/g/ - Technology

File: 1762215687066.png (6 KB, 547x365)
Why is ffmpeg shitting the bed so hard because a security researcher found a vulnerability and asked for a timeline for a fix / public disclosure?
https://x.com/FFmpeg/status/1985502118078202177

Is ffmpeg backdoored?
>>
SAARS, may we redeem a source that is no twitters anus? doing the needful benc hood and all that.
>>
>>107097429
Just sounds like it's another case of an opensource project letting an unhinged noncoder retard run their social media.
>>
>>107097429
>You're a very cruel man.
kek
>>
>>107097429
The real blackpill is realizing that ffmpeg only really provides software decoders, everything else is just wrapping other libraries.
>>
>>107097618
this and the GPU accelerated ones balloon the filesize
>>
>>107097618
ffmpeg provides muxing and demuxing. The only comparable program I can think of is mkvtoolnix and even that's only for .mkv files
>>
not related to project, no patch
>fix this shit ASAP
>how long until it's fixed?
>people are getting hacked right now
telling him to fuck off isn't that unreasonable
>>
The ffmpeg fag Twitter is clearly in the wrong here. It's standard practice in security research to do responsible disclosure privately and then set a deadline to release details publicly. This isn't a malicious thing. Security researchers live and die on their portfolios. Telling him never to release details is like telling him to quit his job.
>>
>>107097899
Cool story, Tavis.
>>
>>107097429
>Is ffmpeg backdoored?
Ye bro someone will backdoor your PC while you convert that sick 360 no scope clip to post it on /v/
>>
>>107097429
love how sensitive the ffmpeg devs are (or whoever is behind the twatter account)
imagine making yourself responsible for maintaining some software (even if it's for free), and then complaining about someone who comes telling you that you should follow standard procedure when mitigating vulnerabilities in the software you made yourself responsible for.

developers are such crybabies and snowflakes.
>>
>>107097471
>tech illiterate zogduke (and other e-celebs) and their tech illiterate "followers" still don't know who operates @ffmpeg, although it's trivial to figure that out
lmao
this is one of the funniest side stories in the last two weeks. it should be logically impossible to be >100% wrong about something (or someone), but /g/eetoids and the general e-celeb scene manage it with ease everyday.
>>
>>107098842
The problem is that Google is flooding their bugtracker with issues made by AI for some codecs that no one has used in 20 years. But then again they could just tell them to fuck off or submit their own fixes.
>>
>>107099512
>The problem is that Google is flooding their bugtracker with issues made by AI for some codecs that no one has used in 20 years
from what I read on twatter, taviso claims that these vulns are being exploited. so, who is wrong here?
>>
>>107097429
I fucking love the ffmpeg twitter
>>
If a vulnerability exists, and ffmpeg is unwilling to do anything about it then the only responsible thing to do is disclose it publicly so people can mitigate it themselves
>>
maybe they should've thought about that before building their entire infrastructure around a hacky opensource tool. I'd tell him to put on a dress and rewrite it in rust himself
>>
>>107100173
Or they can just fix the problems on their internal fork and stop disclosing anything because it's obviously a waste of time.
>>
>>107097551
>>107097429
what is a pipeline?
k, thanks
you can fuck off now, we may patch it when we get around to it
don't like it? fuck off.
better yet, fuck off and do it yourself.
>>
>>107099479
hello DWSN, it's michael isn't it? hahaha
>>
>>107100400
>it's michael isn't it?
nope. although the image of michael trying to use a shit app/site like X is indeed very funny. lol
>>
>>107097551
Only god knows how much I hate faggots. Too many homos in tech
>>
>>107097429
I actually went through all the recent posts.
Stop roofying people with your AI slop, faggots. No means no.
>>
>>107099776
it's an AI account
>>
>>107099512
AI is the future and by refusing it ffmpeg is just making the way to being left behind. They're in the wrong and Google did nothing bad.
>>
>>107103242
https://en.wikipedia.org/wiki/Tavis_Ormandy
Are you fucking retarded?
>>
>>107099776
The thing is it always comes back to the issue of who's gonna (pay to) fix it? Because google sure isn't offering any help or money. Which is what it's all about.
>>
>REEEE IT'S AN OBSCURE CODEC, IT'S JUST HOBBY CODE!!!! STOP BOTHERING ME WITH VULNERABILITY REPORTS!!!
If it is enabled in ffmpeg by default, then it doesn't matter how obscure the codec is. It doesn't really matter that an AI found it either; yeah, it might not have been found by a human being, but that's not a guarantee, especially given how autistic hackers are: they love delving into obscure, ignored code and finding a way to fuck with it. ffmpeg has no excuse here if their code is full of holes.
>>
>google trying to kill old codecs
Lmao even
>>
>>107103443
Also yeah decoding is pretty vulnerable by nature, but that is a reason for ffmpeg to NOT have every possible codec enabled by default. As long as the most relevant codecs are enabled by default it still services almost its entire userbase, and anyone who wants that extra functionality could just compile it themselves with their necessary codecs involved.
>>
>>107103443
b-b-but /g/ told me AI was a meme
>>
>>107103279
totally not an AI generated "article"
>>
>>107097429
FFmpeg devs want to be worshiped for maintaining software that is used everywhere without being burdened by actually having to perform the maintenance necessary for software that is used everywhere.
>>
>>107103664
>>107103443
I am with FFMPEG on this, it's run by a very small team and they don't get paid. You want to disclose a security vulnerability, at least submit a PR. So many companies use ffmpeg without paying jack shit
>>
>>107098842
Feel free to pay for him to give a shit about you getting owned
Protip: kys
>>
actual engineers would go to prison if people died for their miscalculations
meanwhile, software devs: >>107103816
>>
>>107103789
I'm pretty sure these were disclosed privately way before being published, that is generally how it works. If that isn't what happened, and google did publish these vulnerabilities publicly before ever privately reaching out, I am on ffmpeg's side.
>>
>>107104065
dumb retard
>THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
>>
>>107104187
>AI at bulk discovers bugs
>AI bot auto-published them ASAP
>malware coder uses AI to scrap the CVE page
>5 days later there're already victims
The absolute state of 2025.
>>
>>107104256
Yeah if that is the situation the ffmpeg team has absolutely every reason to be angry. Publishing a huge list of vulnerabilities without prior private messaging or warning at all is absolutely malicious and serves no purpose other than to spread malware.
>>
here you can see the snowflake dev pretends to be a tough guy while running away from responsibilities >>107104211
lmao
>>
>>107097429
we must rewrite ffmpeg in rust asap
I'll make the logo
>>
ffmpegged
>>
>>107104909
>a tech illiterate dumb retard who never glanced over any open source license text ever
every single time
>>
the dev thinks he can avoid responsibility by writing some text on a piece of paper, as if that meant anything against the law >>107105230
>>
>>107105264
>a piece of paper
lol
>meant anything against the law
That license is the law, genius.
>>
File: 1751867374149568.png (129 KB, 763x802)
Okay, FFmpeg's approach to security is very concerning.
>>
>>107097429
FFmpeg is in the right as usual. Billion/trillion dollar companies use FFmpeg everyday to earn billions and they give absolutely nothing in return. Neither money nor contribute patches. These attacks on ffmpeg in recent days have been by people like this that earn a lot of money from ffmpeg while being a complete leech.
>>
>>107105390
Ok, then write your own ffmpeg instead of bitching about it, or submit PRs to fix the vulnerabilities?

oh wait, they want to continue using it for free and push massive loads of work to people volunteering their time and have other jobs.
>>
>>107098842
>software you made yourself responsible for
There is no such thing. It's people that work on software in their free time because they want to. They have no obligation to do anything for anyone else, you are the one that is putting them on that seat.
>>
>>107105434
>NOOO if you find a vulnerability you have to keep it secret forever, because I'm too lazy to fix it!!!
How is anybody even supposed to send patches if the vuln should never be published? Do they just want to have a hidden backdoor that only people in the know exploit?
>>
>>107105431
>FFmpeg is in the right as usual.
They're not
>Billion/trillion dollar companies use FFmpeg everyday to earn billions and they give absolutely nothing in return. Neither money nor contribute patches.
You're wrong again, They do contribute things. Tons of things.
>These attacks on ffmpeg in recent days have been by people like this that earn a lot of money from ffmpeg while being a complete leech.
Pointing out vulnerabilities in software that is widely distributed and that interacts with the outside world is not leeching. It's contributing.

>>107105434
Uh, yeah. that's not how open source works.

>>107105454
>They have no obligation to do anything for anyone else
No, they do actually. That's what being a maintainer is. Maintain or resign.

Funny how many brown nocoder simps the ffmpeg X account attracts.
>>
>>107105328
>That license is the law, genius.
you have no clue about anything lmao
>>
>>107105651
hurr durr no u lol do not want MOMMMMMM
>>
>>107105573
/g/ is nothing but bad faith retard trolls. so boring being here.
>>
>>107105563
>you have to keep it secret forever
Nobody is saying that, you're just strawmanning. Google published these vulnerabilities, for all we know, without any prior warning and with no proof that these vulns were known or being abused by anyone. They used their AI to detect vulns that nobody knew about and then published them before the ffmpeg team could patch them, which is straight up malicious and not beneficial to anyone.
>>
any reason I shouldn't set up ffmpeg in a cloudflare worker and use cloudflare for free and quick processing?
>>
>>107105853
You just quoted a bad faith troll, did you know that?
>>
>>107105853
All boards are run like /b/×/pol/, that is the directive...
>>
>>107105853
That's not true! There are also a ton of genuine single digit IQ troglodytes that think they're gods personal gift to the tech space.
>>
Security "researchers" are circlejerking faggots, but if the ffmpeg guys really don't care about fixing this they should just disable the responsible codec.
>>
>>107105887
>with no proof that these vulns were know or being abused by anyone
absolutely retarded take
>>
>>107106018
It isn't when that is the main argument being used by the Google team as to why these vulns needed to be disclosed immediately.
>>
>>107106033
the presumption should always be that all vulns in your software have already been discovered by threat actors and are being exploited
>>
>>107105887
>They used their AI to detect vulns that nobody knew about and then published them
Great, wasn't ffmpeg one of the projects that had to shut down issues for a while because they got spammed by this exact type of AI farmed shit? As if I need more reasons to hate google.
>>
>>107106063
It is standard practice to disclose the vulnerabilities PRIVATELY with the developers before making anything public.
>>
>>107106121
in tavis' case that's exactly what was done
>>
People can fork a project you know
>>
>>107106169
Yeah and strangely he doesn't admit how much time he gave ffmpeg, if any, to patch the gigantic pile of vulnerabilities his AI shit out for him.
>>
>>107106283
nice goalpost shift
>>
>>107106169
>>107106283
>>107106303
These scripted bot dramas are so tiresome.
>>
>>107097429
because they get little to no money, yet sec researchers blame them instead of blaming how the entirety of the industry relies on ffmpeg, openly violates the license and gives zero fucks about anything regarding ffmpeg. The codebase is also a shitfest and has been more or less forever, and the few attempts to improve it ended up in forks that eventually got left behind or became abandoned, since the ffmpeg devs don't really care about much past covering a lot of codecs and getting good performance out of a few
>>
>>107106007
ffmpeg doesn't even distribute binaries, if you build with the old ass extremely obscure codecs it's your fault for building with them
>>
File: 27527654367.png (43 KB, 593x301)
>>107097429
>>107097551
>deleted his post
Fucking lmao pussy couldn't even stand by his words
>>
>>107106791
>he doesn't realize what this means
he's being told by some 3 letter agency to shut up kek

btw, thanks taviso for the 0day
>>
>>107105573
i'm adding "it's their job" and "they should resign" (talking about open source contributors) to the tard list started @ >>107100549.
thank you for your contribution.
>>
>>107105894
what the fuck do you think i made my comment for?
>>
>>107098842
Supposedly the dude who runs the ffmpeg twitter is a vlc maintainer.
>>
>>107107154
so it's a troll?
>>
File: file.png (96 KB, 531x435)
>>107107154
>forgot pic
>>107107176
No, he's a legit member of the ffmpeg team. It's just that he's also a vlc maintainer. (I realise now how convoluted I made it by pointing out the vlc part). But yeah, he's just a dick.
>>
>>107107154
nope.
even minimum tech literacy is too much to ask of /g/eets.
>>107099479
>>
File: file.png (48 KB, 577x326)
>>107107189
>>107107205
Fair enough. They do deny it. But I'd deny it too if I was the only one with the password and literally no one can take it away from me.

> And he who controls the battlefield... controls history. War has changed.
>>
>>107107044
Fixing security vulnerabilities is their job, yes. There is no doubt about that as they even admit it themselves.
And yes, 'maintainer' is a position they can resign from. And they should, if they aren't willing to perform the duties expected of a maintainer for a large FLOSS project.

Any other stupid comments you need to be BTFO'd on?
>>
File: wave_nofilter.gif (91 KB, 220x131)
>>107107205
Hi denis.
>>
>>107104211
>TO THE EXTENT PERMITTED BY APPLICABLE LAW
get fucked, snowflakes; software is being regulated in the EU and many other places like every other product and service
you had a very stupid privilege, toxic for society, that lasted for way too long
>>
>>107107228
all the shit posting is done by ONE person. and he is not french ;);)
anyone with minimal tech literacy levels knows, or could very very very easily know who that person is. but that minimum literacy level continues to filter /g/eets and e-celeb tards.
yet, literal tech illiterates continue to comment on such matters. lmao.
it seems the lols will indeed continue.
>>
>>107107237
>stupid comment
>large FLOSS with just one maintainer
Whose expectations should we forcibly resign people with? Dipshit, if you don't like how something is being done, cry about it, or fork the code. That is how "open source" works.
>>
>>107107357
oh no, u-rope is going to sue my public repos. and that's totally what regulating software means. i'm deleting everything as we speak.
(mutt hours are out tarding jeet hours today/tonight. that's a nice change from the usual.)
>>
>"tech literate" means you have to know the name of whatever wannabe e-celev dev currently leads a project, even though they are not the creator (an actual celeb in the dev world)
lmao @ this board
>>
Hi, I'm Shane Blalock, a Junior Engineer at Google Project Zero!
So, I discovered that there is an Imagemagick-style exploit in FFmpeg, when processing an input video.
For example, an "mp4" file whose file contents contains the string
'\n( ); | NUL NUL \r | ) echo hacked

will actually run the command
echo hacked

This is not cool. Because it is not safe!
So, I would encourage the developers of FFmpeg to first read our Code of Conduct then register with MadeWithGoogle.com/BugBounties. We require 2FA
>>
>>107109342
lmao
>>
File: 1752923619832909.jpg (433 KB, 1080x1282)
>>107097429
YOU. WILL. DO. IT. FOR. FREE.
chuddy
cuz big tech is using your software
>>
ffmpeg should just have said "feel free to send the pull request with the fix".
no need for all this drama.
>>
>>107109614
That's pretty much what they do. The Twitter account is there to troll corporate leeches and to remind people that talk is cheap.
>>
>>107109577
vendors sell software. did they buy ffmpeg? do they have a service contract with ffmpeg?
>>
File: 1751002741594796.png (75 KB, 910x282)
Reminder
>>
>>107109676
this fag is playing mental gymnastics, argues with like 20 different people, and comes off as a whiny entitled bitch
he can't tell the difference between the volunteer work and doing it for money
>>
File: nowarranty.png (326 KB, 851x315)
>>
>>107109687
>i'm important fix my issue first
>>
Is using yt-dlp with ffmpeg installed, safe?
>>
>>107110110
sure why not
>>
>>107105390
these heck'n hackers might get you! well... if these lists of very specific steps happen to happen!
>>
>>107099776
I'd love to see a singular real-world example of anyone being affected by a vulnerability in some obscure 90s Star Wars cutscene format
>>
>>107108500
>he must be a wanna be e-celeb
>there is no way to know things, one can only guess
lmao indeed
>>
>>107097618
>decoders
???? Did you mean encoders?
>>
>>107110744
not him but ffmpeg has more decoders than encoders, and most of the time people use external encoders like x264, svt-av1, libopus, etc
run "ffmpeg -formats" and note how many have "D" (decoding) versus "E" (encoding)
>>
>>107110823
"ffmpeg -codecs", i mean, formats is for containers et al.
>>
File: enc_vs_dec.png (15 KB, 960x430)
>>107110823
>>107110831
>>
>>107110823
It's the first time I hear those are external encoders, though I vaguely remember needing an extended build for something, maybe for the ability to use something other than the default av1 encoder, which I believe to be libaom.
DEV.L. av1 Alliance for Open Media AV1 (decoders: libdav1d libaom-av1 av1 av1_cuvid av1_qsv av1_amf) (encoders: libaom-av1 librav1e libsvtav1 av1_nvenc av1_qsv av1_amf av1_mf av1_vaapi)

DEV.LS h264 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10 (decoders: h264 h264_qsv libopenh264 h264_amf h264_cuvid) (encoders: libx264 libx264rgb libopenh264 h264_amf h264_mf h264_nvenc h264_qsv h264_vaapi h264_vulkan)

DEAIL. opus Opus (Opus Interactive Audio Codec) (decoders: opus libopus) (encoders: opus libopus)

Faggot.
>>
>>107110924
keep in mind I mean "external" as in "not developed by ffmpeg", not necessarily external as in separate files. you can get static builds of ffmpeg which have them all in one file
>>
>>107110924
>>107110947
-- also in some cases there's both an internal and external option, like for aac there's "aac", ffmpeg's encoder, which has at least historically been lower quality than say, libfaac, an external encoder, so keep that in mind when specifying a codec
>>
File: 1092.jpg (116 KB, 1152x2048)
>>107097899
>>
>>107110304
not sure if retarded or just pretending, but as long as the file is processed by the target, it doesn't matter if the file is 200 years old.


>>107107154
>vlc maintainer.
oh, no wonder. VLC has to be the piece of software with the most vulnerabilities out there
>>
>>107099512
If it is a feature they still fully support and it is a security vulnerability like it was in one of the cases they are mad and posting publicly about, what should anybody be doing?
They don't want to remove support for a codec because somebody worked hard on it, they don't want to disable playing it back by default for some fucking reason and then they are mad that google posted a bug report that would go public in 90 days if not fixed.
>>
File: 2025-11-06_000837.png (25 KB, 709x300)
>>107107189
He works for Huawei, maybe it is really backdoored
>>
>>107109577
that must be bait
>>
>>107109577
>free open source project
>"vendor"
Faggot needs to turn off his goonime and pick up a dictionary.
>>
>>107099776
>taviso claims that these vulns are being exploited
The easy approach is for FFMPEG to simply make it easy to not build those codecs, and turn round and say that they're not recommended and not part of the security fix schedule, but that if some parties (such as fucking Google) that want to have them fixed so they can enable them contribute patches then their work will be considered.
IOW, turn 'em off if you're security conscious, or give us a fix, or live with the consequences you chose.
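The posts above about compiling ffmpeg yourself with only the codecs you need, the "ffmpeg -codecs" D-versus-E listing, and the "turn 'em off if you're security conscious" reply all come down to one operational step: know which decoders your build actually has enabled, then build one that contains only the ones you use. The script below is an added example; it is not FFmpeg project code and not from anyone in the thread. It assumes the text format of "ffmpeg -hide_banner -decoders" (header lines, a dashed separator, then a flag column and a decoder name per row). The embedded decoder list is constructed for the demo, not taken from a real build, and the allowlist of h264 and aac is a placeholder for whatever your deployment really consumes. The configure options used (--disable-everything, --disable-network, --disable-doc, --enable-decoder=, --enable-demuxer=, --enable-protocol=) are real FFmpeg configure flags; choosing the mov/matroska demuxers and the file protocol is an assumption about local mp4/mkv input.

```shell
#!/bin/sh
# Added example, not FFmpeg project code. Audit the decoders an ffmpeg build
# has enabled against an allowlist, and print ./configure flags for a build
# that contains only the allowlisted decoders.
# Assumes the "ffmpeg -hide_banner -decoders" text format: header lines,
# a " ------" separator, then "<flags> <name> <description>" per decoder.

# Read "ffmpeg -decoders" output on stdin, print one decoder name per line.
decoder_names() {
    awk '
        /^ *-+$/        { body = 1; next }   # rows start after the dashed separator
        body && NF >= 2 { print $2 }         # $1 = flag column (e.g. VFS..D), $2 = name
    '
}

# Read "ffmpeg -decoders" output on stdin; print every enabled decoder that is
# not in the allowlist file $1 (one name per line). Returns 1 if any were found.
audit_decoders() {
    allow="$1"
    extra=$(decoder_names | grep -vxF -f "$allow" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Print configure flags for a build limited to the allowlisted decoders in $1.
# --disable-everything turns every component off; the --enable-* flags below
# turn back on only what a local mp4/mkv-to-file job needs (assumption).
minimal_configure_flags() {
    decs=$(paste -sd, "$1")
    printf -- '--disable-everything --disable-network --disable-doc '
    printf -- '--enable-decoder=%s ' "$decs"
    printf -- '--enable-demuxer=mov,matroska --enable-protocol=file\n'
}

# Constructed sample of "ffmpeg -hide_banner -decoders" output for the demo;
# replace with the live command to audit a real build.
SAMPLE_DECODERS=' V..... = Video
 A..... = Audio
 .F.... = Frame-level multithreading
 ------
 VFS..D h264                 H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
 V....D sanm                 LucasArts SANM/Smush video
 A....D aac                  AAC (Advanced Audio Coding)
 V....D xan_wc3              Wing Commander III / Xan'

allow=$(mktemp)
printf 'h264\naac\n' > "$allow"      # what this deployment actually decodes (placeholder)

echo "enabled decoders not on the allowlist:"
printf '%s\n' "$SAMPLE_DECODERS" | audit_decoders "$allow" \
    || echo "=> rebuild with the flags below, or extend the allowlist knowingly"
echo "configure flags for an allowlist-only build:"
minimal_configure_flags "$allow"
rm -f "$allow"
# Live use:  ffmpeg -hide_banner -decoders | audit_decoders allow.txt
```

Run the audit against the binary you actually ship, not the one on your workstation: distro packages and static builds differ widely in what they enable, and the decoder list is the attack surface any file you feed ffmpeg can reach.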
>>
File: opinion.jpg (58 KB, 625x352)
>>107109577
>YOU. WILL. DO. IT. FOR. FREE.
>>
File: AppArmor_logo.svg.png (25 KB, 480x480)
>>107097429
>Muh security in depth
Unironically this, this is why some practical UI is needed for systems like firejail etc.
These exist for Windows, too.

You cannot depend on patching exploits, there is always a lag.
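The point in the post above ("you cannot depend on patching exploits, there is always a lag") is the one mitigation that needs no patch from upstream: run the decoder where a bug cannot reach anything. As an added example, not FFmpeg, firejail or bubblewrap project code, here is a wrapper that runs ffmpeg on an untrusted file under bubblewrap (bwrap) with fresh user/pid/network/ipc namespaces, /usr mounted read-only, no home directory, a cleared environment, and only a throwaway scratch directory writable. It assumes bwrap is installed, that binaries and libraries live under /usr (merged-usr layout), that mktemp -d returns a path without whitespace, and it fixes the output container to Matroska for simplicity. The bwrap options used are standard ones; sandbox_cmd only prints the command, so the policy can be reviewed on a machine without bwrap.

```shell
#!/bin/sh
# Added example, not FFmpeg/bubblewrap project code: run ffmpeg on an untrusted
# input inside a bubblewrap (bwrap) sandbox so a decoder bug ends up in a
# process that can reach nothing but a scratch directory.
# Assumptions: bwrap is installed; binaries/libraries live under /usr
# (merged-usr layout); mktemp -d returns a path without whitespace.

# Static part of the policy. Word-split on purpose; it contains no user paths.
#   --ro-bind /usr /usr           read-only view of the system, nothing else
#   --symlink usr/lib /lib ...    so the dynamic loader finds libraries
#   --proc / --dev / --tmpfs      fresh pseudo filesystems, no host /tmp
#   --unshare-all                 new user/pid/net/ipc/uts/cgroup namespaces: no network
#   --clearenv                    no inherited environment (tokens, proxies, etc.)
#   --die-with-parent             kill the sandbox if the wrapper dies
#   --new-session                 detach from the controlling terminal
SANDBOX_FLAGS="--ro-bind /usr /usr --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
--symlink usr/bin /bin --ro-bind /etc/ld.so.cache /etc/ld.so.cache \
--proc /proc --dev /dev --tmpfs /tmp \
--unshare-all --clearenv --setenv PATH /usr/bin --setenv HOME /work \
--die-with-parent --new-session"

# Print (do not run) the full bwrap command line for work dir $1 and command $2...
# Useful for logging and for reviewing the policy without bwrap installed.
sandbox_cmd() {
    work="$1"; shift
    printf '%s' "bwrap $SANDBOX_FLAGS --bind $work /work --chdir /work --"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# Run command $2... inside the sandbox with $1 mounted read-write at /work.
run_sandboxed() {
    work="$1"; shift
    # shellcheck disable=SC2086  # SANDBOX_FLAGS is meant to be split
    bwrap $SANDBOX_FLAGS --bind "$work" /work --chdir /work -- "$@"
}

# ffmpeg_sandboxed IN OUT [extra ffmpeg options]: copy IN into a scratch dir,
# process it there, move the result to OUT. Output container is fixed to
# Matroska here for simplicity (assumption).
ffmpeg_sandboxed() {
    in="$1"; out="$2"; shift 2
    work=$(mktemp -d) || return 1
    cp -- "$in" "$work/input" || { rm -rf -- "$work"; return 1; }
    if run_sandboxed "$work" /usr/bin/ffmpeg -hide_banner -nostdin -i input "$@" output.mkv; then
        mv -- "$work/output.mkv" "$out"; rc=$?
    else
        rc=1
    fi
    rm -rf -- "$work"
    return "$rc"
}

# Dry run: print the command that would be executed for a copy-remux job.
sandbox_cmd /tmp/example-work /usr/bin/ffmpeg -hide_banner -nostdin -i input -c copy output.mkv
# Real use once bwrap and ffmpeg are installed:
#   ffmpeg_sandboxed untrusted.mp4 safe.mkv -c copy
```

The useful property is that a compromised ffmpeg inside this wrapper can write only to /work and cannot open a socket, so the usual "decode a crafted file, then beacon out" chain stops at the first step. Pair it with a decoder-restricted build; the sandbox limits blast radius, it does not make the decoder correct.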
>>
>>107110744
>>107110924
>It's the first time I hear those are external encoders
kek, retarded ffmpeg shills don't even know what they're shilling for. Insane.
>>
>mfw Google operates a bug bounty program for ffmpeg and pays up to 15k for a patch
Sounds to me like ffmpeg are just ungrateful children
>>
So can someone give me a QRD on what steps need to happen in order for the epic hackers to get me and what can they actually do?
>>
>>107097429
A proper security report for a vulnerability, would have some steps in how to fix it.
>>
>>107117721
Step 1. Be an important target.
Knowing that, you have nothing to worry about.
>>
>>107116939
>IOW, turn 'em off if you're security conscious, or give us a fix
anon, if you decide to make yourself responsible for something, you decide to accept the consequences of your decision. you don't want to fix vulnerable shit? step down and let others become responsible. you still want to be a maintainer but don't want to deal with the responsibility as a maintainer? well.... hope you don't get sued for refusing to do your fucking job
>b-but you haven't paid me a single cent
you know, you accepted these terms...
>>
>>107117721
Look up the VLC Facebook pedo
>>
>>107097618
As they should. God help us if retards start flooding the internet with
>DEVILS
AHAHAHAHHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>>
>>107106791
why is everyone on google's payroll such passive aggressive foid brained sois? insanely insufferable people
>>
they should fix the vuln and make the patch agpl
>>107106007
that would be giving google what they want. funneling everyone to their garbage
>>107105889
won't you run into execution limits like instantly?
>>
>>107110877
>$ ffmpeg -codecs
>Codecs:
> D..... = Decoding supported
> ..D... = Data codec
$ ffmpeg -hide_banner -codecs | perl -ne 'print if /\A\s+D/' | wc -l
496
$ ffmpeg -hide_banner -codecs | perl -ne 'print if /\A\s+.E/' | wc -l
186



All trademarks and copyrights on this page are owned by their respective parties. Images uploaded are the responsibility of the Poster. Comments are owned by the Poster.