FFmpeg to Google Fund Us or Stop Sending Bugs: https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/ by @sjvn

The clash between small, volunteer-driven open-source projects such as FFmpeg and the billion-dollar companies built on their work, which demand rapid security patches, is heating up.

FFmpeg to Google: Fund Us or Stop Sending Bugs

A lively discussion about open source, security, and who pays the bills has erupted on Twitter.

The New Stack

@sjvn I think it's unclear what's preventing ffmpeg devs from just ignoring these bug reports.

Like, if GPZ were to publish the details of an unfixed vuln in a rarely-used feature of ffmpeg, there shouldn't be much impact on real users, most of the pain would be with the CVE-obsessed corpos that use ffmpeg in their products, right?

@wolf480pl @sjvn I'd guess there's a lot of CVE-obsessed corpos, so it amplifies the spam about useless CVEs.
After all, there's often the box-ticking thing of "Zero known CVEs with this version number", which is bullshit, but that's corporate for you.

@lanodan @sjvn
Right, so they'd have to survive a wave of corpos asking about the CVE and tell all of them to send a patch or gtfo....

Maybe they could create an issue on their issue tracker with the details of the vuln, and info why it's not a priority and that they lack resources to fix it.

Then send all the angry corpos a link to that issue, and disable notifications.

@lanodan @sjvn
I see three possible outcomes:
- the corpos eventually make a patch
- the corpos fork ffmpeg
- the corpos remove ffmpeg from all of their products

I don't think any of those would be tragic, though getting there might be painful :/

@lanodan @sjvn
Oh, also I don't blame corpos for having a "zero unfixed CVEs" policy for the simple reason that CVE metadata is not sufficient to effectively filter out things that don't affect you.

@wolf480pl @sjvn Well, it means they have to read and understand what's in the CVE, which can sometimes be hard, but that's also why support companies (RedHat, Freexian, …) exist.

@lanodan @sjvn
is there one for PyPI?

@wolf480pl @sjvn PyPI specifically is kind of weird (you'd want to cover the whole stack), but there probably is; I barely do Python.

@lanodan @sjvn
ok but like

Assume I have an OS that has unattended security updates.

And I run a web backend written in python on that host.

And it has requirements.txt

And I create a virtualenv and venv/bin/pip install -r requirements.txt before running my backend.

And I want someone to go through requirements.txt, and find all libs that have vulns, and go through my code, see how I use those libs, and tell me which I need to update.

@lanodan (and also you can assume the database is managed by someone else (AWS) and the web frontend is untrusted anyway, or maybe even has no javascript)
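The first half of the wish in the post above (go through requirements.txt and find the libs that have vulns) is mechanical, and this added example shows what that step looks like; it is not code from the thread, from FFmpeg, or from any support company named in it. It parses exact pins from a constructed requirements.txt, compares them against a constructed advisory list with version ranges (the advisories, package names and notes are made up for illustration; real data would come from a database such as OSV), and reports which pins fall inside an affected range. Unpinned entries are reported separately because no range check can be made without first resolving the installed version. The second half of the wish, reading the code to see whether the vulnerable path is actually reached, is the part the thread says needs a human, and this script does not attempt it.

```python
"""Check pinned requirements.txt entries against a small advisory list.

Added example, not from the thread or any project it names.  All sample
data below is constructed for illustration.
"""
import re

# Constructed requirements.txt for a small web backend (not a real project).
SAMPLE_REQUIREMENTS = """\
# web backend dependencies
flask==2.0.1
requests==2.31.0
Pillow==9.0.0
cryptography>=3.0   # a range, not a pin: cannot be assessed against advisories
PyYAML==5.4.1
"""

# Constructed advisories: (package, affected version range, note).
# The identifiers and descriptions are hypothetical.
SAMPLE_ADVISORIES = [
    ("pillow", "<9.0.1", "hypothetical advisory A: image parser bug"),
    ("pyyaml", "<5.4", "hypothetical advisory B: unsafe loader default"),
    ("flask", ">=2.0.0,<2.0.2", "hypothetical advisory C: cookie handling bug"),
]


def normalize_name(name):
    """PyPI-style name normalisation: case-insensitive, -/_/. are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(s):
    """'2.0.1' -> (2, 0, 1).  Numeric dotted versions only."""
    return tuple(int(p) for p in s.split("."))


def _cmp(a, b):
    """Compare two version tuples, padding with zeros so 2.0 == 2.0.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


OPS = {
    ">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
    ">": lambda c: c > 0, "<": lambda c: c < 0,
}


def in_range(version, spec):
    """True if version satisfies every clause of spec, e.g. '>=1.0,<1.2'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*(\d+(?:\.\d+)*)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        if not OPS[m.group(1)](_cmp(v, parse_version(m.group(2)))):
            return False
    return True


def parse_requirements(text):
    """Return ({normalised name: pinned version}, [names without an exact pin])."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith("-"):     # skip pip options like -r/-e
            continue
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\d+(?:\.\d+)*)", line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
        else:
            name = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line).group(0)
            unpinned.append(normalize_name(name))
    return pins, unpinned


def find_vulnerable(pins, advisories):
    """Return [(package, pinned version, note)] for pins inside an affected range."""
    hits = []
    for name, spec, note in advisories:
        version = pins.get(normalize_name(name))
        if version is not None and in_range(version, spec):
            hits.append((name, version, note))
    return hits


def report(text, advisories):
    """Human-readable lines: what to update, and what could not be assessed."""
    pins, unpinned = parse_requirements(text)
    lines = [f"UPDATE  {n}=={v}: {note}" for n, v, note in find_vulnerable(pins, advisories)]
    lines += [f"CHECK   {n}: no exact pin, resolve the installed version first" for n in unpinned]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(line)
```

Running it on the constructed input flags flask and Pillow for update, leaves PyYAML alone (5.4.1 is outside the `<5.4` range), and lists cryptography as something that has to be checked after resolving what pip actually installed. What it cannot say is whether the backend ever calls into the affected code, which is exactly the judgement the post is asking someone to make.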
@wolf480pl @sjvn Except quite a lot of Python projects (even more common since the Rust rewrite craze) have code and dependencies which aren't just purely Python.

Python isn't an OS, it's just one language in a big stack.

@lanodan @sjvn
right, but those are usually compiled by pip still?

Like you install build-essentials on the host OS, and then pip will take care of compiling all the rust code?

@wolf480pl @sjvn build-essentials is for C code, while Rust is pretty much exclusively through cargo and not part of the distro libraries.

@lanodan
do I have to install it manually, or does pip call cargo under the hood?