Better if nobody buys it.

> That is standard practice.

It's standard practice for commercially-sponsored software, and it doesn't necessarily fit volunteer maintained software. You can't have the same expectations.

Vulnerabilities should be publicly disclosed. Both closed and open source software are scrutinized by the good and the bad people; sitting on vulnerabilities isn't good.

Consumers of closed source software have a pretty reasonable expectation that the creator will fix it in a timely manner. They paid money, and the (generally) the creator shouldn't put the customer in a nasty place because of errors.

Consumers of open source software should have zero expectation that someone else will fix security issues. Individuals should understand this; it's part of the deal for us using software for free. Organizations that are making money off of the work of others should have the opposite of an expectation that any vulns are fixed. If they have or should have any concern about vulnerabilities in open source software, then they need to contribute to fixing the issue somehow. Could be submitting patches, paying a contractor or vendor to submit patches, paying a maintainer to submit patches, or contributing in some other way that betters the project. The contribution they pick needs to work well with the volunteers, because some of the ones I listed would absolutely be rejected by some projects -- but not by others.

The issue is that an org like Google, with its absolute mass of technical and financial resources, went looking for security vulnerabilities in open source software with the pretense of helping. But if Google (or whoever) doesn't finish the job, then they're being a piece of shit to volunteers. The rest of the job is reviewing the vulns by hand and figuring out patches that can be accepted with absolutely minimal friction.

To your point, the beginning of the expectation should be that vulns are disclosed, since otherwise we have known insecure software. The rest of the expectation is that you don't get to pretend to do a nice thing while _knowing_ that you're dumping more work on volunteers that you profit from.

In general, wasting the time of volunteers that you're benefiting from is rude.

Specifically, organizations profiting off of volunteer work and wasting their time makes them an extractive piece of shit.

Stop being a piece of shit, Google.

why are the standards and expectation different for google vs an independent researcher? Just because they are richer, doesn't mean they should be held to a standard that isn't done for an independent researcher.

The OSS maintainer has the responsibility to either fix, or declare they won't fix - both are appropriate actions, and they are free to make this choice. The consumer of OSS should have the right to know what vulns/issues exist in the package, so that they make as informed a decision as they can (such as adding defense in depth for vulns that the maintainers chooses not to fix).

They are different because the independent researchers don't make money off the projects that they investigate.

Google makes money off ffmpeg in general but not this part of the code. They're not getting someone else to write a patch that helps them make money, because google will just disable this codec if it wasn't already disabled in their builds.

Also in general Google does investigate software they don't make money off.

> Also in general Google does investigate software they don't make money off.

An organization of this size might actually have trouble making sure they really don't use code from that project. Or won't do so in the future.

> independent researchers don't make money off the projects that they investigate

but they make money off the reputational increase they earn for having their name attached to the investigation. Unless the investigation and report is anonymous and their name not attached (which, could be true for some researchers), i can say that they're not doing charity.

That's a one-time bonus they get for discovering a bug, not from using the project on production. Google also gets this reward by the way. Therefore it's still imbalanced.

I'm an open source maintainer and I have never been in a situation where someone filing a security issue will withhold indefinitely, nor would I ever think of asking them to withhold forever. If there are some complications maybe we can discuss a delayed disclosure but ffmpeg is just complaining about the whole concept of delayed disclosures which seems really immature to me.

As a user of ffmpeg I would definitely want to know this kind of information. The responsibility the issue filer has is not to the project, but to the public.

You disclose so that users can decide what mitigations to take. If there's a way to mitigate the issue without a fix from the developers the users deserve to know. Whether the developers have any obligation to fix the problem is up to the license of the software, the 90 day concession is to allow those developers who are obligated or just want to issue fixes to do so before details are released.

So no one should file public bug reports for open source software?

This is standard practice for Linux as well.

If you boil it down to the AI companies are making money (subscriptions, etc.) based on content they did not pay to produce, then they are profiting from someone else's hard work.

If you boil it down anyone on this planet can access ChatGPT (and other for profit LLMs) for free to answer any question they might have.

Knowledge is shared among humanity at a rapid speed. Everyone benefits.

It’s mind boggling how anyone could be opposed to that.

Do you use google search for work? Then you are profiting from someone else's hard work!

The difference is that when you search on Google - at least before AI overviews - you end up at the source site.

Also Google respects robots.txt. Every site that Google surfaces chose to be in the index.

Revenue is not profit.

I didn't say it was. I understand that profit = revenue - cost.

I said they're profiting from other people's hard work, a separate concept.

'stealing is fine if you lose money when reselling'

profiting != profit

He either doesn't know who he is, in which case why is he pardoning him, or he does know who he is, in which case he's brazenly lying.

Or he's so dementia ridden that he did know who he was, but no longer, in which case why is he in office?

He says it in the video, because good people recommended it. I can very much believe that this is how it works.

> because good people recommended it.

So doesn’t that mean he should know him now?

NATS is also half-owned by the UK government + they have a golden share.

Why build a synthetic data Wikipedia when Wikipedia exists? Except to push some political point like Grokipedia seems to be for.

Wikipedia’s coverage looks broad, but it still can’t keep up with how fast knowledge grows. And the gaps are even more severe in non-English versions of Wikipedia.

It's good that all of those things are definitely not prone to massive bubbles.

It's an interesting idea, but how would you actually calculate that value? It seems to border on impossible.

Luckily Larry Ellison is 81, so he's got a limited window in which to do too much damage.

Oh I'm sure his son will pick up the torch and keep moving forward with it.

It's not worth anyone's time to meticulously fact check known (and I'm being kind here) 'exaggerator' Sam Altman, because by the time you're done, he's already spread 10 more 'exaggerations'.