
nobody really cares about whether or not you’re going to mourn for someone, but I think it shows the content of your character that you felt the need to share that you won’t be mourning him because XYZ. Nobody is perfect, and I wager to guess even the almighty You has a few things in your past you wouldn’t want people to remember about you if you died slowly and painfully very publicly.

Scott Adams said some really stupid, poorly thought out things about minorities and women, and he faced real world consequences for his actions. But he also died slowly and painfully of cancer, and he died crying out for help very publicly. That’s objectively very sad, and if you should ever share the same fate I truly and genuinely hope your loved ones are there and with you, and choose to forgive you of any of your perceived sins.


I hope that people remember me for exactly who I was, especially if I'm ever as terrible as Scott Adams was.



> horrible twisting little wretched creature like 99% of humanity

You sound awfully like me. (no, I'm not being sarcastic)


Not spending the last years of your life being a professional troll isn't a high bar that 99% of humanity doesn't clear. Nice monologue though.

k, keep me posted

Scott Adams: Yes, I'm a racist. Avoid black people. Women shouldn't be president. Was the Holocaust really that bad?

Me: Don't remember horrible people as better than they were just because they died.

You: You two are the same.


> he also died slowly and painfully of cancer

I guess he got the death that he wished, personally and seriously, upon some large fraction of the Earth's population

  I don't want anyone to misconstrue this post as satire or exaggeration. So I'll reiterate. If you have acted, or plan to act, in a way that keeps doctor-assisted suicide illegal, I see you as an accomplice in torturing my father, and perhaps me as well someday. I want you to die a painful death, and soon. And I'd be happy to tell you the same thing to your face.
https://web.archive.org/web/20131203003037/http://dilbert.co...

I'm not obliged to mourn someone that spread hatred against the group of people I belonged to, even more so when they didn't show any regret about their words at the end of their lifetimes.

Look at the entirety of this thread. You are trying to reason with reptiles. The more you try to appeal to their humanity or decency, the harder they will double down on their psychotic behaviour.

René Girard explained this mechanism in his mimetic theory and the scapegoat mechanism. People here on hacker news are generally not fully formed human beings, and they instinctively believe that the more they group together in hate against different individuals, the more they will personally benefit. You see it here in every thread, no matter what subject.


> Scott Adams said some really stupid, poorly thought out things about minorities and women, and he faced real world consequences for his actions

Or maybe he did know that there would be consequences? Many people who are financially secure do make provocative statements. I think he did many of us a favor, because many of us still have to earn a living and cannot speak out.


Wait, so you would personally say things like "Black people are a hate group", except that you need to stay employed?

That is exactly what I mean about making bigotry shameful again. You should worry about losing your job, and your friends and family, for that.

If you stay quiet about your hateful views, then others are more likely too, and maybe some day we can eventually, slowly, move past all of you.


Sounds like you’d be better off applying to real companies. You sound very smart, or at least capable of people skills and learning. Don’t waste yourself at Microsoft

The definition of cause is quite clear. “Rust” is obviously not the cause, but it did fail to be the solution, here. You can’t avoid that.


But it didn't promise to be the solution either. Rust has never claimed, nor have its advocates claimed, that unsafe Rust can eliminate memory bugs. Safe Rust can do that (assuming any unsafe code relied upon is sound), but unsafe cannot be and has never promised to be bug free.


Ok so why is Rust in the kernel if you can't use safe Rust there and what's left is not what Rust promises?


Most of the kernel's Rust usage is safe Rust. The only unsafe Rust is there to interact with the rest of the kernel and to provide safe abstractions.


Except that it didn't fail to be the solution: the bug is localized to an explicit escape hatch in Rust's safety rules, rather than being a latent property of the system.

(I think the underlying philosophical disagreement here is this: I think software is always going to have bugs, and that Rust can't - and doesn't promise - to perfectly eliminate them. Instead, what Rust does promise - and deliver on - is that the entire class of memory safety bugs can be eliminated by construction in safe Rust, and localized when present to errors in unsafe Rust. Insofar as that's the promise, Rust has delivered here.)
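As an added example of the pattern the comment above describes (not code from the thread or from the kernel's own Rust bindings): a safe wrapper around a buffer handed over by foreign code, where the only `unsafe` is the constructor's stated contract plus two bounds-checked reads, so a parsing mistake in safe code yields `None` rather than an out-of-bounds access. `ForeignBuf` and the 4-byte length-prefixed chunk layout are invented for illustration.

```rust
// Added example (not from the thread or the kernel): the unsafe surface is
// confined to `from_raw` (the contract a reviewer audits) and two reads that
// only execute after a bounds check. Everything a caller can reach is safe.
use std::marker::PhantomData;
use std::slice;

/// Borrows a buffer owned by foreign (C) code for lifetime 'a; owns nothing.
pub struct ForeignBuf<'a> {
    ptr: *const u8,
    len: usize,
    _marker: PhantomData<&'a [u8]>,
}

impl<'a> ForeignBuf<'a> {
    /// # Safety
    /// `ptr` must point to `len` readable bytes that stay valid and unmodified
    /// for 'a. This is the only precondition in the module that cannot be
    /// checked by the compiler.
    pub unsafe fn from_raw(ptr: *const u8, len: usize) -> Self {
        ForeignBuf { ptr, len, _marker: PhantomData }
    }

    pub fn len(&self) -> usize {
        self.len
    }

    /// Bounds-checked single-byte read: out of range gives None, never UB.
    pub fn get(&self, idx: usize) -> Option<u8> {
        if idx < self.len {
            // SAFETY: idx < len, and from_raw's contract covers len bytes.
            Some(unsafe { *self.ptr.add(idx) })
        } else {
            None
        }
    }

    /// Bounds-checked subslice, the shape a chunk parser would ask for.
    pub fn slice(&self, start: usize, end: usize) -> Option<&'a [u8]> {
        if start <= end && end <= self.len {
            // SAFETY: [start, end) lies within len bytes valid for 'a.
            Some(unsafe { slice::from_raw_parts(self.ptr.add(start), end - start) })
        } else {
            None
        }
    }
}

/// Safe parser for a constructed chunk format: u32 LE length, then payload.
/// A header claiming more bytes than the buffer holds is rejected here,
/// in safe code, instead of reading past the allocation.
pub fn payload_len(buf: &ForeignBuf<'_>) -> Option<usize> {
    let hdr = buf.slice(0, 4)?;
    let n = u32::from_le_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]) as usize;
    let end = 4usize.checked_add(n)?; // overflow also rejected
    buf.slice(4, end).map(|p| p.len())
}
```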


You can label something an "explicit escape hatch" or a "latent property of the system", but in the end such labels are irrelevant. While I agree that it may be easier to review unsafe blocks in Rust compared to reviewing pointer arithmetic, union accesses, and free in C because "unsafe" is a bit more obvious in the source, I think selling this as a game changer was always an exaggeration.


Having written lots of C and C++ before Rust, this kind of local reasoning + correctness by construction is absolutely a game changer. It's just not a silver bullet, and efforts to miscast Rust as incorrectly claiming to be one seem heavy-handed.


Google's feedback seems to suggest Rust actually might be a silver bullet, in the specific sense meant in the "No Silver Bullet" essay.

That essay doesn't say that silver bullets are a panacea or cure all, instead they're a decimal order of magnitude improvement. The essay gives the example of Structured Programming, an idea which feels so obvious to us today that it's unspoken, but it's really true that once upon a time people wrote unstructured programs (today the only "language" where you even could do this is assembly and nobody does it) where you just jump arbitrarily to unrelated code and resume execution. The result is fucking chaos and languages where you never do that delivered a huge improvement even before I wrote my first line of code in the 1980s.

Google did find that sort of effect in Rust over C++.


As a scientist, I would not trust self reports from the industry too much. Even if those are honest, there are too many things that could bias this.


indistinguishable


needs a little more Rust spam but otherwise, completely


Yeah you’re so right! We should not even look at them at all or analyze them because they are being released in the way you don’t agree with… bro really?


I mean, people should look, of course.

But don’t be blind to how effectively that strategy works.


I need something like this on Linux, any solutions?


wow, it’s slop!


What’s the point of doing anything ever? Because we can, that’s it. Some people happen to use Windows for things other than gaming (remarkably).


Not too fond of maintainers getting too uppity about this stuff. I get that it can be frustrating to receive bug report after bug report from people who are unwilling or unable to contribute to the code base, or at the very least to donate to the team.

But the way I see it, a bug report is a bug report, no matter how small or big the bug or the team, it should be addressed.

I don’t know, I’m not exactly a pillar of the FOSS community with weight behind my words.


When you already work 40+ hours a week and big companies suddenly start an AI snowblower that shoots a dozen extra hours of work every week at you without doing anything to balance that (like, for instance, also opening PRs with patches that fix the bugs), the relationship starts feeling like being an unpaid employee of their project.

What's the point of just showering these things with bug reports when the same tool (or a similar one) can also apparently fix the problem too?


The problem with security reports in general is security people are rampant self-promoters. (Linus once called them something worse.)

Imagine you're a humble volunteer OSS developer. If a security researcher finds a bug in your code they're going to make up a cute name for it, start a website with a logo, Google is going to give them a million dollar bounty, they're going to go to Defcon and get a prize and I assume go to some kind of secret security people orgy where everyone is dressed like they're in The Matrix.

Nobody is going to do any of this for you when you fix it.


Except that the only people publicizing this bug were the people running the ffmpeg Twitter account. Without them it would have been one of thousands of vulnerabilities reported with no fanfare, no logos, and no conference talks.

Doesn't really fit with your narrative of security researchers as shameless glory hounds, does it?


How do they know that next week it's not going to be one of those 10 page Project Zero blog posts? (Which like all Google engineer blog posts, usually end up mostly being about how smart the person who wrote the blog post is.)

Note FFmpeg and cURL have already had maintainers quit from burnout from too much attention from security researchers.


If Google wanted nothing more than to simply make blog posts, why wouldn't they just only report the big bugs that they can make blog posts out of (and avoid having to spend any resources on finding the rest) ?

I don't know if you'd be satisfied with that, but certainly this would allow them to easily make the blog posts you seem to be complaining about, all while making the load on maintainers rather minimal, at least insofar as blog posts appear to be quite infrequent compared to the total amount of vulnerabilities they report - around 20 vulnerability reports per year certainly seems like a manageable load for the entire FOSS community to bear, especially given almost none of these 20 yearly vulnerability reports would go to ffmpeg (if not literally none, given the Project Zero blog has 0 search results for "ffmpeg" or "libav"), and a significant portion of their blog posts aren't even about FOSS at all but instead about proprietary software like the operating systems Microsoft and Apple make.

I do think such a thing would be bad for everyone, though (including the ffmpeg developers themselves, to be honest) - Project Zero is good for everyone's security, in my opinion, and even if all FOSS developers were to universally decide to reject all Project Zero reports that don't come with a patch, and Google decided to still not make such patches, people being able to know that these vulnerabilities exist is still a good thing nonetheless - certainly much better than more vulnerabilities being left in for malicious actors to discover and use in zero-day attacks.


> Not too fond of maintainers getting too uppity about this stuff.

I suppose you'd prefer they abandon their projects entirely? Because that's the real alternative at this point.


It’s not bug reports. It’s CVE.

There is a convergence of very annoying trends happening: more and more are garbage found and written using AI and with an impact which is questionable at best, the way CVEs are published and classified is idiotic, and platforms funding vulnerability research like Google are more and more hostile to projects, leaving very little time to actually work on fixes before publishing.

This is leading to more and more open source developers throwing in the towel.


CVEs aren't caused by bugs?


They are not published in project bug trackers and are managed completely differently so no, personally, I don't view CVEs as bug reports. Also, please, don't distort what I say and omit part of my comment, thank you.

Some of them are not even bugs in the traditional sense of the word but expected behaviours which can lead to insecure side effects.


It seems like you might misunderstand what CVEs are? They're just identifiers.

This was a bug, which caused an exploitable security vulnerability. The bug was reported to ffmpeg, over their preferred method for being notified about vulnerabilities in the software they maintain. Once ffmpeg fixed the bug, a CVE number was issued for the purpose of tracking (e.g. which versions are vulnerable, which were never vulnerable, which have a fix).

Having a CVE identifier is important because we can't just talk about "the ffmpeg vulnerability" when there have been a dozen this year, each with different attack surfaces. But it really is just an arbitrary number, while the bug is the actual problem.


I'm not misunderstanding anything. CVE involves a third party and it's not just a number. It's a number and an evaluation of severity.

Things which are usually managed inside a project now have a visibility outside of it. You might justify it as you want like the need to have an identifier. It doesn't fundamentally change how that impacts the dynamic.

Also, the discussion is not about a specific bug. It's a general discussion regarding how Google handles disclosure in the general case.


You could argue that, but I think that a bug is the software failing to do what it was specified, or what it promised to do. If security wasn't promised, it's not a bug.


Which is exactly the case here. This CVE is for a hobby codec written to support digital preservation of some obscure video files from the 90’s that are used nowhere else. No security was promised.


Not always, there have been plenty of CVEs issued for completely absurd reasons.


The lowered lead times are because devs have an entitled attitude that others fix their code when they discover bugs in it.

The 90 day period is the grace period for the dev, not a demand. If they don't want to fix it then it goes public.


> The lowered lead times are because devs have an entitled attitude that others fix their code when they discover bugs in it.

That’s how open source works.


It is super strange to say that someone who devoted their time and effort and then gives away their work for free is somehow entitled.

If this keeps up, there won't be anyone willing to maintain the software due to burn out.

In today's situation, free software is keeping many companies honest. Losing that kind of leverage would be a loss to the society overall.

And the public disclosure is going to hurt the users which could include defense, banks and other critical institutions.


> it can be frustrating to receive bug report after bug report from people

As the article states, these are AI-generated bug reports. So it's a trillion-dollar company throwing AI slop over the wall and demanding a 90-day turn around from unpaid volunteers.


Do you have evidence of ai slop, or are you just spreading fud? The linked bug was acknowledged as real.


That is completely irrelevant, the gross part is that (if true) they are demanding them to be fixed in a given time. Sounds like the epitome of entitlement to me, to say the least.


No one is demanding anything, the report itself is a 90 day grace period before being publicly published. If the issues are slop then what exactly is your complaint?


google literally tells them it's an ai generated report


That is not the definition of slop.


if it's unwanted then it is

and the ffmpeg maintainers say it's not wanted

so it's slop


It’s a reproducible use-after-free in a codec that ships by default with most desktop and server distributions. It can be leveraged in an exploit chain to compromise a system.

I'm not a Google fan, but if the maintainers are unable to understand that, I welcome a fork.


The “realism” of graphics has nothing to do with performance. It has to do with shaders which, contrary to your point can be expected in a greater degree in a game that uses cartoonish graphics BUT I don’t even think that the shaders are the culprit. It really just is that Unreal Engine 5 requires insanely high specs because of all of the myriad different cutting edge technologies it employs, all of which BL4 seems to take advantage of including Lumen, Nanite, and level streaming (idk the name for it)


> The “realism” of graphics has nothing to do with performance.

Obviously I understand your point that computational complexity is different than the extent to which something is realistic. But it's totally wrong that it "has nothing to do with" it.

Photorealistic scenes require high res textures, higher detail levels in geometry, better shadows, better global illumination, etc...

Cartoonish art styles don't necessarily require any of those. They still benefit from them, but with diminishing returns.

It's cool if they want to take advantage of some fancy UE5 features, but the burden to optimize is on them, especially considering that the game's quality settings look like this: https://www.thegamer.com/borderlands-4-optimal-pc-settings/#...


UE 5 requires specs so high that even a 5090 can't meet them. It's a turd of an engine.

Nanite is a way to make cheaper but lower performance assets (yes, it performs worse than manual Level Of Detail optimizations and quite significantly).

Lumen requirements are so high that for it to perform well you basically have to render at 720p. So they do and then upscale, and it's all blurry and still runs like shit.

