mmastrac, a day ago:

Reading the ffmpeg twitter account is enough to turn me off using ffmpeg. It's a shame there's no real alternative -- the devs seem very toxic. I mean sure, max performance is great if you control every part of your pipeline, but if you're accepting untrusted data from users-at-large ffmpeg has at least a half-dozen remotely exploitable CVEs a year. Better make sure your sandbox is tight. https://ffmpeg.org/security.html I feel like there's a middle ground where everyone works towards a secure and fast solution, rather than whatever position they've staked out here.
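On the "make sure your sandbox is tight" point, an added illustration that is not part of the thread: a Python wrapper that runs an ffmpeg transcode of an untrusted file under kernel resource limits and a wall-clock timeout, plus a probe that confirms the memory cap is actually enforced before you rely on it. The ffmpeg flags are real options; the limit values and the helper names are assumptions.

```python
import resource
import subprocess
import sys

# Assumed defaults; tune them for the real workload.
MAX_ADDRESS_SPACE = 512 * 1024 * 1024  # virtual memory cap for the decoder
MAX_CPU_SECONDS = 30                   # a decode bomb burns CPU, not wall clock
MAX_OUTPUT_BYTES = 256 * 1024 * 1024   # largest file the decoder may write
WALL_CLOCK_SECONDS = 60                # kill a stalled decoder regardless of CPU


def apply_limits(address_space=MAX_ADDRESS_SPACE):
    """Runs in the child between fork and exec: cap memory, CPU and output
    size, forbid spawning further processes, and suppress core dumps."""
    resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))
    resource.setrlimit(resource.RLIMIT_CPU, (MAX_CPU_SECONDS, MAX_CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_FSIZE, (MAX_OUTPUT_BYTES, MAX_OUTPUT_BYTES))
    resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def decode_command(input_path, output_path):
    """ffmpeg invocation for an untrusted file: no interactive stdin, quiet logs."""
    return ["ffmpeg", "-nostdin", "-hide_banner", "-loglevel", "error",
            "-y", "-i", input_path, output_path]


def run_limited(argv, address_space=MAX_ADDRESS_SPACE):
    """Run argv under the limits with a minimal environment.
    Returns (returncode, stderr); returncode is None on wall-clock timeout."""
    try:
        proc = subprocess.run(
            argv, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
            stderr=subprocess.PIPE, env={"PATH": "/usr/bin:/bin"},
            preexec_fn=lambda: apply_limits(address_space),
            timeout=WALL_CLOCK_SECONDS)
    except subprocess.TimeoutExpired:
        return None, b"wall-clock timeout"
    return proc.returncode, proc.stderr


def memory_cap_probe(address_space, request_bytes):
    """Check that the cap bites: a child Python maps request_bytes anonymously
    and exits 0 on success, non-zero when the kernel refuses the mapping."""
    code = "import mmap; mmap.mmap(-1, %d)" % request_bytes
    rc, _ = run_limited([sys.executable, "-c", code], address_space)
    return rc


if __name__ == "__main__":
    # usage: python wrapper.py untrusted.mkv out.mp4
    print(run_limited(decode_command(sys.argv[1], sys.argv[2])))
```

Resource limits only bound the damage from a crashing or runaway decoder; keeping it away from the network and the rest of the filesystem (a container, seccomp, or a tool such as bubblewrap) is the separate layer the post calls the sandbox.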

saagarjha, 14 hours ago (replying to mmastrac):

Yeah, it used to be funny the first few times, then they fell into the trap of having a Twitter "personality" and now it's just annoying

renewiltord, 4 hours ago (replying to saagarjha):

This is so true. They got a following and like many who suddenly get some sort of niche fame, they reoriented to serve the audience and it hasn't improved anything. The greatest damage that popularity does to many is that they lose themselves in the desire to hold on to it.

izacus, a day ago (replying to mmastrac):

I've worked with ffmpeg for literally a decade and I've never found them particularly toxic. What I have found is that they (as many others who do great work) have very little tolerance for random junior language fanboys criticizing their decades of work without even understanding what they're talking about and constantly throwing out silly rewrite ideas.

mmastrac, a day ago (replying to izacus):

I'm not saying that they don't do great work, but that twitter thread (https://x.com/ffmpeg/status/1924137645988356437) is pretty obnoxious and reads like they are upset they didn't get funding. It's entirely possible that they are just difficult to work with and funders _don't_ want to fund them.

"Because substantial amounts of human and financial resources go into these rust ports that are inferior to the originals. Orders of magnitude more resources than the originals which remain extremely understaffed/underfunded." -- https://x.com/FFmpeg/status/1924149949949775980

"... And we get this instead: <xz backdoor subtweet>" -- https://x.com/FFmpeg/status/1924153020352225790

"They [rust ports] are superior in the same way Esperanto is also superior to English." -- https://x.com/FFmpeg/status/1924154854051557494

It's kind of sad to see that snarky attitude. Clearly the corporate sponsors _want_ a more secure decoder. Maybe they should try and work _with_ the system instead of wasting energy on sarcasm on Twitter?

hitekker, 14 hours ago (replying to izacus):

You're right; this happens a lot. The SQLite folks, half of Linux, and other maintainers have encountered the same kind of zealotry. Dealing with language supremacism is annoying and I don't blame ffmpeg for venting. In fact, I'd even say that twitter thread is informative, because it demonstrates how big tech fund their own pet projects over the actual maintainers.

oguz-ismail, 19 hours ago (replying to mmastrac):

> Reading the ffmpeg twitter account is enough to turn me off using ffmpeg.

What's the alternative?

mmastrac, 8 hours ago (replying to oguz-ismail):

There is not much, unless you're working with AV1. rav1d is the alternative there but you've got to trade off some performance for security gains. ffmpeg is a monopoly in the space which means that you either take the exact set of tradeoffs they offer, or... well, you have no alternatives, so take it. Of course the alternatives are never going to be as good as the originals until they've had more effort put into them. It took _years_ until the Rust gzip/zip libraries surpassed the C ones while being more secure overall.

throwaway94487, a day ago (replying to mmastrac):

How many of those "remotely exploitable CVEs" have actually been exploited in the wild? Quite a few are denial-of-service and memory leak CVEs too, which Rust doesn't consider to be unsafe.