Readit News
GabrielTFS commented on PRC elites voice AI-skepticism   jamestown.org/prc-elites-... · Posted by u/JumpCrisscross
StopDisinfo910 · 24 days ago
> The French Republic has always existed in the nuclear age?

There have been two different French republics since 1945 with their own different constitutions (one with a parliamentary system and one semi-presidential).

I'm not sure the quip you are responding to makes sense, but it's always interesting to remind people that since the USA was founded, France went through three different monarchic systems, two empires, two periods where exceptional constitutional rules applied and five different republics. It highlights how exceptional the American deference towards their original constitution is.

Considering that the current republic was put in place in 1958, it's also interesting to consider that France managed to be a great power for 150 years while being politically extremely unstable. It puts the current world events in perspective.

> The French Republic has always been founded by De Gaulle?

Neither have. Michel Debré was the head of the government supervising the constitutional assembly which drafted the constitution of the 5th French Republic.

GabrielTFS · 23 days ago
Very minor nitpick, but I'd have said France went through four different monarchic systems in that time frame (1776-1790 Ancien Régime, 1791-1792 constitutional monarchy, 1814-1830 Bourbon Restoration and 1830-1848 July Monarchy).
GabrielTFS commented on An official atlas of North Korea   cartographerstale.com/p/a... · Posted by u/speckx
edm0nd · a month ago
>It is universally agreed between the two governments (and their citizens) that a unification should happen at some point

South Koreans don't seriously believe this would ever be possible do they?

GabrielTFS · a month ago
I don't think much of anyone thinks unification is actually possible absent some big change, and indeed neither government is truly pursuing it actively (unless "trying to destabilize and make the other government collapse" qualifies). But both are trying to be as ready as possible for unification when the opportunity presents itself (most likely, it would happen in a way akin to German reunification - that is, the government of one of the two countries becomes quite compatible with the other, because the previous form of government in it collapsed and was replaced by that of its neighbor).
GabrielTFS commented on FFmpeg to Google: Fund us or stop sending bugs   thenewstack.io/ffmpeg-to-... · Posted by u/CrankyBear
astrange · a month ago
How do they know that next week it's not going to be one of those 10 page Project Zero blog posts? (Which like all Google engineer blog posts, usually end up mostly being about how smart the person who wrote the blog post is.)

Note FFmpeg and cURL have already had maintainers quit from burnout from too much attention from security researchers.

GabrielTFS · a month ago
If Google wanted nothing more than to simply make blog posts, why wouldn't they just report only the big bugs that they can make blog posts out of (and avoid having to spend any resources on finding the rest)?

I don't know if you'd be satisfied with that, but certainly this would allow them to easily make the blog posts you seem to be complaining about, all while making the load on maintainers rather minimal, at least insofar as blog posts appear to be quite infrequent compared to the total amount of vulnerabilities they report - around 20 vulnerability reports per year certainly seems like a manageable load for the entire FOSS community to bear, especially given almost none of these 20 yearly vulnerability reports would go to ffmpeg (if not literally none, given the Project Zero blog has 0 search results for "ffmpeg" or "libav"), and a significant portion of their blog posts aren't even about FOSS at all but instead about proprietary software like the operating systems Microsoft and Apple make.

I do think such a thing would be bad for everyone, though (including the ffmpeg developers themselves, to be honest) - Project Zero is good for everyone's security, in my opinion, and even if all FOSS developers were to universally decide to reject all Project Zero reports that don't come with a patch, and Google decided to still not make such patches, people being able to know that these vulnerabilities exist is still a good thing nonetheless - certainly much better than more vulnerabilities being left in for malicious actors to discover and use in zero-day attacks.

GabrielTFS commented on FFmpeg to Google: Fund us or stop sending bugs   thenewstack.io/ffmpeg-to-... · Posted by u/CrankyBear
unsungNovelty · a month ago
The first thing you can do is actually read the article. The question is not about the security reports but Google's policy on disclosing the vulnerability after x days. It works for crazy lazy corps. But not for OSS projects.
GabrielTFS · a month ago
In practice, it doesn't matter all that much whether the software project containing the vulnerability has the resources to fix it: if a vulnerability is left in the software, undisclosed to the public, the impact to the users is all the same.

I, and I think most security researchers do too, believe that it would be incredibly negligent for someone who has discovered a security vulnerability to allow it to go unfixed indefinitely without even disclosing its existence. Certainly, ffmpeg developers do not owe security to their users, but security researchers consider that they have a duty to disclose them, even if they go unfixed (and I think most people would prefer to know an unfixed vulnerability exists than to get hit by a 0-day attack). There's gotta be a point where you disclose a vulnerability, the deadline can never be indefinite, otherwise you're just very likely allowing 0-day attacks to occur (in fact, I would think that if this whole thing never happened and we instead got headlines in a year saying "GOOGLE SAT ON CRITICAL VULNERABILITY INVOLVED IN MASSIVE HACK" people would consider what Google did to be far worse).

To be clear, I do in fact think it would be very much best if Google were to use a few millionths of a percent of their revenue to fund ffmpeg, or at least make patches for vulnerabilities. But regardless of how much you criticize the lack of patches accompanying vulnerability reports, I would find it much worse if Google were to instead not report or disclose the vulnerability at all, even if they did so at the request of developers saying they lacked resources to fix vulnerabilities.

GabrielTFS commented on FFmpeg to Google: Fund us or stop sending bugs   thenewstack.io/ffmpeg-to-... · Posted by u/CrankyBear
Msurrow · a month ago
If that’s the case why give the OSS project any time to fix at all before public disclosure? They should just publish immediately, no? Warn other users asap.
GabrielTFS · a month ago
Full (immediate) disclosure, where no time is given to anyone to do anything before the vulnerability is publicly disclosed, was historically the default, yes. Coordinated vulnerability disclosure (or "responsible disclosure" as many call it) only exists because the security researchers that practice it believe it is a more effective way of minimizing how much the vulnerability might be exploited before it is fixed.
GabrielTFS commented on FFmpeg to Google: Fund us or stop sending bugs   thenewstack.io/ffmpeg-to-... · Posted by u/CrankyBear
danaris · a month ago
But FFmpeg does not have the resources to fix these at the speed Google is finding them.

It's just not possible.

So Google is dedicating resources to finding these bugs

and feeding them to bad actors.

Bad actors who might, hypothetically have had the information before, but definitely do once Google publicizes them.

You are talking about an ideal situation; we are talking about a real situation that is happening in the real world right now, wherein the option of Google reports bug > FFmpeg fixes bug simply does not exist at the scale Google is doing it at.

GabrielTFS · a month ago
A solution definitely ought to be found. Google putting up a few millionths of a percent of their revenue or so towards fixing the bugs they find in ffmpeg would be the ideal solution here, certainly. Yet it seems unlikely to actually occur.

I think the far more likely result of all the complaints is that Google simply completely disengages from ffmpeg and stops doing any security work on it. I think that would be quite bad for the security of the project - if Google can trivially find bugs at a high speed such that it overwhelms the ffmpeg developers, I would imagine bad actors can also search for them and find those same vulnerabilities Google is constantly finding, and if they know that those vulnerabilities very much exist, but that Google has simply stopped searching for them upon demand of the ffmpeg project, this would likely give them extremely high motivation to go looking in a place they can be almost certain they'll find unreported/unknown vulnerabilities in. The result would likely be a lot more 0-day attacks involving ffmpeg, which I do not think anyone regards as a good outcome (I would consider "Google publishes a bunch of vulnerabilities ffmpeg hasn't fixed so that everyone knows about them" to be a much preferable outcome, personally).

Now, you might consider that possibility fine - after all, the ffmpeg developers have no obligation to work on the project, and thus to e.g. fix any vulnerabilities in it. But if that's fine, then simply ignoring the reports Google currently makes is presumably also fine, no?

GabrielTFS commented on You Don't Need Anubis   fxgn.dev/blog/anubis/... · Posted by u/flexagoon
agnishom · 2 months ago
lets say that that adding Anubis does the job of adding 10 seconds of extra compute for the bot when it tries to access my website. Will this be enough to deter the bot/scraper?
GabrielTFS · a month ago
Empirical evidence appears to show that it is ¯\_(ツ)_/¯
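The "extra compute for the bot" that agnishom asks about above is a proof-of-work challenge. As an added example that is not part of this thread and not Anubis's own code, here is a hashcash-style version of that check: the server hands out a random nonce and a difficulty, the client must find a counter whose SHA-256 hash has that many leading zero bits, and the server verifies with a single hash. The challenge format, the HMAC binding that lets a stateless server recognise its own challenges, and the field names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed example of a hashcash-style proof-of-work gate, the kind of check
# Anubis puts in front of a site. Not Anubis's code: the challenge layout,
# the HMAC tag and the field names below are assumptions for illustration.

SERVER_KEY = os.urandom(32)  # per-deployment secret, never sent to clients


def issue_challenge(difficulty_bits, ttl_seconds=60):
    """Server side: random nonce, difficulty and expiry, bound by an HMAC.

    The tag lets the server later confirm it really issued this challenge
    (with this difficulty and expiry) without storing any per-client state.
    """
    nonce = secrets.token_hex(16)
    expires = int(time.time()) + ttl_seconds
    payload = f"{nonce}:{difficulty_bits}:{expires}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "difficulty": difficulty_bits,
            "expires": expires, "tag": tag}


def leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve(challenge):
    """Client side: brute-force a counter until the hash meets the difficulty.

    Expected cost is about 2**difficulty SHA-256 evaluations; this is the
    work the scraper has to pay per challenge.
    """
    prefix = f"{challenge['nonce']}:".encode()
    counter = 0
    while True:
        digest = hashlib.sha256(prefix + str(counter).encode()).digest()
        if leading_zero_bits(digest) >= challenge["difficulty"]:
            return counter
        counter += 1


def verify(challenge, counter, now=None):
    """Server side: one HMAC and one SHA-256, whatever the difficulty."""
    now = time.time() if now is None else now
    payload = (f"{challenge['nonce']}:{challenge['difficulty']}:"
               f"{challenge['expires']}").encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False  # not our challenge, or the client lowered the difficulty
    if now > challenge["expires"]:
        return False  # stale: blocks replaying one solution for a long time
    digest = hashlib.sha256(
        f"{challenge['nonce']}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= challenge["difficulty"]


def expected_seconds(difficulty_bits, hashes_per_second):
    """Expected solve time for a solver with the given hash rate."""
    return (2 ** difficulty_bits) / hashes_per_second


if __name__ == "__main__":
    c = issue_challenge(16)
    n = solve(c)
    print("solution", n, "valid:", verify(c, n))
    # The same difficulty costs very different wall-clock time depending on
    # who is hashing: browser JavaScript vs. a native multi-core solver.
    print("browser ~1e5 H/s:", expected_seconds(16, 1e5), "s")
    print("native ~1e8 H/s:", expected_seconds(16, 1e8), "s")
```

The asymmetry is the whole design: solving costs 2**difficulty hashes, verification costs one, and the difficulty is fixed by the server. The `expected_seconds` helper makes the point behind the "10 seconds" question concrete: a difficulty tuned to take a browser ten seconds takes a native solver with a thousand times the hash rate about ten milliseconds, so the deterrent is a cost ratio, not a fixed delay.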
GabrielTFS commented on You Don't Need Anubis   fxgn.dev/blog/anubis/... · Posted by u/flexagoon
yellow_lead · 2 months ago
Yup, I'm against the AI scraping. But personally for me, the equation breaks when I'm getting delays and errors when just visiting a bug tracker.

Sounds like maybe it'll be fixed soon though

GabrielTFS · a month ago
Do you find no one at all being able to access the bug tracker to be preferable to "getting delays and errors"?
GabrielTFS commented on The fix wasn't easy, or C precedence bites   boston.conman.org/2025/10... · Posted by u/ingve
pjmlp · 2 months ago
That style predates Windows.
GabrielTFS · 2 months ago
I would guess a significant portion of people using the style (if not most) did so inspired by Windows, though.
GabrielTFS commented on The X.Org Server just got forked (announcing XLibre)   github.com/X11Libre/xserv... · Posted by u/throwaway1482
e844dbe8fb · 6 months ago
Because they're paid by Red Hat to make the Linux desktop unusable? We know.
GabrielTFS · 6 months ago
Can someone explain what the big idea with that is? I keep seeing conspiracy theories about how Red Hat is sabotaging the Linux desktop on purpose, but I would quite honestly like to see an explanation as to *why* Red Hat would do that.

u/GabrielTFS · Karma: 90 · Cake day: May 8, 2022