Want to wade into the sandy surf of the abyss? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful you’ll near-instantly regret.

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cut’n’paste it into its own post — there’s no quota for posting and the bar really isn’t that high.

The post Xitter web has spawned soo many “esoteric” right wing freaks, but there’s no appropriate sneer-space for them. I’m talking redscare-ish, reality challenged “culture critics” who write about everything but understand nothing. I’m talking about reply-guys who make the same 6 tweets about the same 3 subjects. They’re inescapable at this point, yet I don’t see them mocked (as much as they should be)

Like, there was one dude a while back who insisted that women couldn’t be surgeons because they didn’t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can’t escape them, I would love to sneer at them.

(Credit and/or blame to David Gerard for starting this.)

  • Sailor Sega Saturn@awful.systems · 12 points · edited · 1 day ago

    NotAwfulTech and AwfulTech converged with some ffmpeg drama on twitter over the past few days starting here and still ongoing. This is about an AI generated security report by Google’s “Big Sleep” (with no corresponding Google authored fix, AI or otherwise). Hackernews discussed it here. Looking at ffmpeg’s security page there have been around 24 bigsleep reports fixed.

    ffmpeg pointed out a lot of stuff along the lines of:

    • They are volunteers
    • They don't have enough money
    • Certain companies that do use ffmpeg and file security reports also have a lot of money
    • Certain ffmpeg developers are willing to enter consulting roles for companies in exchange for money
    • Their product has no warranty
    • Reviewing LLM generated security bugs royally sucks
    • They’re really just in this for the video codecs more so than treating every single Use-After-Free bug as a drop-everything emergency
    • Making the first 20 frames of certain Rebel Assault videos slightly more accurate is awesome
    • Think it could be more secure? Patches welcome.
    • They did fix the security report
    • They do take security reports seriously
    • You should not run ffmpeg “in production” if you don’t know what you’re doing.

    All very reasonable points but with the reactions to their tweets you’d think they had proposed killing puppies or something.

    A lot of people seem to forget this part of open source software licenses:

    BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW

    Or that venerable old C code will have memory safety issues for that matter.

    It’s weird that people are freaking out about some UAFs in a C library. This should really be dealt with in enterprise environments via sandboxing / filesystem containers / aslr / control flow integrity / non-executable memory enforcement / only compiling the codecs you need… and oh gee a lot of those improvements could be upstreamed!
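Added example, not from the comment above and not ffmpeg project code: a small Python checker that reads the ELF program headers of a binary and reports the three build-time mitigations the comment names (ASLR via a position-independent image, a non-executable stack, and RELRO). It assumes a little-endian ELF64 file; sandboxing and control flow integrity are not visible in the headers and are out of scope. The sample images in the block are constructed in-line so it runs without an ffmpeg build to hand.

```python
"""Report ASLR/NX/RELRO status of a little-endian ELF64 image from its program headers."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 header, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header, 56 bytes


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_phentsize != struct.calcsize(PHDR_FMT):
        raise ValueError("unexpected program header entry size")
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def hardening_report(data):
    """Summarise which loader-level mitigations this image will actually get."""
    e_type, phdrs = parse_program_headers(data)
    types = {p_type: p_flags for p_type, p_flags in phdrs}
    return {
        # ET_DYN with a dynamic segment: the code itself can be loaded at a random base (ASLR)
        "pie": e_type == ET_DYN and PT_DYNAMIC in types,
        # No PT_GNU_STACK means an executable stack on classic Linux; PF_X set means explicitly so
        "nx_stack": PT_GNU_STACK in types and not (types[PT_GNU_STACK] & PF_X),
        # PT_GNU_RELRO lets the loader make the relocated GOT region read-only (partial RELRO;
        # full RELRO additionally needs DT_BIND_NOW in .dynamic, which is not parsed here)
        "relro": PT_GNU_RELRO in types,
    }


def build_elf(e_type, phdrs):
    """Construct a minimal ELF64 image (header + program headers only). Test data, not a real binary."""
    phoff = struct.calcsize(EHDR_FMT)
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0, 0]) + b"\0" * 7
    header = struct.pack(EHDR_FMT, ident, e_type, 62, 1, 0, phoff, 0, 0,
                         phoff, struct.calcsize(PHDR_FMT), len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python elf_hardening.py /path/to/ffmpeg
        with open(sys.argv[1], "rb") as fh:
            print(hardening_report(fh.read()))
    else:
        # Constructed samples: a hardened PIE with RW stack and RELRO, and a legacy RWX-stack executable
        hardened = build_elf(ET_DYN, [(PT_DYNAMIC, 0), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
        legacy = build_elf(ET_EXEC, [(PT_GNU_STACK, 7)])
        print("hardened:", hardening_report(hardened))
        print("legacy:  ", hardening_report(legacy))
```

Point it at the ffmpeg binary (or libavcodec shared object) you actually deploy rather than trusting the distro's build flags; a False in any field means the corresponding mitigation from the comment's list is simply not in effect for that process, whatever the compiler was asked to do.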