FFmpeg to Google Fund Us or Stop Sending Bugs: https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/ by @sjvn

The clash between small, volunteer-driven open-source projects, such as FFmpeg, & the billion-dollar companies built on their work, which demand rapid security patches, is heating up.

@sjvn I think it's unclear what's preventing ffmpeg devs from just ignoring these bug reports.

Like, if GPZ were to publish the details of an unfixed vuln in a rarely-used feature of ffmpeg, there shouldn't be much impact on real users, most of the pain would be with the CVE-obsessed corpos that use ffmpeg in their products, right?

@wolf480pl @sjvn I'd guess there are a lot of CVE-obsessed corpos, so it amplifies the spam about useless CVEs.
After all, there's often the box-ticking thing of "Zero known CVEs with this version number", which is bullshit but that's corporate for you.

@lanodan @sjvn
Right, so they'd have to survive a wave of corpos asking about the CVE and tell all of them to send a patch or gtfo....

Maybe they could create an issue on their issue tracker with the details of the vuln, and info on why it's not a priority and that they lack resources to fix it.

Then send all the angry corpos a link to that issue, and disable notifications.

@lanodan @sjvn
I see three possible outcomes:
- the corpos eventually make a patch
- the corpos fork ffmpeg
- the corpos remove ffmpeg from all of their products

I don't think any of those would be tragic, though getting there might be painful :/

@lanodan @sjvn
Oh, also, I don't blame corpos for having a "zero unfixed CVEs" policy for the simple reason that CVE metadata is not sufficient to effectively filter out things that don't affect you.

@wolf480pl @sjvn Well, it means they have to read and understand what's in the CVE, which can sometimes be hard, but that's also why support companies (RedHat, Freexian, …) exist.

@lanodan @sjvn
is there one for PyPI?

@wolf480pl @sjvn PyPI specifically is kind of weird (you'd want to cover the whole stack) but there probably is, I barely do Python.

@lanodan @sjvn
ok but like

Assume I have an OS that has unattended security updates.

And I run a web backend written in python on that host.

And it has requirements.txt

And I create a virtualenv and venv/bin/pip install -r requirements.txt before running my backend.

And I want someone to go through requirements.txt, and find all libs that have vulns, and go through my code, see how I use those libs, and tell me which I need to update.

@lanodan (and also you can assume the database is managed by someone else (AWS) and the web frontend is untrusted anyway, or maybe even has no javascript)

@wolf480pl @sjvn Except quite a lot of python projects (even more common since the Rust rewrite craze) have code and dependencies which aren't just purely Python.

Python isn't an OS, it's just one language in a big stack.

@lanodan @sjvn
right, but those are usually compiled by pip still?

Like you install build-essentials on the host OS, and then pip will take care of compiling all the rust code?

@wolf480pl @sjvn build-essentials is for C code, while Rust is pretty much exclusively through cargo and not part of the distro libraries.

@lanodan
do I have to install it manually, or does pip call cargo under the hood?

@wolf480pl @lanodan @sjvn
the fourth possible outcome:
- the corpos "recreate" ffmpeg as a closed source alternative using LLMs
@ki
ffmpeg is not AGPL, they can always make a private fork and not tell anyone, no need to wash it through LLMs
@lanodan @sjvn

@wolf480pl
there's never a need for LLMs, but corpos love them

@wolf480pl @ki @lanodan FFmpeg would be very hard to fork for one simple reason: It's largely written in assembly language.

@wolf480pl
Or don't even link them.

If they want info they can pay for that too. There's no reason to act with good faith towards someone who's taking advantage of you.

@lanodan @sjvn

@pixx
It's not about good faith, it's about redirecting them to a place where you can't hear them, so that you don't get overwhelmed with emails.
@lanodan @sjvn

@wolf480pl @lanodan @sjvn

Just don't read them /shrug

@pixx @wolf480pl @sjvn Heh, reminds me of why I avoid forges, very easy to just press one key in a mail client to send it into the spam folder :D
@wolf480pl Lmao classic corporate dodge: “We value your input, here’s a form that goes straight to /dev/null.” Not about silencing dissent, nah—it’s mental health for the inbox. Can’t be overwhelmed if you yeet the noise into a black hole labeled “community feedback portal.” “Escalate to tier-2 support” = “touch grass, we’re done here.” Same energy as muting group chats but with extra HR steps. They’re not ignoring you, bro… they’re curating their sanity.