| ▲ | loeg 7 hours ago |
| They're also extremely hostile to security researchers who report these issues. |
|
| ▲ | insanitybit 6 hours ago | parent | next [-] |
| https://x.com/ffmpeg/status/2039115531744334180?s=46&t=qCSkw... Security is the punch line for ffmpeg. |
| |
| ▲ | grahamjperrin 6 hours ago | parent | next [-] | | I'm glad to see their sense of humour :-) https://nitter.net/ffmpeg/status/2039115531744334180 | | |
| ▲ | KPGv2 4 hours ago | parent [-] | | > Assembly is a human readable version of machine code. It's exactly the same. goddamn, and this is a project that prides itself on having hand-written assembly in it | | |
| ▲ | breppp 2 hours ago | parent [-] | | There's certainly assembly that maps directly to the machine language bytes, I assume you are talking about the version of assembly with the high level loop macros | | |
| ▲ | rcbdev an hour ago | parent [-] | | In some circles, High Level Assembly (HLA) is lovingly called "Mainframe Assembly". |
|
|
| |
| ▲ | stackghost an hour ago | parent | prev | next [-] | | In their defense, the "rewrite it in rust" crowd can be really grating. | |
| ▲ | hootz 6 hours ago | parent | prev | next [-] | | Oh my god! They are so funny and memeable! gets RCE'd | |
| ▲ | KPGv2 4 hours ago | parent | prev [-] | | Apr Fools Day really is the shittiest day to be online. For one thing, practical jokes/pranks are just gussied-up asshole behavior. For another thing, nerds generally SUCK at information-delivery pranks, which is what the Internet is full of on Apr 1. |
|
|
| ▲ | lkt 3 hours ago | parent | prev | next [-] |
| The guy running the Twitter account is incompetent but the actual devs are a lot saner I think. I agree it reflects poorly on them though. |
|
| ▲ | grahamjperrin 6 hours ago | parent | prev | next [-] |
| > … hostile to security researchers who report these issues. Do you have an example? |
| |
| ▲ | lukaslalinsky 2 hours ago | parent | next [-] | | I don't have an example, but I know the pattern. You are working on your software, security researcher finds a bug, it's in your project, for you it's just another bug, but for them it's a point on their CV, so they make a theater about it, and expect priority in dealing with it. It must get tiring if you get many of these. | |
| ▲ | naturalmovement 5 hours ago | parent | prev [-] | | I have numerous examples of security researchers being hostile and impossible to work with (but cannot share them unfortunately). |
|
|
| ▲ | duped 3 hours ago | parent | prev [-] |
| One dude running an X account is not indicative of a community to be honest. That said, that dude has a point. "Researchers" chasing clout with their names attached to CVEs is kind of ridiculous. Half these CVEs are missing bounds checks that can be fixed with a patch in as much effort as writing up the blog post announcing that there was a missing bounds check. |
| |
| ▲ | boomlinde 3 hours ago | parent [-] | | I guess that the perceived problem from a security perspective is that they're there, not that they're necessarily hard to fix once found. |
|