upvote

points

by simjnd11 hours ago |
comments
upvoteby LegionMammal9788 hours ago|
next
[-]
On the other hand, there's been an endless parade of recent posts from other FOSS maintainers saying "we don't want your drive-by PRs": it's not hard to see people getting dissuaded from the whole dance of determining whether a project is receptive at all, then whether it has a reasonable number of hoops for outsiders to jump through.

Now, personally, when I file a bug report for a FOSS project I like to suggest an underlying cause and fix if I can figure it out, but I more rarely just submit a PR outright.

reply
upvoteby ftchd7 hours ago|
parent|
next
[-]
If I have to choose between no PR and a "drive-by PR" where the author doesn't understand the changes to have a discussion, or isn't available to do changes and expects me to "take it from there", then I'd much rather go with "no PR" for the sake of everyone.
reply
upvoteby sph5 hours ago|
parent|
prev|
next
[-]
On the third hand, pestering and shaming open-source maintainers because they don't accept your PR is how you get the XZ backdoor situation.
reply
upvoteby xboxnolifes4 hours ago|
parent|
prev|
[-]
There is a different dynamic between this and that.
reply
upvoteby codedokode9 hours ago|
prev|
[-]
If there are so many vulnerabilities, should not they change approach to development, for example, use memory-safe languages, static analysis, do not use dubious "hacks" that break it?
reply
upvoteby ivanjermakov9 hours ago|
parent|
next
[-]
Memory safety and critical performance rarely go together. Big chunk of FFmpeg is written in assembly to sqweeze most hardware performance.

https://news.ycombinator.com/item?id=43140614

reply
upvoteby IshKebab7 hours ago|
parent|
[-]
Sure but it seems like most of these vulnerabilities are being found in the C code.
reply
upvoteby cryo329 hours ago|
parent|
prev|
[-]
No. They tried that with coreutils and look what happened. More CVEs.

99% of what I throw though ffmpeg is trusted i.e. I created it. It’s not a major risk.

reply
upvoteby acdha9 hours ago|
parent|
next
[-]
coreutils was a category error: they took a set of tools which were not very exposed to memory safety errors and rewrote them in a language which does nothing to prevent the kind of logic errors coreutils has suffered from (mostly races around file operations). It’s like complaining that an airbag didn’t save you after driving into a lake.

In contrast, ffmpeg is exactly the sweet spot for a memory-safe language with those complex decoders operating on data which is often untrusted. I wouldn’t suggest a project of that scale lightly but it’s at least a near-perfect fit on the problem domain.

reply
upvoteby anoneng8 hours ago|
parent|
next
[-]
I would say it’s the opposite. coreutils is core utils, you cannot write shell scripts without them, they are widely and almost unavoidably used in trusted environments. They are also relatively simple.

With ffmpeg, anyone who knows anything about secure application development in the past 20 years knows that it is a huge security tarpit and throwing it untrusted inputs in trusted environment is asking to be owned. You thoroughly sandbox that shit. That’s true for all untrusted media conversion, but absolutely with ffmpeg.

reply
upvoteby zahlman5 hours ago|
parent|
[-]
> you cannot write shell scripts without them, they are widely and almost unavoidably used in trusted environments.

True.

That doesn't make them "very exposed to memory safety errors".

reply
upvoteby krageon8 hours ago|
parent|
prev|
next
[-]
The coreutils rewrite was shit because of the license change. Most of the other founding ideas were also bad as you say, but the license change was absolutely a much worse signal. Just a bunch of people rolling over and showing big corps their belly. And for what? So they can be more exploited by people that treat them like cattle.
reply
upvoteby IshKebab7 hours ago|
parent|
prev|
[-]
Rust does not do "nothing" to prevent logic errors. On the contrary, its strong type system makes them much less likely than in C.

Also security isn't the only reason to prefer Rust to C.

But I do agree ffmpeg would see a much bigger benefit from being written in Rust.

reply
upvoteby codedokode9 hours ago|
parent|
prev|
[-]
In case with coreutils, as I remember, there were mostly race conditions. Not memory safety issues. Maybe we just need better I/O libraries.
reply
upvoteby uecker7 hours ago|
parent|
[-]
Or use a buffer abstraction in C. This is not exactly rocket science. The "this is impossible to prevent in C" nonsense does far more harm than good.
reply
upvoteby shermantanktop3 hours ago|
parent|
next
[-]
Errors are easily found and corrected for a modest one-person project in C.

But we’re combining probability of error creation (which is effectively constant) and the limits of human cognition.

Some things are impossible at one scale, become possible at another, and become inevitable at yet another.

reply
upvoteby codedokode5 hours ago|
parent|
prev|
[-]
To be fair, C is a pain to use, so it is better to improve Rust. It is annoying when for example, you have to free several allocated structures when there is an error in the middle of a functon.
reply
upvoteby uecker4 hours ago|
parent|
[-]
I personally like to use C and find Rust annoyingly complex. I think it may be an alternative to C++, but C++ is also too complex for my taste. I do not find it annoying to free several allocated structures when there is an error, but one could also automate this with a often used extension.

There is also the question whether trading memory safety against supply chain risks is really worth it.

reply