On Wed, Apr 8, 2026 at 4:16 PM Martin Cracauer <[email protected]> wrote:
> Raúl Cuza wrote on Wed, Apr 08, 2026 at 03:18:04PM -0400:
> >
> > The number of people who can patch vulnerabilities will also grow, if
> > projects can accept their patches.
>
> If you can review them with enough throughput.
>
> I think there is an obvious imbalance between the number of
> independents coming up with holes, exploits and patches and people who
> are trusted by the project to judge whether those patches are correct,
> don't break anything unrelated and are not secretly malicious.
>
> Martin
> --
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> Martin Cracauer <[email protected]> http://www.cons.org/cracauer/

I am guessing this is a reaction to the proclamation by the company that leaked all their source code through typescript that they now have a tool that finds all the bugs.

The world already had insurmountable tech debt: https://arxiv.org/pdf/1908.00827

The AI is making it so fast they have to shift the conversation. So the last market blitz (we can write cobol) has now moved to (we can find all the bugs in ffmpeg).

https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/

Great all! Three volunteer FFMPEG committers are tired of the bug reports. It is amazing how companies with, say, 13-200 billion dollars can tell you how their GPUs find all the bugs. The problem is they sell all their services at a loss.

On Reddit folks are on fire every day about how the AI providers are capping them :)
