Bio field too short. Ask me about my person/beliefs/etc if you want to know. Or just look at my post history.

  • 0 Posts
  • 4 Comments
Joined 2 years ago
Cake day: August 3rd, 2023

  • Hell, I don’t submit help requests without a confident understanding of what’s wrong.

    Hi Amazon. My cart, ID xyz123, failed to check out. Your browser javascript seems to be throwing an error on line 173 of “null is not an object”. I think this is because the variable is overwritten in line 124, but only when the number of items AND the total cart price are prime.

    Generally, by the time I have my full support request, I have either solved my problem or solved theirs.


  • I agree that this is a problem.

    “Responsible disclosure” is a thing where an organization is given time to fix their code and deploy before the vulnerability is made public. Failing to fix the issue in a reasonable time, especially a timeline that your org has publicly agreed to, will cause reputational harm and is thus an incentive to write good code that is free of vulns and to remediate ones when they are identified.

    This breaks down when the “organization” in question is just a few people with some free time who made something so fundamentally awesome that the world depends on it and have never been compensated for their incredible contributions to everyone.

    “Responsible disclosure” in this case needs a bit of a redesign when the org is volunteer work instead of a company making profit. There’s no real reputational harm to ffmpeg, since users don’t necessarily know they use it, but the broader community recognizes the risk, and the maintainers feel obligated to fix issues. Additionally, a publicly disclosed vulnerability puts tons of innocent users at risk.

    I don’t dislike AI-based code analysis. It can theoretically prevent zero-days when someone else malicious finds an issue first, but running AI tools against that xkcd-tiny-block and expecting that the maintainers have the ability to fit into a billion-dollar company’s timeline is unreasonable. Google et al. should keep risks or vulnerabilities private when disclosing them to FOSS maintainers instead of holding them to the same standard as a corporation by posting issues to a git repo.

    An RCE or similar critical issue in ffmpeg would be a real issue with widespread impact, given how broadly it is used. That suggests that it should be broadly supported. The social contract with LGPL, GPL, and FOSS in general is that code is released ‘as is, with no warranty’. Want to fix a problem? Go for it! Only calling out problems just makes you a dick: Google, Amazon, Microsoft, 100s of others.

    As many have already stated: If a grossly profitable business depends on a “tiny” piece of code they aren’t paying for, they have two options: pay for the code (fund maintenance) or make their own. I’d also support a few headlines like “New Google Chrome vulnerability will let hackers steal your children and house!” or “watching this youtube video will set your computer on fire!”


  • Not just the primaries! My city is pretty purple. We tend to vote republican by a slim majority in larger races (think 51/49), but in the mayor and city council race that just happened, the republican mayor won at like 66/33. Vote every chance or you cede your power to the people who do.

    The fix is to start local. Bob’s right: that school PTO experience will be on the candidate’s bio when they run for mayor, even if they are the karen-est karen, and it will sway a few people. That (R) mayor has power over a huge amount of how the city is run and many of the things people are locally unhappy with are a direct result of them electing a rich asshole. If we elect Dems locally, we might be able to sway people to our side when the situation gets better under our leadership.

    We individuals have the power but it’s got a bit of a lag-time to it. Become informed about how the DNC structure works (best done by joining your local precinct, even if you do nothing more than joining a few meetings). The precincts vote for who runs the county, the counties vote for who runs the state, the states vote for the nation and it’s all based on head-count of participants: a large precinct by population might only have a relative few people engaged and will not have as large an impact when voting in upstream elections. If we’re mad at DNC leadership or the options we have for congress/president, the fix is to ensure people at the precinct-level are the right ones.

    This comment is a direct response to anyone saying “both sides”, “dem’s are still corporate shills”, or similar defeatist comments. The “spineless dems” currently have power at the top of the party, but we can fix that. It will take work. It will require time, and that time will be hard to justify with little immediate result. This is the battle we need to fight right now, though. It just needs to be constant and not only complaining online and voting every 2-4 years.