Readit News
joatmon-snoo commented on Post-mortem of Shai-Hulud attack on November 24th, 2025   posthog.com/blog/nov-24-s... · Posted by u/makepanic
hrpnk · 17 days ago
TIL: yarn/pnpm has a minimumReleaseAge setting.

"We also suggest you make use of the minimumReleaseAge setting present both in yarn and pnpm. By setting this to a high enough value (like 3 days), you can make sure you won't be hit by these vulnerabilities before researchers, package managers, and library maintainers have the chance to wipe the malicious packages."

joatmon-snoo · 17 days ago
This setting is new and was introduced in response to the first round of Shai-Hulud attacks.
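What the quoted advice looks like in practice for pnpm, as an added illustration (not from the PostHog post-mortem or from either commenter). It assumes a recent pnpm where the setting lives in pnpm-workspace.yaml and is expressed in minutes, and that an exclusion list keyed `minimumReleaseAgeExclude` exists for packages you publish yourself:

```yaml
# pnpm-workspace.yaml (added illustration; assumes recent pnpm where this
# setting is read from this file and the value is a number of minutes)

# 3 days = 3 * 24 * 60 minutes. Versions published more recently than this
# are ignored at resolution time, so a freshly pushed malicious release
# cannot land in your lockfile before registries and maintainers have had
# a chance to pull it.
minimumReleaseAge: 4320

# Optional (assumed key name): packages your own org publishes can be
# exempted so that your own hot-fix releases are not held back by the gate.
minimumReleaseAgeExclude:
  - "@my-org/*"
```

The gate only buys time; it does not verify anything about the package. It is most useful alongside a committed lockfile and frozen installs in CI, so that the delayed version is also the reviewed version.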
joatmon-snoo commented on FFmpeg dealing with a security researcher   twitter.com/ffmpeg/status... · Posted by u/trollied
fabrice_d · 2 months ago
It is absolutely Google's security issue if they use an open source project with that license:

https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/HEAD:/COPYING....

and then expect volunteers to provide them fixes.

joatmon-snoo · 2 months ago
Google never asked a volunteer for a fix.

This is part of Google’s standard disclosure policy: it gets disclosed within 90 days starting from confirmation+contact.

If ffmpeg didn’t want to fix it, they could’ve just let the CVE get opened.

joatmon-snoo commented on FFmpeg dealing with a security researcher   twitter.com/ffmpeg/status... · Posted by u/trollied
TZubiri · 2 months ago
You think google uses ffmpeg for youtube?
joatmon-snoo · 2 months ago
They do.
joatmon-snoo commented on FFmpeg dealing with a security researcher   twitter.com/ffmpeg/status... · Posted by u/trollied
cebert · 2 months ago
It looks like the FFmpeg account on X is calling out Google for using AI to mass-report CVEs in obscure volunteer maintained codecs, then expecting unpaid maintainers to rush fixes. Large, profitable firms rely on FFmpeg everywhere, but don’t seem to be contributing much to the project.
joatmon-snoo · 2 months ago
No, this is the unfortunate reality of “ffmpeg is maintained by volunteers” and “CVE discovered on specific untrusted input”.

Google’s AI system is no different than the oss-fuzz project of yesteryear: it ensures that the underlying bug is concretely reproducible before filing the bug. The 90-day disclosure window is standard disclosure policy and applies equally to hobby projects and Google Chrome.

joatmon-snoo commented on Cryptographic Issues in Cloudflare's Circl FourQ Implementation (CVE-2025-8556)   botanica.software/blog/cr... · Posted by u/botanica_labs
CiPHPerCoder · 2 months ago
Most people don't make their spam public, but I did when I ran this bounty program:

https://hackerone.com/paragonie/hacktivity?type=team

The policy was immediate full disclosure, until people decided to flood us with racist memes. Those didn't get published.

Some notable stinkers:

https://hackerone.com/reports/149369

https://hackerone.com/reports/244836

https://hackerone.com/reports/115271

https://hackerone.com/reports/180074

joatmon-snoo · 2 months ago
This is great to see, much appreciated for the disclosure!
joatmon-snoo commented on Sampling and structured outputs in LLMs   parthsareen.com/blog.html... · Posted by u/SamLeBarbare
ninadpathak · 3 months ago
You're spot on about the "perfect" JSON bar being unreachable for now. The only consistently reliable method I've seen in the wild is some form of constrained decoding or grammar enforcement—bit brittle, but practical. Sampling will always be fuzzy unless the architecture fundamentally shifts. Anyone claiming zero-validity issues is probably glossing over a ton of downstream QA work.
joatmon-snoo · 3 months ago
We’ve had a lot of success implementing schema-aligned parsing in BAML, a DSL that we’ve built to simplify this problem.

We actually don’t like constrained generation as an approach - among other issues it limits your ability to use reasoning - and instead the technique we’re using is algorithm-driven error-tolerant output parsing.

https://boundaryml.com/

joatmon-snoo commented on Magic Lantern Is Back   magiclantern.fm/forum/ind... · Posted by u/felipemesquita
joatmon-snoo · 3 months ago
For folks who don't know what Magic Lantern is:

> Magic Lantern is a free software add-on that runs from the SD/CF card and adds a host of new features to Canon EOS cameras that weren't included from the factory by Canon.

It also backports new features to old Canon cameras that aren't supported anymore, and is generally just a really impressive feat of both (1) reverse engineering and (2) keeping old hardware relevant and useful.

joatmon-snoo commented on Flattening Rust’s learning curve   corrode.dev/blog/flatteni... · Posted by u/birdculture
baalimago · 7 months ago
>For instance, why do you have to call to_string() on a thing that’s already a string?

It's so hard for me to take Rust seriously when I have to find out answers to unintuitive questions like this

joatmon-snoo · 7 months ago
Strings are like time objects: most people and languages only ever deal with simplified versions of them that skip a lot of edge cases around how they work.

Unfortunately going from most languages to Rust forces you to speedrun this transition.

u/joatmon-snoo

Karma: 2344 · Cake day: December 1, 2015
About
hackernews[at]sxlijin[dot]com