Bio field too short. Ask me about my person/beliefs/etc if you want to know. Or just look at my post history.

  • 0 Posts
  • 3 Comments
Joined 2 years ago
Cake day: August 3rd, 2023

  • Hell, I don’t submit help requests without a confident understanding of what’s wrong.

    Hi Amazon. My cart, ID xyz123, failed to check out. Your browser JavaScript seems to be throwing an error on line 173 of “null is not an object”. I think this is because the variable is overwritten in line 124, but only when the number of items AND the total cart price are prime.

    Generally, by the time I have my full support request, I have either solved my problem or solved theirs.


  • I agree that this is a problem.

    “Responsible disclosure” is a thing where an organization is given time to fix their code and deploy before the vulnerability is made public. Failing to fix the issue in a reasonable time, especially a timeline that your org has publicly agreed to, will cause reputational harm and is thus an incentive to write good code that is free of vulns and to remediate ones when they are identified.

    This breaks down when the “organization” in question is just a few people with some free time who made something so fundamentally awesome that the world depends on it and have never been compensated for their incredible contributions to everyone.

    “Responsible disclosure” in this case needs a bit of a redesign when the org is volunteer work instead of a company making profit. There’s no real reputational harm to ffmpeg, since users don’t necessarily know they use it, but the broader community recognizes the risk, and the maintainers feel obligated to fix issues. Additionally, a publicly disclosed vulnerability puts tons of innocent users at risk.

    I don’t dislike AI-based code analysis. It can theoretically prevent zero-days when someone else who is malicious finds an issue first, but running AI tools against that xkcd-tiny-block and expecting that the maintainers have the ability to fit into a billion-dollar company’s timeline is unreasonable. Google et al. should keep risks or vulnerabilities private when disclosing them to FOSS maintainers instead of holding them to the same standard as a corporation by posting issues to a git repo.

    An RCE or similar critical issue in ffmpeg would be a real issue with widespread impact, given how broadly it is used. That suggests that it should be broadly supported. The social contract with LGPL, GPL, and FOSS in general is that code is released ‘as is, with no warranty’. Want to fix a problem? Go for it! Only calling out the problem just makes you a dick: Google, Amazon, Microsoft, hundreds of others.

    As many have already stated: If a grossly profitable business depends on a “tiny” piece of code they aren’t paying for, they have two options: pay for the code (fund maintenance) or make their own. I’d also support a few headlines like “New Google Chrome vulnerability will let hackers steal your children and house!” or “Watching this YouTube video will set your computer on fire!”


  • I don’t know that ‘Conservative’ exists anymore. I’m American, but I think these comments work everywhere else, as Authoritarianism rises.

    Growing up, I believed that liberal/conservative was just a difference in approach, but not a difference in end-goal. Both ‘teams’ wanted the country to prosper. In my 40s, now, I clearly see that we have different goals: Liberals want everyone to be prosperous, healthy, fulfilled. Conservatives value the prosperity only of those on top.

    You may identify as conservative, little ‘c’, respect tradition and be careful with spending, etc; but I want you to closely evaluate the actions of people using that label across the globe. A vote for a conservative or right-wing candidate is a vote for the top 1% or less of the population of the planet. They may align with you on some topics, such as religion, abortion, fiscal policies, regulations, and more; but that is a ploy and they are absolutely willing to throw you away as soon as they have your vote and will cut everything you depend on once in power in order to pad their own pockets.

    There are certainly perverse incentives and systemic issues that make even liberal politicians support bad policies, but the voter bloc that is ‘liberal’ wants to make things better for everyone. The conservative politicians, at least in the US where I’m paying attention, seem to be hell-bent on making things worse instead.

    This has less to do with Trump’s actions, and more to do with how the conservatives behaved…