DR: a lot of OSS success relies on having lots of users, or at least some big and important users. But you risk losing those if you leave CVE’s open for too long, as company policies may require scrapping software with unfixed CVEs. That loss of users and reputation is dangerous for an OSS project — it’s how projects get supplanted, either by a fork or by a new (and similar) project.

Yaz

Comment But that is everything (Score 2) 92

as long as the topic is not controversial and political.

The problem is that the Wiki mods are VERY VERY biased. Not just a little. I have run into this personally just trying to make very simple edits. They would not accept simple facts that I had backup sources for.

This was just for movie credits for an actress that at some point had turned conservative...

So for anything political, Wikipide will be factually wrong, sometimes (or often) egregiously so.

But that's ok if it's only for political content right???

But there's the trouble you see. It affects what is political TO THEM in ways you cannot comprehend, so ANY page might be touched by the corruption of the Wikipedia moderator biases. I wouldn't think a simply actress filmography would be affected yet it was. No visitor other than that page would ever know it was inaccurate or incomplete.

So you can trust absolutely nothing from Wikipedia without extensive checking of what facts they refuse to list. Which makes the entire body of work garbage - I have not used it for years now.

Slashdot Top Deals

To the systems programmer, users and applications serve only to provide a test load.

Working...