renewiltord a day ago

Oh this stuff is what’s prompting the ffmpeg Twitter account to make a stand against Rust https://x.com/ffmpeg/status/1924137645988356437?s=46

ZeroGravitas 12 hours ago | parent | next [-]

I generally trust rbultje to benchmark correctly but the rav1d tracking ticket has multithread numbers across multiple platforms that don't show that big a difference.

https://github.com/memorysafety/rav1d/issues/1294

Is that explained in replies? I only see the original tweet as I'm not logged in.

viraptor 25 minutes ago | parent | next [-]

Change it to xcancel for access. https://xcancel.com/ffmpeg/status/1924137645988356437?s=46

renewiltord 7 hours ago | parent | prev [-]

No. The replies are just language war stuff.

mmastrac a day ago | parent | prev | next [-]

Reading the ffmpeg twitter account is enough to turn me off using ffmpeg. It's a shame there's no real alternative -- the devs seem very toxic.

I mean sure, max performance is great if you control every part of your pipeline, but if you're accepting untrusted data from users-at-large ffmpeg has at least a half-dozen remotely exploitable CVEs a year. Better make sure your sandbox is tight.

https://ffmpeg.org/security.html

I feel like there's a middle ground where everyone works towards a secure and fast solution, rather than whatever position they've staked out here.

saagarjha 13 hours ago | parent | next [-]

Yeah, it used to be funny the first few times, then they fell into the trap of having a Twitter "personality" and now it's just annoying.

renewiltord 2 hours ago | parent [-]

This is so true. They got a following and like many who suddenly get some sort of niche fame, they reoriented to serve the audience and it hasn't improved anything. The greatest damage that popularity does to many is that they lose themselves in the desire to hold on to it.

izacus a day ago | parent | prev | next [-]

I've worked with ffmpeg for literally a decade and I've never found them particularly toxic.

What I have found is that they (as many others who do great work) have very little tolerance of random junior language fanboys criticizing their decades of work without even understanding what they're talking about and constantly throwing out silly rewrite ideas.

hitekker 12 hours ago | parent | next [-]

You’re right; this happens a lot.

The SQLite folks, half of Linux, and other maintainers have encountered the same kind of zealotry. Dealing with language supremacism is annoying and I don’t blame ffmpeg for venting.

In fact, I’d even say that twitter thread is informative, because it demonstrates how big tech fund their own pet projects over the actual maintainers.

mmastrac a day ago | parent | prev [-]

I'm not saying that they don't do great work, but that twitter thread (https://x.com/ffmpeg/status/1924137645988356437) is pretty obnoxious and reads like they are upset they didn't get funding. It's entirely possible that they are just difficult to work with and funders _don't_ want to fund them.

"Because substantial amounts of human and financial resources go into these rust ports that are inferior to the originals. Orders of magnitude more resources than the originals which remain extremely understaffed/underfunded." -- https://x.com/FFmpeg/status/1924149949949775980

"... And we get this instead: <xz backdoor subtweet>" -- https://x.com/FFmpeg/status/1924153020352225790

"They [rust ports] are superior in the same way Esperanto is also superior to English." -- https://x.com/FFmpeg/status/1924154854051557494

It's kind of sad to see that snarky attitude. Clearly the corporate sponsors _want_ a more secure decoder. Maybe they should try and work _with_ the system instead of wasting energy on sarcasm on Twitter?

oguz-ismail 18 hours ago | parent | prev | next [-]

>Reading the ffmpeg twitter account is enough to turn me off using ffmpeg.

What's the alternative?

mmastrac 7 hours ago | parent [-]

There is not much, unless you're working with AV1. rav1d is the alternative there but you've got to trade off some performance for security gains.

ffmpeg is a monopoly in the space which means that you either take the exact set of tradeoffs they offer, or... well, you have no alternatives, so take it.

Of course the alternatives are never going to be as good as the originals until they've had more effort put into them. It took _years_ until the Rust gzip/zip libraries surpassed the C ones while being more secure overall.

throwaway94487 a day ago | parent | prev [-]

How many of those "remotely exploitable CVEs" have actually been exploited in the wild? Quite a few are denial-of-service and memory leak CVEs too, which Rust doesn't consider to be unsafe.

saagarjha 13 hours ago | parent [-]

More than enough are exploitable for this to be a problem.

tialaramex a day ago | parent | prev [-]

The healthier response might have been work to speed up dav1d. If you refine the Olympic Record metrics and force them to retrospectively update previous records so that Bolt's 100m sprint record is revised to 9.64s rather than 9.63s, nobody cares man, get a life, but if you can run an actual nine second 100 metre sprint that people care about†

† If you're a human. If you're an ostrich this is not impressive, but on the whole ostriches aren't competing in the Olympic 100 metre sprint.