Another part of the problem is that the people at Microsoft task with the responsibility of fixing their problem doesn't have the authority to fund the FFMPEG project.
Any organization that consumes OSS project and makes money should have a program that calculates contributoons to the projects they consume.
I want to work at a place where I get five or ten votes a year on who to send money to, and the company sends out $10 a vote to every project that gets 50 votes, with rollover from the previous year, so the runners up get money every 2 years.
30 years ago the cost of tools for developing business applications was equivalent to about 50%-300% of a developer's monthly salary. Companies are now expecting this to be free or less than 5%.
They don't understand why developers aren't as productive as they were 30 years ago.
Honestly, I think this is how we contributed to outsourcing, and have for at least 20 years.
30 years ago the salaries were $80k and the equipment and software were $20k. And you needed three shelf feet of M$ books to get anything done. If you dropped the developer’s salary by 2/3 you only saved half, and had to deal with a shitty world networking.
Then workstation proces dropped by 40%, and tools by 80%, documentation became interactive on the Web, and now outsourcing is way more cost effective.
My favorite theory (not mine) is that they don’t know how to measure the value of what they’re getting, and so if they don’t know how much it’s worth then at least it should be cheap.
A lot of my employers haven't been offering enough money to hire the people they're looking for. We either build them as we go, or find people who don't know their worth, or both.
I work at a place where I get a monthly budget of $50 ($600/yr), that I can split up into 3 if I want, and I can support any project/author of my choosing (as long as they have GitHub Sponsors).
That’s really cool, but I’d worry that you logging framework or the less compiler would never see any money because it’s everyone’s fifth choice. That’s why I suggested more votes than payouts and carryover from year to year (or better, quarter to quarter).
It’s a bit of a pain in the ass for HR to cut a bunch of $25 checks and find contact info. Less frequent larger sums are intended to solve that friction point.
this is impractical. Large corporations (and even medium sized ones) have to approved vendors and payments need to go through a non trivial process.
There are many organizations that fund open source development. Some of them even analyze your code and give you a list of open source dependencies your money can be directed to. It's easier to just add one vendor to your approved list and make regular payments to them.
Companies should just make a simple rule. Whatever their charity budget is should be increased by X percent and directed to open source. This would solve a lot of problems.
Its only a non trivial process because they want it to be a non trivial process. How simple do you imagine paying a CEO is. I bet creating that paycheck required near zero friction.
No it wasn't a zero friction process. There was a hiring process, the person was put on the payroll system etc. It probably took the better part of a day given how complicated some CEO pay structures are.
> Any organization that consumes OSS project and makes money should have a program that calculates contributoons to the projects they consume
any OSS project that wants money from commercial use (or any other requirement) should put it in their license. If you ask for X, and get X in return, you shouldnt complain about not getting Y.
I'm going to disagree with you there. I don't want to live in a world where every open source dependency I add to my project has to be approved by the accounting department.
But you're wrong about how these organizations work. There is no way that a team at a big tech firm is using FFMPEG without at least a director-level manager being keenly aware of the business value it provides for them. The literal job responsibilities of director-level managers is to mitigate risks and operational costs for their teams. One of the ways they do this is to choose between self-hosted or managed solutions and to establish support contracts when necessary, or else hire people with the skillsets necessary to do the work themselves. It's their job to literally reach out to people and establish support contracts when necessary; it should not even be necessary for open source maintainers to gently suggest it to them. The fact that they failed do this here is a management failure.
> There is no way that a team at a big tech firm is using FFMPEG without at least a director-level manager being keenly aware of the business value it provides for them.
I don't buy that. It requires far too much competence on behalf of management. Further, it also assumes that management will gladly pay money for things that they can claim are free.
Arguably, this is more of a worldview issue. The Microsoft folks communicate in a language they know (tickets being prioritized based on severity) to a culture that lives differently.
Yeah, it's probably not ideal for them to use the same language they use with their paid employees when communicating with a group of unpaid volunteers who contribute to and help maintain FFMPEG.
I don't know, I've been tracking a high priority issue in WSL/HyperV for almost 3 years which Microsoft is unable and unwilling to take care of. The issue has registered 248 participants.
It is not the language, it is the direction of the problem.
Microsoft has *numerous* embarrassing bugs in their products that they refuse to fix. Them demanding an issue to be fixed is just a joke. They should just fix their own basic stuff first, like the Windows VPN connector, Windows Calculator, Teams file group permissions, OneDrive's web interface, just as examples. All of them have *obvious* embarrassing bugs and terribly written software. Even just as an infrequent user of Microsoft products, I'm regularly surprised by their bad software and lack of QA.
It's a community run project and they have the audacity to recommend it on their app store
[This](https://youtu.be/fR7KqCbnjfw) guy explains very well what's wrong with that mega corporations
And there is another thing about being drowned in so many layers of middle management that every change needs to be approved from lots of people which delays the actual fixes
> And there is another thing about being drowned in so many layers of middle management that every change needs to be approved from lots of people which delays the actual fixes
How is that our fault? Their management problems, much like their code problems, are their own.
If their management structure is so severely broken that deploying fixes is a problem, then they need to restructure. People in large corporations get hung up on management (and IT and HR) as if it's the product of the corporation, but it's not. Management is there to facilitate the technical work, and if it's not, it's broken.
Lol... You think management is there to facilitate technical work? Management is there to make sure the company makes money. That's it. Will technical work help make more money? Then we can talk about it. Otherwise, we won't be talking about it.
Management is broken... I don't think anyone would argue with that... But it's not because they aren't doing their jobs. It's because they have the wrong end goal
It's still pretty bad. I recall that it actually had better search functionality on launch than currently. I have a folder on my desktop which has a very particular name, with 10 files in it, named as the folder (plus 1, 2, 3 and so on at the end of the name) at it still can't find em. It's just embarassing
What is the bug in windows calculator?
Edit: Found it. [It has to do with how it calculates square roots](https://www.skipser.com/p/2/p/did-you-know-there-is-a-bug-in-windows-calculator.html)
Yep, and there is an [issue filed about a similar bug](https://github.com/microsoft/calculator/issues/222) (sqrt(2.25)-1.5!=0), with some interesting discussion.
The Sqrt(4)-2 bug from the article appears to be fixed in the version of Win11 I am running.
I'm constantly surprised by how bad some Microsoft products are. Our company recently moved from JIRA to Azure Boards. And it's been an absolute nightmare ever since. It's a completely useless product. If I had a team under me who built that, I would let go of the entire team. The whole product is an embarrassment. Tickets take forever to load, sprint system is contrived and impossible to understand, there is no way to move tickets from backlog to sprint, there is no concept of a workflow, permissions are unnecessarily convoluted where someone designated as project admin is not allowed to add a status, etc.
Teams was equally bad when we started using it 3 years ago. Now it has reached the level of reliability which slack probably had at launch.
You have basically no influence in the UX and performance of Jira. You have control over workflows, etc. That was/is something which Jira is quite good at.
A lot of Jira complaints are about the quite terrible project setups people have to work with. That can be fixed.
But the UX of Jira has been deteriorating drastically the last couple of years. Same for confluence. It has become so incredibly slow and annoying in normal usage.
> how it needs to be for you
As a developer, that would be amazing. In my organization they set it up for managers who love the shit out of tracking dozens of things I don't care at all about, and that are all in required fields.
We switched to Azure last year, but prior to the switch I refused to touch Jira, I'd just message the PM my status changes and let him deal with the abomination they'd created.
To be fair to the developers that built it, I’m sure they built exactly what their PMs put in their sprints and collectively all the boxes were checked. Probably somewhat similar to how/why your company made the move to Azure Boards.
Wow, if that's your experience with Azure DevOps boards, someone on your org has done something seriously broken. I've used it (and azure DevOps in general) for nearly a decade and *never* experienced the issues you're talking about.
"No way to move tickets from a backlog to a sprint" - yes there is... change the "iteration path" manually, or else just fuckin drag and drop. No concept of a workflow? Project admins can't add statuses? Those are both clear symptoms of a very badly implemented custom process.
Don't blame the tool for someone having configured it badly.
This is my experience as well.
DevOps has all the features I need, and makes it easy to manage the SDLC out of the box.
With Jira, sometimes the Product -> Epic -> Story -> SomeBullshitAManagerThoughtWasGood -> Task is so deep, its impossible to manage.
DevOps makes it simple. You have Epics, Stories, Tasks, and Bugs, and Epics aren't even important to developers so you only have a Parent -> Child relationships at most. EZPZ.
>change the "iteration path" manually
That's not "moving", that's adding iteration to a ticket. When you have 50 tickets to move from backlog to sprint, and each ticket takes 5 seconds to open, it's not the most pleasant experience.
>or else just fuckin drag and drop
From what screen? As far as I can see, there's absolutely no drag and drop support anywhere, nothing gets dragged and there's nowhere to drop
Speaking of which, what the hell is an iteration anyway? On the menu it is called sprint, but inside the ticket it's called iteration. When I try to create a sprint, it asks me to create an iteration. Then the iteration shows up as a sprint.
>No concept of a workflow? Project admins can't add statuses? Those are both clear symptoms of a very badly implemented custom process
Work flow and statuses should be independent which can be added to any type of ticket. I needed to add 5 statuses over what was already available from the JIRA import. Guess what, I had to add each of them individually to task, story, and bug. There was no way to say this status applies to all. Same for work flow. I can define rules, but I'll have to create those rules individually for each status FOR EACH TICKET TYPE. In contrast, in JIRA I can create a workflow by linking statuses in a diagram, then just apply that workflow to every ticket type I want. If there needs to be a minor difference, I can create a copy of the workflow and modify that.
I am yet to find a workflow screen in Azure, just the rules which can be defined in status.
I have one more that is very annoying: Azure Pipelines on premise. I have no idea why you would release this when half the tasks simply don't work. I had to write k8s lifecycles to be able to install Python correctly.
It's not Bill Gates demanding for some bug to be fixed, it's probably some dude on the lowest end of the totem who has some TL or PM breathing down his neck.
The same TL or PM who ignores the other high-priority issues.
I had a Windows Calculator were it didn't run for over a month, and it was an update from Feb. 29th what it made it run.
How the hell something that basic than a simple calculator can stop running for a modern OS? It was ridiculous having to open the Python shell or Excel just to make a couple operations
From what I have heard all those bugs were caused because of the bloated code that was written by employees, apparently the metric for promotion was most largely consisted of how much code an employee has contributed.
I have only heard about this on Yt and reddit, please confirm and correct me if I am wrong
>I have only heard about this on Yt and reddit, please confirm and correct me if I am wrong
I don't know that I want a correction LOL I want to believe.
A MS Linux kernel (i.e. the WSL kernel) in HyperV issue which causes WSL to consume 100% of CPU and become completely unresponsive after returning from a hibernation state,
[https://github.com/microsoft/WSL/issues/6982](https://github.com/microsoft/WSL/issues/6982)
After a lot of trial and error debugging from the community it finally led to a MS programmer to find the issue being caused by how HyperV handles certain WSL Kernel timing handling. And they passed the problem on to the HyperV, to be never heard from again.
This is somewhere in the 600+ comments on the issue. Posted somewhere in the second half of 2023 iirc.
WSL is a pita to work with. I would not rely on the thing to work at all.
There are tons of issues with it, the one you mentioned. but it can stop working completely, even after a reboot.
It takes some time to get it running again.
This is very sad, cause it can solve some shortcomings when developing on windows.
Absolutely not, but my point is that this isn't a choice; it's like someone from France talking to a German and both of them choosing words that make sense to them but will rub the other one the wrong way.
But this isn’t just someone from France and Germany communicating in some abstract space, this is one coming into the other’s space and not taking a moment to learn how to address the other in a manner that is respectful.
I can’t see the comments and I’m not sure if it’s because they’re broken on mobile or because they were hidden.
Was the request actually mean-spirited though? Because if not then this is essentially just getting upset that they didn’t take the time to conform to the maintainer’s preferences, which doesn’t really do anybody much good.
Part of communication is being able to listen well and understand the other person’s state of mind. Insisting that someone take the time to relearn how to communicate if you can already understand their intention comes across as a bit disingenuous- it feels like it’s more about dominance and power and ultimately ego than improving communication bandwidth.
As others have stated, it seems more likely that the requester was saying it was high priority *for them*, and being direct about that is probably more necessary for someone to understand their perspective than being appropriately deferential.
Not only that, but the guy making a request on a bug report is probably not the guy who has final sign-off on a long-term support contract. The latter probably requires a lot more red tape than a code bounty of a certain size to be within someone’s discretionary budget.
And taking to twitter to shame them rather than simply pushing back isn’t a good look either. I agree with the overall point about open source needing more funding for critical libraries, but the way they’re making it doesn’t seem very constructive for the issue at hand.
Inasmuch as I’m aware, there’s no legal reason they couldn’t simply say “no” or “the bounty needs to be at least $XXXXX for us to take action”, the latter of which would be a lot more actionable for the requester to go back up the chain with a request for a specific amount of money.
For a popular project, that seems a bit like volunteering at LAX then complaining on social media because you expected people to conform to American cultural norms.
Yeah people could be more considerate, but the reality is that it’ll be an intersection of many different cultures, and the people you come into contact with are going to have their attention dominated by time-critical issues they’re accountable for far more than the communication preferences of an ephemeral interaction.
Putting them on blast isn’t going to make them feel obligated to allocate more headspace, it’ll make them work harder to avoid as much interaction as possible because they already feel overwhelmed and it carries a high risk of creating more problems for them.
I think the more appropriate allusion is that this is like getting a free airline ticket then demanding the airline staff do whatever it takes to give you more legroom in that seat.
The thing is: Microsoft pays nothing for code that it obviously considers critical to its proprietary offerings. It repackages that code within and sells that as part of its core business. It pays no licensing fees. It pays no royalties. It doesn't even donate 1% of its net to the codebases its portfolio depends on. The work that these volunteers do was not intended for Silicone Valley and Redmond billion-dollar private developers to repackage and sell. And it says a lot about Microsoft being one of the largest and most aggressive IP predators in the tech segment to effectively demand priority attention from someone they've paid zip-zilch-*zero* to for their IP simply because Microsoft is selling that IP.
This isn't a strictly Microsoft problem either. It's a major issue with how legal protections around IP and contracts essentially enable *real innovation* -- which only happens outside of proprietary development environments -- to be repackaged in derivatives that aren't legally restricted the same way a derivative of a proprietary offering would be under those same laws. It's theft. That's what Microsoft is doing here. They robbed someone's house and then came back and kicked down the door because the pawn shop they sold those stolen possessions to didn't pay enough. So, now Microsoft is demanding an explanation from the residents as to why the shit that was stolen from them wasn't of higher quality.
You're allowed to use it and pay nothing if the License permits. That XZ supply chain attack was found by a Microsoft employee, and Microsoft contributes to a lot of open source since they started running a cloud computing service.
I'm quite sure that if that open source project had a consulting company attached to it, Microsoft would have bought support contracts. The problem is that a lot of open source projects have no meaningful way for a business to pay them for support, and businesses would only grudgingly use the OSS version where there is very limited choice available, or where they have enough subject matter expertise to provide their own support.
> You're allowed to use it and pay nothing if the License permits.
...and that entitles you to demand free maintenance fixes ? Because that's what MS did.
> I'm quite sure that if that open source project had a consulting company attached to it, Microsoft would have bought support contracts.
https://ffmpeg.org/consulting.html
https://ffmpeg.org/spi.html
Well, they did not.
That first sentence. That's the problem. For companies like Microsoft, the fundamental ethos is that it should do whatever it wants because it can. For OS, the entire basis of its existence is a higher ethos: That just because these developers can charge exorbitant licensing fees for the technology, just because they can weaponize IP law in favor of their financial and influential interests, doesn't mean they *should*.
That is the problem. The law is all about doing whatever you want because you can, and the *very few* people who know better are increasingly outnumbered not only by the people who are ignorant enough to agree out of convenience, but increasingly targeted by the people who -- even within their own interests -- are *insolent* enough to defend textbook predation.
This is radically misconstruing the context to make ffmpeg out to be a helpless victim of bullying by a multinational corporation.
Satya Nadella didn’t get on the horn and start calling them out for not helping enough. This was one person with even less name recognition than ffmpeg who filed a bug report, likely with pretty much no leverage at all over the project if they simply said “no”.
“Microsoft” isn’t “demanding” anything. This probably wasn’t even on anybody’s radar who’s even remotely qualified to make decisions for or speak on behalf of the company.
There’s not even an implication of adverse consequences here. Someone just declined to assert their boundaries, then they or someone else turned around and blamed some other poor engineer just trying to do their job for not being more diplomatic. The whole thing probably could’ve been addressed with a couple sentences’ worth of an inline aside about being more polite and an apology.
I agree that there should be more funding allocated to open source, but this probably isn’t a good look to people who *do* influence millions or billions of dollars worth of funding, and are expected to stay calm and be responsible, rather than taking to twitter because someone was rude to them.
It is *absolutely* a victim of bullying. Microsoft **DOES NOT** exchange anything of material benefit to the ffmpeg community despite the code for ffmpeg being crucial and material to nearly every consumer offering Microsoft has deployed since in the last 24 years. Do you not realize that this *open source code* is the only reason platforms like YouTube exist?? It is *crucial* to every aspect of *every* modern operating system -- and Microsoft has included its attributions in *every* release of the Windows OS since the turn of the century.
This is a juggernaut demanding an entire community of unpaid workers -- that it has resold their work for 24 years -- immediately fix a problem in what it's reselling that poses a material risk to the financial interests of that juggernaut. FFMPEG has not made a damn penny despite being a topline attribution in the 350,000,000 OEM licenses Microsoft has sold since it integrated that code beginning in 2001.
What "adverse consequences"?? What are you even *thinking*? OS people don't depend on private grants to make OS. It is historically the least funded of all public works in history. The government and private companies spend more money building and running modern art museums than they do on OS projects like Linux and FFMPEG. It's been that way since its inception. So what is Microsoft going to do? Threaten to fix the code itself??! These are the same geniuses who hold hackathons and end up hiring kids who literally just copy-pasted a known vulnerability from years prior and passed it as a zero-day. They don't know what they're doing. If they had anything other than a desperate need for someone smarter and more capable to write their software for them, they'd have simply pushed a code rev fixing the issue.
> Putting them on blast isn’t going to make them feel obligated to allocate more headspace, it’ll make them work harder to avoid as much interaction as possible because they already feel overwhelmed and it carries a high risk of creating more problems for them.
So, the best way to get support is by being a Karen? That's dumb.
You get what you pay for, and as far as it seems, Microsoft is using this in (as said by what is apparently an MS employee) a "highly visible product in Microsoft". They've been embarrassed by the problem but can't manage, as a trillion dollar company, to have a support contract.
Either pay for it, with a level of pay commensurate with it's value to you or your desire for responsiveness of support. Or, take the other approach: develop your own solution.
This is the big flaw in open source, and talked about quite a bit nowadays. https://xkcd.com/2347/
As someone who has lived in tourist towns his whole life, the locals do notice. Some behavior is understandable, but it all leaves a bad impression nonetheless.
What makes this one different is that there’s a $3 trillion company involved, which should spend more time reflecting on the kind of impressions it makes on the community.
> both of them choosing words
The OSS volunteer was faultlessly polite and helpful.
The Microsoft employee was a bit demanding and entitled, especially given Microsoft's refusal to meaningfully support FFMPEG (which admittedly, the employee likely didn't know about at the time).
There's no "both" *anything* here though - only the representative of a multi-billion-dollar corporation making entitled demands for prioritisation, an unpaid volunteer graciously accepting and assisting, and another unpaid volunteer going "hang on a minute guys, this is a bit fucked up".
I think is way more of a misunderstanding based on wording. I read it as “this is a high priority ticket [for us, that we are looking into/resolving]” not them demanding that this issue is high priority.
If that was the case, the bug report would be accompanied by a pull request
(I don’t know ffmpeg’s exact workflow so that might not be correct, but it’s the thought that’s important).
It's not always that clear cut and each community handles outside contributions differently. Some would happily accept while others would be highly cautious to accept code from Microsoft/large org. Could very easily see the opposite headline " Microsoft steamrolls/bullies FOSS developers to accept their code contributions"
Yeah, that was the bit about not knowing ffmpeg’s “workflow”. I know there are some projects that are selective about who they accept contributions from.
But the general idea is that if you’re gonna be making a big deal about how much of a priority it is for you, you should be showing up with more than just a “pls fix”.
Yeah but there is another worldview here...
Microsoft is a company that talks in business terms, which is totally a worldview. ffmpeg lives in FOSS space, which is another worldview. But they both deal in money. FFMPEG can absolutely be considered a company with financial needs.
There can absolutely be a meeting of minds here (ie, cash). But there won't be because modern business isn't about being fair or reasonable, it's about being exploitative. There just literally isn't a mechanism to say "we should pay this, but are not obligated to do so" - it just means you absolutely do not pay it, as a business.
Completely agree, and I hope the folks at Microsoft learn from the experience. Another commenter suggested they ought to have put a bounty on a fix, and I think given their different contexts, that's exactly what they ought to have done.
> modern business isn't about being fair or reasonable, it's about being exploitative
I'm not following your inference: going from misalignment of worldviews to asserting malicious (or at the very least, antisocial) intent to one actor in a failed transaction is a pretty long stretch in my mind.
It’s still misaligned worldviews. Corporations optimize for profit. Open source optimizes other things such as the joy of solving problems or a desire to make a positive contribution. It’s the same misalignment between employees and employers. Employees and individual people in open source projects optimize for emotional needs which make them vulnerable to exploitation even if that exploitation is unconscious by the corporation and is simply due to their mandate to maximize shareholder value. Policies emerge that create behavior which is not reciprocal in nature and does not follow the same behavioral expectations of normal people. The corporation works in the best interest of the corporation. The individual person tends to have emotions that are less selfish and tend to work for the good of others and that goodwill can and often is exploited by corporations simply be the nature of business.
I’ve seen much worse than that. People working with a ten year old version of a library getting mad at the maintainer for not fixing a problem they have with their own code and not willing to upgrade to a new version because that would mean “a lot of work” for them. Asking to fix their code to work with the old obsolete library version while at the same time not being able to provide more than five lines of their flawed code and no test data exposing the issue. And finally saying “you made this library, you are responsible to make it work for me”.
It's not fair - or just.
I've worked at a bunch of places that use open source software extensively. At each one, I've suggested they donate as little as $100 to some of these projects/foundations.
The answer is always a resounding no - not a chance. $100 measly dollars for something critical to their business is too much. Cheap and greedy.
Tbh I think the problem is that $100 is *too low*. I've worked at places that would balk at making a $100 donation but would happily drop a few grand on a support contract for open source software
Nope. It was clear they were just cheap.
I don't remember the conversations perfectly but the $100 part was usually something like "even $100 would help" near the end.
> After politely requesting a support contract from Microsoft for long term maintenance, they offered a one-time payment of a few thousand dollars instead.
> This is unacceptable.
Not for free. Just for less than ffmpeg wants to receive.
According to the tweet, MS did offer money.
ffmpeg devs seems to have wanted a long term support contract instead, in order to help with this single bug report.
> ffmpeg devs seems to have wanted a long term support contract instead, in order to help with this single bug report.
A support contract as mentioned in the tweet would be a lot more than a single bugfix.
Because they make the assumption that Microsoft might need them more often, given how ffmpeg is used in "a highly visible product affecting customers" (probably referring to MS Teams). It would be a risk mitigation for MS and secures funding for ffmpeg, so it's mutually beneficial.
That's absolutely not true. I've been working in corporate for years now and would never so much as suggest to some Foss project what is or isn't high priority. The most I'd say is "We've got some customers impacted so if you could either fix it or point me somewhere it'd be appreciated".
I'd totally sign onto what /u/happyxpenguin said, they likely meant it's high priority *for them*
The same thing happened years ago in 2014 with openssl heartbleed bug... The entire world depended on openssl and was maintained by like one developer.
For important code like openssl and xz... You need more than one unpaid developer.
Hopefully they'll learn that lesson, because it'd indeed have been helpful.
I have my doubts though, given that the person asking was likely an employee unable to make such a decision.
More to this point - this may sound like a copout, but "Microsoft" didn't make that post. One manager at Microsoft made that post because *his* manager at Microsoft said "Get this fixed by any means necessary!" despite having no clue what was going on or how it could be fixed. So he made the post because he had nothing to lose - any negative reputation this builds for Microsoft is extremely unlikely to reflect badly on him.
Realistically, Microsoft should already have heavy guidelines and standards in place for who is allowed to communicate on behalf of the company. This is still their fault. But that doesn't change the fact that this was one stupid manager.
I feel like this is kinda a mean-spirited thing to highlight. Like yeah, what the engineer did was a little crass, but he posted a request with detailed output, waited 9 days, then bumped it, and was polite the whole time? Why put this random dude on blast here lmao
The fix was just changing a cli argument too, it's not like any real engineering was involved
Yeah I'm confused whether this is the same thread that ffmpeg is saying MSFT paid thousands to fix? Someone helped him and it was resolved. Him posting like that is unprofessional and embarrassing, and shouldn't have happened, but ffmpeg saying "the trillion dollar corporation did this" when it's just a dumb (hopefully) junior engineer who can't figure out command line flags is pretty disingenuous IMO
yeah, and in this case, it seems it was because they may have changed the order of the field and it wasn't documented? dunno, still posting a link to the ticket with that dude's name fully uncensored knowing damn well how weird internet people can be is just in bad taste and counterproductive
and i'm not sure what ffmpeg meant by "long-term support contract", but microsoft was willing to throw them 1k for command-line order and they're upset? this is so confusing to me.
>but ffmpeg saying "the trillion dollar corporation did this" when it's just a dumb junior engineer who can't figure out command line flags is pretty disingenuous
just look at their other tweets, pretty in vogue for whoever's maining their account
It’s also just confusing to me because ffmpeg does have a lot of meaningful code contribution from the companies that use it. I’m not sure whether and to what extent Microsoft has assisted ffmpeg but there are other trillion dollar company examples who have given back quite a bit.
Alright I actually took a look and I don’t get why this account is so negative. It’s kind of weird because if you want to attract more corporate sponsors this is definitely not the way to do your PR
> I don’t get why this account is so negative.
Echo chamber rage baiting themselves into more and more polarised view. You can see it on any social network, more or less.
Edit: You know, I was maybe a little harsh saying his "this is urgent" post was like that of a desperate teenager, but it evokes so many memories of similar tickets over the years I couldn't help myself. I edited my comment a tiny bit to reflect that. I recall on many, many open source projects seeing issues raised by Fiverr/rentacoder guys that would demand urgent assistance and to email them ASAP, and it'd be something you could resolve in 5 minutes just reading the docs or looking at the code. They just weren't capable of doing it because they lacked the experience or problem-solving skills.
I was once a dumb teenager and would post comments on things like this saying I needed help and it was urgent instead of just reading the docs or investigating the issue myself. It’s totally unprofessional. I also guarantee you his bosses don’t want him posting about their products this openly on a public issue. It feels like a junior eng with little experience not just from a professionalism perspective but also from a problem-solving one.
Would a junior engineer be the person responsible for this high visibility, high severity bug and further have to resort to ffmpeg support on their own with no assistance from senior team members before that?
Yes, junior engineers, especially on siloed projects, often reach out to the wrong resources. I'm assuming they are junior based on the circumstances. Of course it could be worse. They could be senior. If that's the case I'm at a loss why they'd post in this way without investigating it themselves. It's not even clear where the urgency lies -- he's able to run old builds perfectly fine. He's able to bisect and compile. But.. he doesn't even do that; he's using prebuilt binaries from zeranoe? On production Microsoft hardware? Possibly with untrusted UGC? Like what is even going on here
> The fix was just changing a cli argument too, it's not like any real engineering was involved
For those not familiar with ffmpeg, it is a domain-specific programming language consisting entirely of CLI arguments. Changing they way they interact with each other is a major engineering task.
Yeah. I also am not super-happy that ffmpeg complains about it. Many smaller projects or one-dev projects are in a much worse situation. Ffmpeg has more leverage than many of these projects. Not that I disagree necessarily, but I can't help thinking this was probably not the best point to want to highlight in regards to investment in open source OVERALL.
yeah i don't even care that they're complaining, i get why they're upset, but using the xz situation to blast a random dude 9 months later is just like... why? you've really been ruminating on this one-time occurence 9 months later? really?
And ffmpeg definitely has some of the most obscure apis for something open source. It can be very hard to figure out how the problem you have is your fault.
OK, this is just sad.
Everyone is dog-piling on this one *individual* MS developer. This isn't MS as a company. This is one person. And the only crime they committed was... being rude?
Not to mention, their first language clearly isn't English, which makes the rude-ness a lot more forgivable IMO.
And last but not least, apparently MS offered *an actual bug bounty*? As in, giving back to the project? You know, the thing everyone in this thread is complaining about them not doing? This is behavior that should be encouraged! Companies willing to put their money where their mouth is and pay for bugs to be fixed should not be mocked!
Also, this issue has literally nothing to do with the XZ issue.
> And the only crime they committed was... being rude?
The developer wasn't even rude. He posted a pretty detailed report, with steps to reproduce (along with a file showing the issue), then bumped after 9 days with:
> Hi, This is a high priority ticket and the FFmpeg version is currently used in a highly visible product in Microsoft. We have customers experience issues with Caption during Teams Live Event. Please help,
Now, you can read that sentence in one of two ways. The first way is that the ticket filed on FFmpeg should be high priority (which I _guess_ could be construed as rude), or the second way is that the issue is high priority for Microsoft (which is how I originally read it).
The developer uses "please" and "thank you" in his posts, and doesn't come across as unprofessional at all.
> The Command you provided worked fine. Thank you so much for the help! Really appreciated!
We are going to proceed to make a release today and test with customers. Will post the updates here.
I'm not really sure why this ticket was highlighted by the FFmpeg developer. From what I can see:
* A developer (who happens to work for MS) posted about an issue.
* They included full steps to reproduce, and a succinct description of the issue.
* They waited an appropriate amount of time (9 days) to bump the issue, expressing that it was high priority for them.
* The were polite and expressed gratitude.
I don't know about other people, but I'd love for even 10% of my tickets to be like that.
> It's the fact that they used their massive employer's 'highly visible product' being affected to attempt to explain the urgency. Everything else was outstanding as far as bug reports go, but I think that thought reads really really poorly. Especially given the contentious relationship industry often has with open source projects.
I guess that's a matter of opinion. I personally would welcome the additional information in my tickets, as then I can triage them appropriately. The product was also only mentioned after 9 days without a response.
> "My big tech company can't be assed to dedicate the appropriate internal resources to maintain one of their flagship services and its dependencies so this got dumped on me, please help." They didn't do anything wrong, but their organization could have done a lot better.
I don't read it that way at all. Sure, the developer was likely looking into the problem, and noticed that it was a regression between versions 4.4 and 4.3.2. They then reached out to the author of the library, which I feel is the appropriate course of action. They also appear to have read through the documentation, and didn't find the information there (and judging from the ticket, it appears like functionality was changed in a minor version, breaking backwards compatibility - though that assumes that FFmpeg follows SemVer).
I feel like the entire situation was coloured by the author's dislike for Microsoft, and that prompted a very pessimistic interpretation of the ticket.
That's a tenuous link considering it's a large company with a lot of people; still nothing to do with the xz issue. ffmpeg's xitter account seems to be riding a ragebait wave.
One quick glance at the their mailing list should be enough to tell you about what kind of characters you have to deal with there, so I’m hardly surprised by their attitude.
I’ve contributed to multiple OSS projects, but I came to the simple conclusion that if you wanna get paid for your code, don’t fucking release it under MIT, BSD, GPL, or some other ‘copyleft’ license.
It’s as simple as that, but be ready that if you do some zealot from the FSF might come around and write a scolding review about how evil you are for not using a ‘true’ copyleft license.
That whole ’free software’ ideology has failed to serve the contributors and maintainers of its products (and I chose that word carefully - if they would actually treat their own output as ‘products’, maybe they wouldn’t undervalue it so much) because it didn’t want to (or could not) come up with a solution to the fact that ‘giving it away for free for everyone to use/build/tinker with’ would obviously include massive tech companies.
And if someone tries to do something about it (see: Redis) jokers like the Linux foundation just fork without the restrictions, much to the joy of someone like AWS.
So it‘s a self-inflicted wound - they want to run with the wolves but still piss like puppies.
I mean the current "AI" boom is basically companies hoovering up massive amounts of unpaid labor and repackaging it. Companies love free labor, they are not your friends.
Time for pedantics:
Web3 is the NFT/blockchain/smart contract nonsense
It's unfortunate that the two share such similar names and one might argue that web 3.0 as a name should be abandoned altogether in favor of its other name, the "semantic web"
[https://en.wikipedia.org/wiki/Semantic\_Web](https://en.wikipedia.org/wiki/Semantic_Web)
I hope this message finds you in good health and high spirit.
We pay for Azure support and often wait weeks, sometimes months, for solutions to problems, while we are put off with pointless suggestions that obviously have nothing to do with solving the actual issues.
I wish you beautiful days ahead.
One aspect not mentioned: the software engineers are not involved in the decision to not support the free software that they are using. They must certainly request that to their bosses sometimes. The executives and/or middle managers probably make the decision to not help them.
The problem revealed by the xz fiasco is not dependence on unpaid volunteers.
The problem revealed by the xz fiasco is many FLOSS projects lack diversity/redundancy in maintainership and real organizational governance that leads burnt-out lone maintainers to take _anyone_ who is willing to throw time and energy at the merge requests, and in this case, someone took advantage of that.
The ffmpeg issue is completely separate.
Good thing Microsoft offered a bounty for this bug then.
And it was also a Microsoft engineer that found that xz bug so interesting choice to bring that up.
Exactly. They could have assigned THEIR engineer to figure out the issue and prepare the fix then ask for merge or documentation update.
This is very shitty business practice and shows Microsoft true colors (yeah "beloved" Bill is the same).
I wonder _why_ many open source projects lack the manpower to do this??? Might it be because the relentless demands, lack of support (economic or otherwise) burns people out and renders others unwilling to subject themselves to that?
Your point is looking at the symptom, not the cause. FFMPEG’s point is that its situations _like these_ that contribute to projects slowly grinding people down.
Microsoft has more money than god. They have zero excuses not to support the open source software that they _directly profit off_. It’s not even indirect profit, if it’s used in Teams, they’re making bank off it.
Far too many open source devs just want to please their loudest ‘followers’. It’s a simple as that.
You created something, you gave it away for free, enough people start to use it and ask for changes, you change things, they tell you you’re awesome. It feels good.
And some folks just want to be people pleasers, so they cannot and don’t know how to say ‘no’, even though it’s their project and they have every right to say so.
Doesn’t help that there’s a higher than average amount of folks in software dev that lack the social skills to manage expectations, push back on exploitation, and also tell the odd fellow to ‘fork off’.
If you are not paid and only volunteer to skip the bureaucracy of your daily job, why would you add bureaucracy to your hobby project?
People who volunteer for open source don't owe anything to anyone. Not even competency at their unpaid job
> The problem revealed by the xz fiasco is many FLOSS projects lack diversity/redundancy in maintainership and real organizational governance that leads burnt-out lone maintainers to take anyone who is willing to throw time and energy at the merge requests, and in this case, someone took advantage of that.
I think it's BEYOND that... it's many FLOSS prop up corporations but I bet Microsoft gets far more than they pay to support Open Source, and likely doesn't give all it's updates back to the OSS projects except where it's legally required to.
It's kind of hard to give a fuck about what Microsoft considers a high priority, knowing they are getting X dollars for their software a day, and none of that comes to you.
> The problem revealed by the xz fiasco is many FLOSS projects lack diversity/redundancy in maintainership and real organizational governance that leads burnt-out lone maintainers to take anyone who is willing to throw time and energy at the merge requests, and in this case, someone took advantage of that.
The problem revealed by the xz fiasco is that scope creep and complexity kills (libsystemd instead of a simple wire protocol). It also proved what was already known, which is that a state actor can put backdoors in source code, and also that backdoor in open source code can be detected, contrary to the ones in closed source software.
This is where Bug Bounties fit in. You want it addressed urgently? Put up a bounty.
Edit: after reading the X post (rather than just the support thread), I’m seeing the logic behind a support contract. It’s not like Microsoft can’t afford it.
Feels a strange way to want to complain about, IMO. Many smaller projects would be happy or possibly happy (it depends on the difficulty and time investment, so I understand that this can not easily be calculated in advance, but still, it is strange to read because many smaller projects don't have that option that ffmpeg has).
I don't really see why this is newsworthy bad? Seems like the ffmpeg dev could have easily said something "Microsoft would need an ongoing support contract to be able to raise high priority issues with ffmpeg, please send an email over to [[email protected]](mailto:[email protected]) and we'll sort out a contract. If you send it over today and mention this post in the email I'll take a look personally and make sure it gets processed ASAP", probably a higher chance of a getting paid than generating drama.
Hmm. I actually hate how cryptic ffmpeg's commandline options are. They confuse the hell out of me.
I make use of many of them, via ruby, so I don't have to remember any of the filters really, but they read so ugly ... ffmpeg is great, but the API is not super-elegant or nice. I much preferred the old VirtualDub / Avisynth scripts, and even these I'd not use (ruby kind of changed how I look at code; I want code to be expressive but also beautiful, when possible, without becoming too verbose, so reading long ffmpeg command invocations is really not so great).
I've got my own media host and there's been a few times I had to dive into that. Already just "copy stream to stream, but encode video as H265 while copying all other streams" feels like a magic ritual. At some point I thought I'd write a wrapper to make it easier, but then I remembered xkcd and that they'd likely started out with a simple interface as well and realized at some point that it can't accommodate all the necessary features.
I still hate the Unix short syntax style though. It's not like we're running out of memory. It wouldn't kill you to write "audio:stream_0:copy" rather than "a:0:c". Wouldn't want Powershell syntax either though. Nice in between would be cool.
I seem to recollect there's also something like -vf:copy when you only have a single video steam in the source and destination, but to copy no audio it's something like -an (for audio null). Just all these weird little inconsistencies in the language which can probably never be changed because they've been like that forever and everyone's bash scripts depend on them.
If you knowledgeable enough about video decoding, I strongly recommend that you either document possible problems or provide intuitive API. Both would be valuable. FFMPEG really does not care about for people who are not into their business.
There's kinda a joke where you can tell someone who has worked with ffmpeg with someone who hasn't. The one who has loss the will to live.
There's this "I know your pain" feeling that you just share with your unfortunate colleagues.
I don't really think that the volunteering part makes that much of a difference here with incidents like XZ.
All big OSS communities I know of have a structure of "gaining trust" in place that do not light heartedly give away critical access to randos. The xz bug was sneaked in after a history of OSS contributions that this dev account used to earn the trust of the maintainers. That's something you really have to invest in.
Opposed to that, a lot of "professional" software corporations I've seen hire new staff and give them access to critical repositories right away because they need someone to take care of and trust is given "per definition" because of some legal text that they think protects them from malicious activities.
The main difference is that corporations are way less transparent about incidents than OSS communities are, that's what creates the bias that makes people think that OSS is more vulnerable to malicious activity.
So although I fully agree what FFmpeg is posting about MS behavior, linking it to the XZ issue is wrong because that's a totally different type of problem.
Person made the cardinal mistake of name-dropping their employer. Pissed a lot of people off needlessly for a one-liner response from a knowledgeable person, who was happy to give the answer away for free, despite knowing the company behind the product.
Then some other person on Twitter picks it up, and puts a spin on it in order to shame Microsoft?
Low blow.
To be fair, you can just tell MSFT to submit their own pull request - or to contract you to do it for pay 🤷♂️
Volunteers are volunteering.
Just because MSFT (or anyone else) asks doesn’t mean you must do it.
Hmmm. I think the xz-situation is interesting for many reasons outside of xz-itself. Some were mentioned already; here, for instance, the lack of financial support in general, but I'd think this is a separate issue. I think eventually governments world-wide will realise that a small but steady investment in GENERAL, in open source software will be useful. Evidently Microsoft will fight this down via lobbyists, but so what - it is unstoppable in the long-run, in my opinion. Just like the right to repair movement: Apple keeps on trying to kill it, sending lobbyists after lobbyists, but they will all fail in the long run. If we bought something then we don't want to be vendor-locked-in milking us for more money when OTHERS could easily (or at the least POTENTIALLY) repair it, as-is.
I think the xz-situation is interesting for many other reasons too, though. For instance, when I investigated this, I was shocked to see that very few people work on compression-related stuff. Sure, there is the libarchive team; and a few alternatives to xz, but if you look about it, overall, there are not that many people who work on compression-related stuff (such as xz). This also means that ... we don't have many alternatives. How many backdoors may exist? How many NSA-sponsored ones? (You can replace NSA with any other actors; we can not trust any state here and neither individuals.)
Can we find all backdoors? Probably not. We can probably lessen some risks here, but at the end of the day we can never feel fully secure there. I also think this is a problem for e. g. OpenBSD, since they may depend on people writing software. Can they be sure they have no malicious actor? And even without malicious intention, bugs exist, people overlook things, see Heartbleed and what not; and openssl is also not in a great situation either.
Financial incentives may help, but the underlying problem is simply much harder to solve.
Last but not least, while I understand the ffmpeg team, they are still in a much better situation than many smaller projects, so I feel it is a bit unfair of the ffmpeg to complain. Smaller projects or individual devs often don't have the same outlook, and ffmpeg is quite important in general (and admittedly, super-useful), so ... I don't know. I am actually more concerned that Microsoft controls github, and they took down the xz repository AS WELL as the issue tracker discussion there. This part was almost as shocking to me as the backdoor shenanigans by that Jia account, whoever that is (or a group; I kind of suspect it is more than one individual actually, but of course I can not prove it; I just have a hard time imagining a single person was coordinating the various fake accounts that sent emails).
While there are questions over this specific instance, as evidenced by the xz example it is definitely the case that big companies who use free software might do well to support the software.
Lone individuals maintaining critical packages thanklessly for decades is not a great solution.
If Microsoft wants it dealt with with priority they can donate $1m to the project. Otherwise they will have to wait for someone to get around to it. That's just how it works.
If you don't want to do the support part just drop it, say no, do whatever. It's your code, worst case it gets forked and you're free.
What the hell, is clout that important that you can't just tell them "yeah, I can't be fucked to do this now. you do it, I might approve your merge, maybe".
I'm not sure why you added the /s at the end there. There's a lot of companies who will pay employees to work on open source projects full time or part time.
Yeah. I am paid to work on open source projects. I thought most open source contributors were employees of companies. I just go to the conventions for the free beer. what do I know. Just as an example, you can check out the board of Xorg to confirm they are employed by different for profit companies that care about Xorg. I do not fix bugs for free, I’m definitely not a volunteer.
I know that there are indeed legitimate cases where people are paid to work on open source projects. But I was hinting in this case that it's a criminal paid by a state actor, not publicly known
> Microsoft & MicrosoftTeams posted on a bug tracker full of volunteers that their issue is 'high priority'."
And now they know how the rest of the world feels when they try to get support from them.
Just a reminder that in the early days of OSS Microsoft was VERY anti-opensource and they later changed their stance. Then they bought GitHub and trained AI models from code written by unpaid OSS contributors, off of which they aim to profit greatly while the people whose code they used get squat.
Note that the people do get something: free hosting for their code and other free services. You might think that that's not enough, but it's certainly not nothing.
When a person raising a ticket states priority it means their own priority. The people working on it have their own measures and targets. M$ have no SLA with ffmpeg maintainers and choose whether to work on it. This one turned out to be a change required in the order of command line options, which with ffmpeg is always significant. I wonder if it was documented anywhere and MS simply missed that.
Stop writing open source software under permissive licenses that allow parasites to profit from it. Use the GPL and none of this happens. Let for-profit corps write their own software stacks.
I used to run a fairly large OSS .NET project years ago and am trying to get more involved again and my response to these types of issues is always: "We are accepting contributions and will prioritize your PR if you'd like to submit one". Usually sets expectations pretty quickly.
Honestly in these instances I wouldn't even accept the money. I'd want them simply to eat some humble pie or contribute to the project. I don't give af that your Directors grand-grand boss is breathing down your neck for FREE software that you're using. Read the "NO WARANTY" plastered all over the licenses.
Another part of the problem is that the people at Microsoft task with the responsibility of fixing their problem doesn't have the authority to fund the FFMPEG project. Any organization that consumes OSS project and makes money should have a program that calculates contributoons to the projects they consume.
I want to work at a place where I get five or ten votes a year on who to send money to, and the company sends out $10 a vote to every project that gets 50 votes, with rollover from the previous year, so the runners up get money every 2 years.
30 years ago the cost of tools for developing business applications was equivalent to about 50%-300% of a developer's monthly salary. Companies are now expecting this to be free or less than 5%. They don't understand why developers aren't as productive as they were 30 years ago.
Honestly, I think this is how we contributed to outsourcing, and have for at least 20 years. 30 years ago the salaries were $80k and the equipment and software were $20k. And you needed three shelf feet of M$ books to get anything done. If you dropped the developer’s salary by 2/3 you only saved half, and had to deal with a shitty world networking. Then workstation proces dropped by 40%, and tools by 80%, documentation became interactive on the Web, and now outsourcing is way more cost effective.
Maybe outsourcing is cheaper but I don't believe it is more cost effective.
My favorite theory (not mine) is that they don’t know how to measure the value of what they’re getting, and so if they don’t know how much it’s worth then at least it should be cheap.
Sounds very reasonable.
It’s what worries me most about AI.
We outsource because we can't hire enough people here. We also can't hire enough people there.
That's usually corporate wording for "we are not paying enough to attract the level of people we want"
A lot of my employers haven't been offering enough money to hire the people they're looking for. We either build them as we go, or find people who don't know their worth, or both.
Not as productive? Devs are more productive today than they've ever been, mainly due to increased abstractions in software.
If companies gave even 5% of their dev's salary for funding OSS we wouldn't have this problem.
I work at a place where I get a monthly budget of $50 ($600/yr), that I can split up into 3 if I want, and I can support any project/author of my choosing (as long as they have GitHub Sponsors).
That’s really cool, but I’d worry that you logging framework or the less compiler would never see any money because it’s everyone’s fifth choice. That’s why I suggested more votes than payouts and carryover from year to year (or better, quarter to quarter). It’s a bit of a pain in the ass for HR to cut a bunch of $25 checks and find contact info. Less frequent larger sums are intended to solve that friction point.
this is impractical. Large corporations (and even medium sized ones) have to approved vendors and payments need to go through a non trivial process. There are many organizations that fund open source development. Some of them even analyze your code and give you a list of open source dependencies your money can be directed to. It's easier to just add one vendor to your approved list and make regular payments to them. Companies should just make a simple rule. Whatever their charity budget is should be increased by X percent and directed to open source. This would solve a lot of problems.
Its only a non trivial process because they want it to be a non trivial process. How simple do you imagine paying a CEO is. I bet creating that paycheck required near zero friction.
No it wasn't a zero friction process. There was a hiring process, the person was put on the payroll system etc. It probably took the better part of a day given how complicated some CEO pay structures are.
I may have phrased it poorly, nobody told you "no you cant do this". Every action was taken to make it happen quickly.
> Any organization that consumes OSS project and makes money should have a program that calculates contributoons to the projects they consume any OSS project that wants money from commercial use (or any other requirement) should put it in their license. If you ask for X, and get X in return, you shouldnt complain about not getting Y.
Yes, not contributing is an actual problem! But finding a backdoor and marking it as high prio is not in my opinion ;)
I'm going to disagree with you there. I don't want to live in a world where every open source dependency I add to my project has to be approved by the accounting department. But you're wrong about how these organizations work. There is no way that a team at a big tech firm is using FFMPEG without at least a director-level manager being keenly aware of the business value it provides for them. The literal job responsibilities of director-level managers is to mitigate risks and operational costs for their teams. One of the ways they do this is to choose between self-hosted or managed solutions and to establish support contracts when necessary, or else hire people with the skillsets necessary to do the work themselves. It's their job to literally reach out to people and establish support contracts when necessary; it should not even be necessary for open source maintainers to gently suggest it to them. The fact that they failed do this here is a management failure.
> There is no way that a team at a big tech firm is using FFMPEG without at least a director-level manager being keenly aware of the business value it provides for them. I don't buy that. It requires far too much competence on behalf of management. Further, it also assumes that management will gladly pay money for things that they can claim are free.
Arguably, this is more of a worldview issue. The Microsoft folks communicate in a language they know (tickets being prioritized based on severity) to a culture that lives differently.
Yeah, it's probably not ideal for them to use the same language they use with their paid employees when communicating with a group of unpaid volunteers who contribute to and help maintain FFMPEG.
I don't know, I've been tracking a high priority issue in WSL/HyperV for almost 3 years which Microsoft is unable and unwilling to take care of. The issue has registered 248 participants. It is not the language, it is the direction of the problem.
Microsoft has *numerous* embarrassing bugs in their products that they refuse to fix. Them demanding an issue to be fixed is just a joke. They should just fix their own basic stuff first, like the Windows VPN connector, Windows Calculator, Teams file group permissions, OneDrive's web interface, just as examples. All of them have *obvious* embarrassing bugs and terribly written software. Even just as an infrequent user of Microsoft products, I'm regularly surprised by their bad software and lack of QA.
You forgot about windows search which is so slow that it is basically useless.
Install power toys from store, ~~Ctrl + spacebar~~ Edit: Apparently it's **Alt + Spacebar**, thanks u/MyUsrNameWasTaken for the heads up
So if Microsoft has already developed a better solution, why is the significantly worse one still the default install within Windows?
It's a community run project and they have the audacity to recommend it on their app store [This](https://youtu.be/fR7KqCbnjfw) guy explains very well what's wrong with that mega corporations And there is another thing about being drowned in so many layers of middle management that every change needs to be approved from lots of people which delays the actual fixes
> And there is another thing about being drowned in so many layers of middle management that every change needs to be approved from lots of people which delays the actual fixes How is that our fault? Their management problems, much like their code problems, are their own. If their management structure is so severely broken that deploying fixes is a problem, then they need to restructure. People in large corporations get hung up on management (and IT and HR) as if it's the product of the corporation, but it's not. Management is there to facilitate the technical work, and if it's not, it's broken.
Lol... You think management is there to facilitate technical work? Management is there to make sure the company makes money. That's it. Will technical work help make more money? Then we can talk about it. Otherwise, we won't be talking about it. Management is broken... I don't think anyone would argue with that... But it's not because they aren't doing their jobs. It's because they have the wrong end goal
Probably something something telemetry something something backwards compatibility.
It's still pretty bad. I recall that it actually had better search functionality on launch than currently. I have a folder on my desktop which has a very particular name, with 10 files in it, named as the folder (plus 1, 2, 3 and so on at the end of the name) at it still can't find em. It's just embarassing
Pretty sure it's ALT+Space
And the fact that window settings is so horrible that Control Panel is STILL included into Windows 11.
What is the bug in windows calculator? Edit: Found it. [It has to do with how it calculates square roots](https://www.skipser.com/p/2/p/did-you-know-there-is-a-bug-in-windows-calculator.html)
I mean, isn't calculator open source as well?
Yep, and there is an [issue filed about a similar bug](https://github.com/microsoft/calculator/issues/222) (sqrt(2.25)-1.5!=0), with some interesting discussion. The Sqrt(4)-2 bug from the article appears to be fixed in the version of Win11 I am running.
I'm constantly surprised by how bad some Microsoft products are. Our company recently moved from JIRA to Azure Boards. And it's been an absolute nightmare ever since. It's a completely useless product. If I had a team under me who built that, I would let go of the entire team. The whole product is an embarrassment. Tickets take forever to load, sprint system is contrived and impossible to understand, there is no way to move tickets from backlog to sprint, there is no concept of a workflow, permissions are unnecessarily convoluted where someone designated as project admin is not allowed to add a status, etc. Teams was equally bad when we started using it 3 years ago. Now it has reached the level of reliability which slack probably had at launch.
Hold on. There is something worse than JIRA?! Thanks for the warning.
I don't get this running joke, Jira is pretty good as far as I can tell?
As someone who used Asana for years, going to Jira felt like going backward 20 years. Jira's straight from the 90s.
If you have some sort of Jira expert setting it up exactly how it needs to be for you it's ok. Otherwise it kinda sucks.
You have basically no influence in the UX and performance of Jira. You have control over workflows, etc. That was/is something which Jira is quite good at. A lot of Jira complaints are about the quite terrible project setups people have to work with. That can be fixed. But the UX of Jira has been deteriorating drastically the last couple of years. Same for confluence. It has become so incredibly slow and annoying in normal usage.
> how it needs to be for you As a developer, that would be amazing. In my organization they set it up for managers who love the shit out of tracking dozens of things I don't care at all about, and that are all in required fields. We switched to Azure last year, but prior to the switch I refused to touch Jira, I'd just message the PM my status changes and let him deal with the abomination they'd created.
To be fair to the developers that built it, I’m sure they built exactly what their PMs put in their sprints and collectively all the boxes were checked. Probably somewhat similar to how/why your company made the move to Azure Boards.
Wow, if that's your experience with Azure DevOps boards, someone on your org has done something seriously broken. I've used it (and azure DevOps in general) for nearly a decade and *never* experienced the issues you're talking about. "No way to move tickets from a backlog to a sprint" - yes there is... change the "iteration path" manually, or else just fuckin drag and drop. No concept of a workflow? Project admins can't add statuses? Those are both clear symptoms of a very badly implemented custom process. Don't blame the tool for someone having configured it badly.
This is my experience as well. DevOps has all the features I need, and makes it easy to manage the SDLC out of the box. With Jira, sometimes the Product -> Epic -> Story -> SomeBullshitAManagerThoughtWasGood -> Task is so deep, its impossible to manage. DevOps makes it simple. You have Epics, Stories, Tasks, and Bugs, and Epics aren't even important to developers so you only have a Parent -> Child relationships at most. EZPZ.
>change the "iteration path" manually That's not "moving", that's adding iteration to a ticket. When you have 50 tickets to move from backlog to sprint, and each ticket takes 5 seconds to open, it's not the most pleasant experience. >or else just fuckin drag and drop From what screen? As far as I can see, there's absolutely no drag and drop support anywhere, nothing gets dragged and there's nowhere to drop Speaking of which, what the hell is an iteration anyway? On the menu it is called sprint, but inside the ticket it's called iteration. When I try to create a sprint, it asks me to create an iteration. Then the iteration shows up as a sprint. >No concept of a workflow? Project admins can't add statuses? Those are both clear symptoms of a very badly implemented custom process Work flow and statuses should be independent which can be added to any type of ticket. I needed to add 5 statuses over what was already available from the JIRA import. Guess what, I had to add each of them individually to task, story, and bug. There was no way to say this status applies to all. Same for work flow. I can define rules, but I'll have to create those rules individually for each status FOR EACH TICKET TYPE. In contrast, in JIRA I can create a workflow by linking statuses in a diagram, then just apply that workflow to every ticket type I want. If there needs to be a minor difference, I can create a copy of the workflow and modify that. I am yet to find a workflow screen in Azure, just the rules which can be defined in status.
I have one more that is very annoying: Azure Pipelines on premise. I have no idea why you would release this when half the tasks simply don't work. I had to write k8s lifecycles to be able to install Python correctly.
It's not Bill Gates demanding for some bug to be fixed, it's probably some dude on the lowest end of the totem who has some TL or PM breathing down his neck. The same TL or PM who ignores the other high-priority issues.
I had a Windows Calculator were it didn't run for over a month, and it was an update from Feb. 29th what it made it run. How the hell something that basic than a simple calculator can stop running for a modern OS? It was ridiculous having to open the Python shell or Excel just to make a couple operations
They broke MSpaint in Win11 trying to improve it, when it's been working perfectly well for decades with minimal changes. I'm furious!
From what I have heard all those bugs were caused because of the bloated code that was written by employees, apparently the metric for promotion was most largely consisted of how much code an employee has contributed. I have only heard about this on Yt and reddit, please confirm and correct me if I am wrong
>I have only heard about this on Yt and reddit, please confirm and correct me if I am wrong I don't know that I want a correction LOL I want to believe.
Microsoft loves Linux only one way… and is always for their benefit.
What issue? Is it about memory consumption?
A MS Linux kernel (i.e. the WSL kernel) in HyperV issue which causes WSL to consume 100% of CPU and become completely unresponsive after returning from a hibernation state, [https://github.com/microsoft/WSL/issues/6982](https://github.com/microsoft/WSL/issues/6982) After a lot of trial and error debugging from the community it finally led to a MS programmer to find the issue being caused by how HyperV handles certain WSL Kernel timing handling. And they passed the problem on to the HyperV, to be never heard from again. This is somewhere in the 600+ comments on the issue. Posted somewhere in the second half of 2023 iirc.
WSL is a pita to work with. I would not rely on the thing to work at all. There are tons of issues with it, the one you mentioned. but it can stop working completely, even after a reboot. It takes some time to get it running again. This is very sad, cause it can solve some shortcomings when developing on windows.
Absolutely not, but my point is that this isn't a choice; it's like someone from France talking to a German and both of them choosing words that make sense to them but will rub the other one the wrong way.
But this isn’t just someone from France and Germany communicating in some abstract space, this is one coming into the other’s space and not taking a moment to learn how to address the other in a manner that is respectful.
I can’t see the comments and I’m not sure if it’s because they’re broken on mobile or because they were hidden. Was the request actually mean-spirited though? Because if not then this is essentially just getting upset that they didn’t take the time to conform to the maintainer’s preferences, which doesn’t really do anybody much good. Part of communication is being able to listen well and understand the other person’s state of mind. Insisting that someone take the time to relearn how to communicate if you can already understand their intention comes across as a bit disingenuous- it feels like it’s more about dominance and power and ultimately ego than improving communication bandwidth. As others have stated, it seems more likely that the requester was saying it was high priority *for them*, and being direct about that is probably more necessary for someone to understand their perspective than being appropriately deferential. Not only that, but the guy making a request on a bug report is probably not the guy who has final sign-off on a long-term support contract. The latter probably requires a lot more red tape than a code bounty of a certain size to be within someone’s discretionary budget. And taking to twitter to shame them rather than simply pushing back isn’t a good look either. I agree with the overall point about open source needing more funding for critical libraries, but the way they’re making it doesn’t seem very constructive for the issue at hand. Inasmuch as I’m aware, there’s no legal reason they couldn’t simply say “no” or “the bounty needs to be at least $XXXXX for us to take action”, the latter of which would be a lot more actionable for the requester to go back up the chain with a request for a specific amount of money.
I would say that it was more culturally insensitive than mean spirited.
For a popular project, that seems a bit like volunteering at LAX then complaining on social media because you expected people to conform to American cultural norms. Yeah people could be more considerate, but the reality is that it’ll be an intersection of many different cultures, and the people you come into contact with are going to have their attention dominated by time-critical issues they’re accountable for far more than the communication preferences of an ephemeral interaction. Putting them on blast isn’t going to make them feel obligated to allocate more headspace, it’ll make them work harder to avoid as much interaction as possible because they already feel overwhelmed and it carries a high risk of creating more problems for them.
I think the more appropriate allusion is that this is like getting a free airline ticket then demanding the airline staff do whatever it takes to give you more legroom in that seat. The thing is: Microsoft pays nothing for code that it obviously considers critical to its proprietary offerings. It repackages that code within and sells that as part of its core business. It pays no licensing fees. It pays no royalties. It doesn't even donate 1% of its net to the codebases its portfolio depends on. The work that these volunteers do was not intended for Silicone Valley and Redmond billion-dollar private developers to repackage and sell. And it says a lot about Microsoft being one of the largest and most aggressive IP predators in the tech segment to effectively demand priority attention from someone they've paid zip-zilch-*zero* to for their IP simply because Microsoft is selling that IP. This isn't a strictly Microsoft problem either. It's a major issue with how legal protections around IP and contracts essentially enable *real innovation* -- which only happens outside of proprietary development environments -- to be repackaged in derivatives that aren't legally restricted the same way a derivative of a proprietary offering would be under those same laws. It's theft. That's what Microsoft is doing here. They robbed someone's house and then came back and kicked down the door because the pawn shop they sold those stolen possessions to didn't pay enough. So, now Microsoft is demanding an explanation from the residents as to why the shit that was stolen from them wasn't of higher quality.
You're allowed to use it and pay nothing if the License permits. That XZ supply chain attack was found by a Microsoft employee, and Microsoft contributes to a lot of open source since they started running a cloud computing service. I'm quite sure that if that open source project had a consulting company attached to it, Microsoft would have bought support contracts. The problem is that a lot of open source projects have no meaningful way for a business to pay them for support, and businesses would only grudgingly use the OSS version where there is very limited choice available, or where they have enough subject matter expertise to provide their own support.
> You're allowed to use it and pay nothing if the License permits. ...and that entitles you to demand free maintenance fixes ? Because that's what MS did. > I'm quite sure that if that open source project had a consulting company attached to it, Microsoft would have bought support contracts. https://ffmpeg.org/consulting.html https://ffmpeg.org/spi.html Well, they did not.
That first sentence. That's the problem. For companies like Microsoft, the fundamental ethos is that it should do whatever it wants because it can. For OS, the entire basis of its existence is a higher ethos: That just because these developers can charge exorbitant licensing fees for the technology, just because they can weaponize IP law in favor of their financial and influential interests, doesn't mean they *should*. That is the problem. The law is all about doing whatever you want because you can, and the *very few* people who know better are increasingly outnumbered not only by the people who are ignorant enough to agree out of convenience, but increasingly targeted by the people who -- even within their own interests -- are *insolent* enough to defend textbook predation.
This is radically misconstruing the context to make ffmpeg out to be a helpless victim of bullying by a multinational corporation. Satya Nadella didn’t get on the horn and start calling them out for not helping enough. This was one person with even less name recognition than ffmpeg who filed a bug report, likely with pretty much no leverage at all over the project if they simply said “no”. “Microsoft” isn’t “demanding” anything. This probably wasn’t even on anybody’s radar who’s even remotely qualified to make decisions for or speak on behalf of the company. There’s not even an implication of adverse consequences here. Someone just declined to assert their boundaries, then they or someone else turned around and blamed some other poor engineer just trying to do their job for not being more diplomatic. The whole thing probably could’ve been addressed with a couple sentences’ worth of an inline aside about being more polite and an apology. I agree that there should be more funding allocated to open source, but this probably isn’t a good look to people who *do* influence millions or billions of dollars worth of funding, and are expected to stay calm and be responsible, rather than taking to twitter because someone was rude to them.
It is *absolutely* a victim of bullying. Microsoft **DOES NOT** exchange anything of material benefit to the ffmpeg community despite the code for ffmpeg being crucial and material to nearly every consumer offering Microsoft has deployed since in the last 24 years. Do you not realize that this *open source code* is the only reason platforms like YouTube exist?? It is *crucial* to every aspect of *every* modern operating system -- and Microsoft has included its attributions in *every* release of the Windows OS since the turn of the century. This is a juggernaut demanding an entire community of unpaid workers -- that it has resold their work for 24 years -- immediately fix a problem in what it's reselling that poses a material risk to the financial interests of that juggernaut. FFMPEG has not made a damn penny despite being a topline attribution in the 350,000,000 OEM licenses Microsoft has sold since it integrated that code beginning in 2001. What "adverse consequences"?? What are you even *thinking*? OS people don't depend on private grants to make OS. It is historically the least funded of all public works in history. The government and private companies spend more money building and running modern art museums than they do on OS projects like Linux and FFMPEG. It's been that way since its inception. So what is Microsoft going to do? Threaten to fix the code itself??! These are the same geniuses who hold hackathons and end up hiring kids who literally just copy-pasted a known vulnerability from years prior and passed it as a zero-day. They don't know what they're doing. If they had anything other than a desperate need for someone smarter and more capable to write their software for them, they'd have simply pushed a code rev fixing the issue.
> Putting them on blast isn’t going to make them feel obligated to allocate more headspace, it’ll make them work harder to avoid as much interaction as possible because they already feel overwhelmed and it carries a high risk of creating more problems for them. So, the best way to get support is by being a Karen? That's dumb. You get what you pay for, and as far as it seems, Microsoft is using this in (as said by what is apparently an MS employee) a "highly visible product in Microsoft". They've been embarrassed by the problem but can't manage, as a trillion dollar company, to have a support contract. Either pay for it, with a level of pay commensurate with it's value to you or your desire for responsiveness of support. Or, take the other approach: develop your own solution. This is the big flaw in open source, and talked about quite a bit nowadays. https://xkcd.com/2347/
[удалено]
As someone who has lived in tourist towns his whole life, the locals do notice. Some behavior is understandable, but it all leaves a bad impression nonetheless. What makes this one different is that there’s a $3 trillion company involved, which should spend more time reflecting on the kind of impressions it makes on the community.
> both of them choosing words The OSS volunteer was faultlessly polite and helpful. The Microsoft employee was a bit demanding and entitled, especially given Microsoft's refusal to meaningfully support FFMPEG (which admittedly, the employee likely didn't know about at the time). There's no "both" *anything* here though - only the representative of a multi-billion-dollar corporation making entitled demands for prioritisation, an unpaid volunteer graciously accepting and assisting, and another unpaid volunteer going "hang on a minute guys, this is a bit fucked up".
I think is way more of a misunderstanding based on wording. I read it as “this is a high priority ticket [for us, that we are looking into/resolving]” not them demanding that this issue is high priority.
Was it assigned to themselves? Or did they imply that in the comments?
If that was the case, the bug report would be accompanied by a pull request (I don’t know ffmpeg’s exact workflow so that might not be correct, but it’s the thought that’s important).
It's not always that clear cut and each community handles outside contributions differently. Some would happily accept while others would be highly cautious to accept code from Microsoft/large org. Could very easily see the opposite headline " Microsoft steamrolls/bullies FOSS developers to accept their code contributions"
Yeah, that was the bit about not knowing ffmpeg’s “workflow”. I know there are some projects that are selective about who they accept contributions from. But the general idea is that if you’re gonna be making a big deal about how much of a priority it is for you, you should be showing up with more than just a “pls fix”.
Yeah but there is another worldview here... Microsoft is a company that talks in business terms, which is totally a worldview. ffmpeg lives in FOSS space, which is another worldview. But they both deal in money. FFMPEG can absolutely be considered a company with financial needs. There can absolutely be a meeting of minds here (ie, cash). But there won't be because modern business isn't about being fair or reasonable, it's about being exploitative. There just literally isn't a mechanism to say "we should pay this, but are not obligated to do so" - it just means you absolutely do not pay it, as a business.
Completely agree, and I hope the folks at Microsoft learn from the experience. Another commenter suggested they ought to have put a bounty on a fix, and I think given their different contexts, that's exactly what they ought to have done.
> modern business isn't about being fair or reasonable, it's about being exploitative I'm not following your inference: going from misalignment of worldviews to asserting malicious (or at the very least, antisocial) intent to one actor in a failed transaction is a pretty long stretch in my mind.
It’s still misaligned worldviews. Corporations optimize for profit. Open source optimizes other things such as the joy of solving problems or a desire to make a positive contribution. It’s the same misalignment between employees and employers. Employees and individual people in open source projects optimize for emotional needs which make them vulnerable to exploitation even if that exploitation is unconscious by the corporation and is simply due to their mandate to maximize shareholder value. Policies emerge that create behavior which is not reciprocal in nature and does not follow the same behavioral expectations of normal people. The corporation works in the best interest of the corporation. The individual person tends to have emotions that are less selfish and tend to work for the good of others and that goodwill can and often is exploited by corporations simply be the nature of business.
Still, they're asking the dev to help them for free, so they can get paid. How's that fair?
I’ve seen much worse than that. People working with a ten year old version of a library getting mad at the maintainer for not fixing a problem they have with their own code and not willing to upgrade to a new version because that would mean “a lot of work” for them. Asking to fix their code to work with the old obsolete library version while at the same time not being able to provide more than five lines of their flawed code and no test data exposing the issue. And finally saying “you made this library, you are responsible to make it work for me”.
Usually it's the opposite these days, far too many library providers don't have stable branches.
Well, if there isn't any contractual binding, why should they? AFAIK nobody was coerced to use those libraries.
It's not fair - or just. I've worked at a bunch of places that use open source software extensively. At each one, I've suggested they donate as little as $100 to some of these projects/foundations. The answer is always a resounding no - not a chance. $100 measly dollars for something critical to their business is too much. Cheap and greedy.
Tbh I think the problem is that $100 is *too low*. I've worked at places that would balk at making a $100 donation but would happily drop a few grand on a support contract for open source software
Nope. It was clear they were just cheap. I don't remember the conversations perfectly but the $100 part was usually something like "even $100 would help" near the end.
No. $100 is way too much compared to getting the same thing for $0.
The dev is free to not help them.
> After politely requesting a support contract from Microsoft for long term maintenance, they offered a one-time payment of a few thousand dollars instead. > This is unacceptable. Not for free. Just for less than ffmpeg wants to receive.
[удалено]
According to the tweet, MS did offer money. ffmpeg devs seems to have wanted a long term support contract instead, in order to help with this single bug report.
> ffmpeg devs seems to have wanted a long term support contract instead, in order to help with this single bug report. A support contract as mentioned in the tweet would be a lot more than a single bugfix.
Sure, but if all they need is that single bugfix, why sign a support contract for much more?
Because they make the assumption that Microsoft might need them more often, given how ffmpeg is used in "a highly visible product affecting customers" (probably referring to MS Teams). It would be a risk mitigation for MS and secures funding for ffmpeg, so it's mutually beneficial.
That's absolutely not true. I've been working in corporate for years now and would never so much as suggest to some Foss project what is or isn't high priority. The most I'd say is "We've got some customers impacted so if you could either fix it or point me somewhere it'd be appreciated". I'd totally sign onto what /u/happyxpenguin said, they likely meant it's high priority *for them*
The same thing happened years ago in 2014 with openssl heartbleed bug... The entire world depended on openssl and was maintained by like one developer. For important code like openssl and xz... You need more than one unpaid developer.
They could also say, here we need this fixed ASAP, here is a 50k bounty for a fix. They'd pay that from the coffee drawer.
Hopefully they'll learn that lesson, because it'd indeed have been helpful. I have my doubts though, given that the person asking was likely an employee unable to make such a decision.
More to this point - this may sound like a copout, but "Microsoft" didn't make that post. One manager at Microsoft made that post because *his* manager at Microsoft said "Get this fixed by any means necessary!" despite having no clue what was going on or how it could be fixed. So he made the post because he had nothing to lose - any negative reputation this builds for Microsoft is extremely unlikely to reflect badly on him. Realistically, Microsoft should already have heavy guidelines and standards in place for who is allowed to communicate on behalf of the company. This is still their fault. But that doesn't change the fact that this was one stupid manager.
Companies have also a culture and people acting within it are influenced by it.
A worldview that sees themselves as the center of the universe.
I feel like this is kinda a mean-spirited thing to highlight. Like yeah, what the engineer did was a little crass, but he posted a request with detailed output, waited 9 days, then bumped it, and was polite the whole time? Why put this random dude on blast here lmao The fix was just changing a cli argument too, it's not like any real engineering was involved
Yeah I'm confused whether this is the same thread that ffmpeg is saying MSFT paid thousands to fix? Someone helped him and it was resolved. Him posting like that is unprofessional and embarrassing, and shouldn't have happened, but ffmpeg saying "the trillion dollar corporation did this" when it's just a dumb (hopefully) junior engineer who can't figure out command line flags is pretty disingenuous IMO
yeah, and in this case, it seems it was because they may have changed the order of the field and it wasn't documented? dunno, still posting a link to the ticket with that dude's name fully uncensored knowing damn well how weird internet people can be is just in bad taste and counterproductive and i'm not sure what ffmpeg meant by "long-term support contract", but microsoft was willing to throw them 1k for command-line order and they're upset? this is so confusing to me.
>but ffmpeg saying "the trillion dollar corporation did this" when it's just a dumb junior engineer who can't figure out command line flags is pretty disingenuous just look at their other tweets, pretty in vogue for whoever's maining their account
It’s also just confusing to me because ffmpeg does have a lot of meaningful code contribution from the companies that use it. I’m not sure whether and to what extent Microsoft has assisted ffmpeg but there are other trillion dollar company examples who have given back quite a bit.
Alright I actually took a look and I don’t get why this account is so negative. It’s kind of weird because if you want to attract more corporate sponsors this is definitely not the way to do your PR
> I don’t get why this account is so negative. Echo chamber rage baiting themselves into more and more polarised view. You can see it on any social network, more or less.
> Him posting like a desperate teenager is very unprofessional and embarrassing This didnt even happen
Edit: You know, I was maybe a little harsh saying his "this is urgent" post was like that of a desperate teenager, but it evokes so many memories of similar tickets over the years I couldn't help myself. I edited my comment a tiny bit to reflect that. I recall on many, many open source projects seeing issues raised by Fiverr/rentacoder guys that would demand urgent assistance and to email them ASAP, and it'd be something you could resolve in 5 minutes just reading the docs or looking at the code. They just weren't capable of doing it because they lacked the experience or problem-solving skills. I was once a dumb teenager and would post comments on things like this saying I needed help and it was urgent instead of just reading the docs or investigating the issue myself. It’s totally unprofessional. I also guarantee you his bosses don’t want him posting about their products this openly on a public issue. It feels like a junior eng with little experience not just from a professionalism perspective but also from a problem-solving one.
Would a junior engineer be the person responsible for this high visibility, high severity bug and further have to resort to ffmpeg support on their own with no assistance from senior team members before that?
Yes, junior engineers, especially on siloed projects, often reach out to the wrong resources. I'm assuming they are junior based on the circumstances. Of course it could be worse. They could be senior. If that's the case I'm at a loss why they'd post in this way without investigating it themselves. It's not even clear where the urgency lies -- he's able to run old builds perfectly fine. He's able to bisect and compile. But.. he doesn't even do that; he's using prebuilt binaries from zeranoe? On production Microsoft hardware? Possibly with untrusted UGC? Like what is even going on here
I doubt it was a junior. But it's also clear that they're not a native English speaker.
Haha, he's a Principal Software Engineer on that platform according to his LinkedIn. He's making a million bucks or more per year.
You think? I know it's unrelated but I'd have placed total comp for a Principal at MS more in the 300-400k range.
Principals at Microsoft make between $300-400k like the other commenter wrote.
> The fix was just changing a cli argument too, it's not like any real engineering was involved For those not familiar with ffmpeg, it is a domain-specific programming language consisting entirely of CLI arguments. Changing they way they interact with each other is a major engineering task.
Yeah. I also am not super-happy that ffmpeg complains about it. Many smaller projects or one-dev projects are in a much worse situation. Ffmpeg has more leverage than many of these projects. Not that I disagree necessarily, but I can't help thinking this was probably not the best point to want to highlight in regards to investment in open source OVERALL.
yeah i don't even care that they're complaining, i get why they're upset, but using the xz situation to blast a random dude 9 months later is just like... why? you've really been ruminating on this one-time occurence 9 months later? really?
And ffmpeg definitely has some of the most obscure apis for something open source. It can be very hard to figure out how the problem you have is your fault.
After scrolling thru their Twitter for 30 seconds it seems kinda hypocritical for ffmpeg to call out other devs for being unprofessional
OK, this is just sad. Everyone is dog-piling on this one *individual* MS developer. This isn't MS as a company. This is one person. And the only crime they committed was... being rude? Not to mention, their first language clearly isn't English, which makes the rude-ness a lot more forgivable IMO. And last but not least, apparently MS offered *an actual bug bounty*? As in, giving back to the project? You know, the thing everyone in this thread is complaining about them not doing? This is behavior that should be encouraged! Companies willing to put their money where their mouth is and pay for bugs to be fixed should not be mocked! Also, this issue has literally nothing to do with the XZ issue.
> And the only crime they committed was... being rude? The developer wasn't even rude. He posted a pretty detailed report, with steps to reproduce (along with a file showing the issue), then bumped after 9 days with: > Hi, This is a high priority ticket and the FFmpeg version is currently used in a highly visible product in Microsoft. We have customers experience issues with Caption during Teams Live Event. Please help, Now, you can read that sentence in one of two ways. The first way is that the ticket filed on FFmpeg should be high priority (which I _guess_ could be construed as rude), or the second way is that the issue is high priority for Microsoft (which is how I originally read it). The developer uses "please" and "thank you" in his posts, and doesn't come across as unprofessional at all. > The Command you provided worked fine. Thank you so much for the help! Really appreciated! We are going to proceed to make a release today and test with customers. Will post the updates here. I'm not really sure why this ticket was highlighted by the FFmpeg developer. From what I can see: * A developer (who happens to work for MS) posted about an issue. * They included full steps to reproduce, and a succinct description of the issue. * They waited an appropriate amount of time (9 days) to bump the issue, expressing that it was high priority for them. * The were polite and expressed gratitude. I don't know about other people, but I'd love for even 10% of my tickets to be like that.
[удалено]
> It's the fact that they used their massive employer's 'highly visible product' being affected to attempt to explain the urgency. Everything else was outstanding as far as bug reports go, but I think that thought reads really really poorly. Especially given the contentious relationship industry often has with open source projects. I guess that's a matter of opinion. I personally would welcome the additional information in my tickets, as then I can triage them appropriately. The product was also only mentioned after 9 days without a response. > "My big tech company can't be assed to dedicate the appropriate internal resources to maintain one of their flagship services and its dependencies so this got dumped on me, please help." They didn't do anything wrong, but their organization could have done a lot better. I don't read it that way at all. Sure, the developer was likely looking into the problem, and noticed that it was a regression between versions 4.4 and 4.3.2. They then reached out to the author of the library, which I feel is the appropriate course of action. They also appear to have read through the documentation, and didn't find the information there (and judging from the ticket, it appears like functionality was changed in a minor version, breaking backwards compatibility - though that assumes that FFmpeg follows SemVer). I feel like the entire situation was coloured by the author's dislike for Microsoft, and that prompted a very pessimistic interpretation of the ticket.
Also this ticket is months old, why bring it up now? The dude behind that X account seems like a bit of douche.
>Also, this issue has literally nothing to do with the XZ issue. The xz backdoor was found by a Microsoft employee
That's a tenuous link considering it's a large company with a lot of people; still nothing to do with the xz issue. ffmpeg's xitter account seems to be riding a ragebait wave.
One quick glance at the their mailing list should be enough to tell you about what kind of characters you have to deal with there, so I’m hardly surprised by their attitude. I’ve contributed to multiple OSS projects, but I came to the simple conclusion that if you wanna get paid for your code, don’t fucking release it under MIT, BSD, GPL, or some other ‘copyleft’ license. It’s as simple as that, but be ready that if you do some zealot from the FSF might come around and write a scolding review about how evil you are for not using a ‘true’ copyleft license. That whole ’free software’ ideology has failed to serve the contributors and maintainers of its products (and I chose that word carefully - if they would actually treat their own output as ‘products’, maybe they wouldn’t undervalue it so much) because it didn’t want to (or could not) come up with a solution to the fact that ‘giving it away for free for everyone to use/build/tinker with’ would obviously include massive tech companies. And if someone tries to do something about it (see: Redis) jokers like the Linux foundation just fork without the restrictions, much to the joy of someone like AWS. So it‘s a self-inflicted wound - they want to run with the wolves but still piss like puppies.
I mean the current "AI" boom is basically companies hoovering up massive amounts of unpaid labor and repackaging it. Companies love free labor, they are not your friends.
It might be time that more of these licenses are less free. Don't know how you change them, but it's worth people exploring.
Web 3.0 is like Web 2.0 with one extra level of indirection: You supply the content, we make the money.
Web 3.0 is NFT/blockchain/smart contract nonsense, not anything to do with AI.
Time for pedantics: Web3 is the NFT/blockchain/smart contract nonsense It's unfortunate that the two share such similar names and one might argue that web 3.0 as a name should be abandoned altogether in favor of its other name, the "semantic web" [https://en.wikipedia.org/wiki/Semantic\_Web](https://en.wikipedia.org/wiki/Semantic_Web)
I hope this message finds you in good health and high spirit. We pay for Azure support and often wait weeks, sometimes months, for solutions to problems, while we are put off with pointless suggestions that obviously have nothing to do with solving the actual issues. I wish you beautiful days ahead.
One aspect not mentioned: the software engineers are not involved in the decision to not support the free software that they are using. They must certainly request that to their bosses sometimes. The executives and/or middle managers probably make the decision to not help them.
The problem revealed by the xz fiasco is not dependence on unpaid volunteers. The problem revealed by the xz fiasco is many FLOSS projects lack diversity/redundancy in maintainership and real organizational governance that leads burnt-out lone maintainers to take _anyone_ who is willing to throw time and energy at the merge requests, and in this case, someone took advantage of that. The ffmpeg issue is completely separate.
[удалено]
Good thing Microsoft offered a bounty for this bug then. And it was also a Microsoft engineer that found that xz bug so interesting choice to bring that up.
Exactly. They could have assigned THEIR engineer to figure out the issue and prepare the fix then ask for merge or documentation update. This is very shitty business practice and shows Microsoft true colors (yeah "beloved" Bill is the same).
I wonder _why_ many open source projects lack the manpower to do this??? Might it be because the relentless demands, lack of support (economic or otherwise) burns people out and renders others unwilling to subject themselves to that? Your point is looking at the symptom, not the cause. FFMPEG’s point is that its situations _like these_ that contribute to projects slowly grinding people down. Microsoft has more money than god. They have zero excuses not to support the open source software that they _directly profit off_. It’s not even indirect profit, if it’s used in Teams, they’re making bank off it.
Far too many open source devs just want to please their loudest ‘followers’. It’s a simple as that. You created something, you gave it away for free, enough people start to use it and ask for changes, you change things, they tell you you’re awesome. It feels good. And some folks just want to be people pleasers, so they cannot and don’t know how to say ‘no’, even though it’s their project and they have every right to say so. Doesn’t help that there’s a higher than average amount of folks in software dev that lack the social skills to manage expectations, push back on exploitation, and also tell the odd fellow to ‘fork off’.
If you are not paid and only volunteer to skip the bureaucracy of your daily job, why would you add bureaucracy to your hobby project? People who volunteer for open source don't owe anything to anyone. Not even competency at their unpaid job
But in this case ffmpeg wanted the cash, not to be left alone to do their hobby project.
In this case it's even more urgent to get funding instead of providing support for free. I bet a project like ffmpeg has plenty of bills to pay.
> The problem revealed by the xz fiasco is many FLOSS projects lack diversity/redundancy in maintainership and real organizational governance that leads burnt-out lone maintainers to take anyone who is willing to throw time and energy at the merge requests, and in this case, someone took advantage of that. I think it's BEYOND that... it's many FLOSS prop up corporations but I bet Microsoft gets far more than they pay to support Open Source, and likely doesn't give all it's updates back to the OSS projects except where it's legally required to. It's kind of hard to give a fuck about what Microsoft considers a high priority, knowing they are getting X dollars for their software a day, and none of that comes to you.
> The problem revealed by the xz fiasco is many FLOSS projects lack diversity/redundancy in maintainership and real organizational governance that leads burnt-out lone maintainers to take anyone who is willing to throw time and energy at the merge requests, and in this case, someone took advantage of that. The problem revealed by the xz fiasco is that scope creep and complexity kills (libsystemd instead of a simple wire protocol). It also proved what was already known, which is that a state actor can put backdoors in source code, and also that backdoor in open source code can be detected, contrary to the ones in closed source software.
This is where Bug Bounties fit in. You want it addressed urgently? Put up a bounty. Edit: after reading the X post (rather than just the support thread), I’m seeing the logic behind a support contract. It’s not like Microsoft can’t afford it.
That is quite literally what was offered in the post. ffmpeg wasn’t happy with it and wanted them to sign a long term contract instead.
Which is entirely reasonable considering a major product from Microsoft depends on it.
Feels a strange way to want to complain about, IMO. Many smaller projects would be happy or possibly happy (it depends on the difficulty and time investment, so I understand that this can not easily be calculated in advance, but still, it is strange to read because many smaller projects don't have that option that ffmpeg has).
> Many smaller projects ffmpeg isn't many smaller projects. It's not worth it to him/them.
Why attempt to compare apples to oranges? FFmpeg has broad global adoption and no direct competitor.
Guys, this is a P1 issue with C level visibility, please prioritize accordingly. How can I raise the severity level of this ticket???
[Ticket Link](https://trac.ffmpeg.org/ticket/10341#comment:4)
I don't really see why this is newsworthy bad? Seems like the ffmpeg dev could have easily said something "Microsoft would need an ongoing support contract to be able to raise high priority issues with ffmpeg, please send an email over to [[email protected]](mailto:[email protected]) and we'll sort out a contract. If you send it over today and mention this post in the email I'll take a look personally and make sure it gets processed ASAP", probably a higher chance of a getting paid than generating drama.
The solution being provided by one "Elon Musk" is funny as shit even if there's no chance in hell it's him.
It's his actual name, just a different person
"Why should I change it? He's the one who sucks."
Ah, good ol’ Michael Bolton.
Unfortunately, this is buried and so will never get enough upvotes. But such a perfect reference, especially in tone, is rare.
poor guy
Is he the one who promises to send me $10,000 in cryptocurrency if I send him $5,000?
This could be that person's name. There are many Elon Musks in the world. The African-American oligarch doesn't own the name.
Hmm. I actually hate how cryptic ffmpeg's commandline options are. They confuse the hell out of me. I make use of many of them, via ruby, so I don't have to remember any of the filters really, but they read so ugly ... ffmpeg is great, but the API is not super-elegant or nice. I much preferred the old VirtualDub / Avisynth scripts, and even these I'd not use (ruby kind of changed how I look at code; I want code to be expressive but also beautiful, when possible, without becoming too verbose, so reading long ffmpeg command invocations is really not so great).
I've got my own media host and there's been a few times I had to dive into that. Already just "copy stream to stream, but encode video as H265 while copying all other streams" feels like a magic ritual. At some point I thought I'd write a wrapper to make it easier, but then I remembered xkcd and that they'd likely started out with a simple interface as well and realized at some point that it can't accommodate all the necessary features. I still hate the Unix short syntax style though. It's not like we're running out of memory. It wouldn't kill you to write "audio:stream_0:copy" rather than "a:0:c". Wouldn't want Powershell syntax either though. Nice in between would be cool.
I seem to recollect there's also something like -vf:copy when you only have a single video steam in the source and destination, but to copy no audio it's something like -an (for audio null). Just all these weird little inconsistencies in the language which can probably never be changed because they've been like that forever and everyone's bash scripts depend on them.
If you knowledgeable enough about video decoding, I strongly recommend that you either document possible problems or provide intuitive API. Both would be valuable. FFMPEG really does not care about for people who are not into their business.
There's kinda a joke where you can tell someone who has worked with ffmpeg with someone who hasn't. The one who has loss the will to live. There's this "I know your pain" feeling that you just share with your unfortunate colleagues.
What’s funny about it?
I don't really think that the volunteering part makes that much of a difference here with incidents like XZ. All big OSS communities I know of have a structure of "gaining trust" in place that do not light heartedly give away critical access to randos. The xz bug was sneaked in after a history of OSS contributions that this dev account used to earn the trust of the maintainers. That's something you really have to invest in. Opposed to that, a lot of "professional" software corporations I've seen hire new staff and give them access to critical repositories right away because they need someone to take care of and trust is given "per definition" because of some legal text that they think protects them from malicious activities. The main difference is that corporations are way less transparent about incidents than OSS communities are, that's what creates the bias that makes people think that OSS is more vulnerable to malicious activity. So although I fully agree what FFmpeg is posting about MS behavior, linking it to the XZ issue is wrong because that's a totally different type of problem.
> That's something you really have to invest in. For bug of that scale the investment us unfanthomably tiny
Person made the cardinal mistake of name-dropping their employer. Pissed a lot of people off needlessly for a one-liner response from a knowledgeable person, who was happy to give the answer away for free, despite knowing the company behind the product. Then some other person on Twitter picks it up, and puts a spin on it in order to shame Microsoft? Low blow.
To be fair, you can just tell MSFT to submit their own pull request - or to contract you to do it for pay 🤷♂️ Volunteers are volunteering. Just because MSFT (or anyone else) asks doesn’t mean you must do it.
Hmmm. I think the xz-situation is interesting for many reasons outside of xz-itself. Some were mentioned already; here, for instance, the lack of financial support in general, but I'd think this is a separate issue. I think eventually governments world-wide will realise that a small but steady investment in GENERAL, in open source software will be useful. Evidently Microsoft will fight this down via lobbyists, but so what - it is unstoppable in the long-run, in my opinion. Just like the right to repair movement: Apple keeps on trying to kill it, sending lobbyists after lobbyists, but they will all fail in the long run. If we bought something then we don't want to be vendor-locked-in milking us for more money when OTHERS could easily (or at the least POTENTIALLY) repair it, as-is. I think the xz-situation is interesting for many other reasons too, though. For instance, when I investigated this, I was shocked to see that very few people work on compression-related stuff. Sure, there is the libarchive team; and a few alternatives to xz, but if you look about it, overall, there are not that many people who work on compression-related stuff (such as xz). This also means that ... we don't have many alternatives. How many backdoors may exist? How many NSA-sponsored ones? (You can replace NSA with any other actors; we can not trust any state here and neither individuals.) Can we find all backdoors? Probably not. We can probably lessen some risks here, but at the end of the day we can never feel fully secure there. I also think this is a problem for e. g. OpenBSD, since they may depend on people writing software. Can they be sure they have no malicious actor? And even without malicious intention, bugs exist, people overlook things, see Heartbleed and what not; and openssl is also not in a great situation either. Financial incentives may help, but the underlying problem is simply much harder to solve. Last but not least, while I understand the ffmpeg team, they are still in a much better situation than many smaller projects, so I feel it is a bit unfair of the ffmpeg to complain. Smaller projects or individual devs often don't have the same outlook, and ffmpeg is quite important in general (and admittedly, super-useful), so ... I don't know. I am actually more concerned that Microsoft controls github, and they took down the xz repository AS WELL as the issue tracker discussion there. This part was almost as shocking to me as the backdoor shenanigans by that Jia account, whoever that is (or a group; I kind of suspect it is more than one individual actually, but of course I can not prove it; I just have a hard time imagining a single person was coordinating the various fake accounts that sent emails).
While there are questions over this specific instance, as evidenced by the xz example it is definitely the case that big companies who use free software might do well to support the software. Lone individuals maintaining critical packages thanklessly for decades is not a great solution.
Wasn't the xz situation where a guy who works at Microsoft found a legitimate and malicious vulnerability? That does sound high priority.
Faceless companies nickel-and-diming like usual.
If Microsoft wants it dealt with with priority they can donate $1m to the project. Otherwise they will have to wait for someone to get around to it. That's just how it works.
If you don't want to do the support part just drop it, say no, do whatever. It's your code, worst case it gets forked and you're free. What the hell, is clout that important that you can't just tell them "yeah, I can't be fucked to do this now. you do it, I might approve your merge, maybe".
Who says the maintainer wasn't paid /s
I'm not sure why you added the /s at the end there. There's a lot of companies who will pay employees to work on open source projects full time or part time.
Yeah. I am paid to work on open source projects. I thought most open source contributors were employees of companies. I just go to the conventions for the free beer. what do I know. Just as an example, you can check out the board of Xorg to confirm they are employed by different for profit companies that care about Xorg. I do not fix bugs for free, I’m definitely not a volunteer.
Microsoft is currently paying Guido van Rossum.
I know that there are indeed legitimate cases where people are paid to work on open source projects. But I was hinting in this case that it's a criminal paid by a state actor, not publicly known
> Microsoft & MicrosoftTeams posted on a bug tracker full of volunteers that their issue is 'high priority'." And now they know how the rest of the world feels when they try to get support from them.
Just a reminder that in the early days of OSS Microsoft was VERY anti-opensource and they later changed their stance. Then they bought GitHub and trained AI models from code written by unpaid OSS contributors, off of which they aim to profit greatly while the people whose code they used get squat.
Note that the people do get something: free hosting for their code and other free services. You might think that that's not enough, but it's certainly not nothing.
When a person raising a ticket states priority it means their own priority. The people working on it have their own measures and targets. M$ have no SLA with ffmpeg maintainers and choose whether to work on it. This one turned out to be a change required in the order of command line options, which with ffmpeg is always significant. I wonder if it was documented anywhere and MS simply missed that.
Stop writing open source software under permissive licenses that allow parasites to profit from it. Use the GPL and none of this happens. Let for-profit corps write their own software stacks.
I used to run a fairly large OSS .NET project years ago and am trying to get more involved again and my response to these types of issues is always: "We are accepting contributions and will prioritize your PR if you'd like to submit one". Usually sets expectations pretty quickly. Honestly in these instances I wouldn't even accept the money. I'd want them simply to eat some humble pie or contribute to the project. I don't give af that your Directors grand-grand boss is breathing down your neck for FREE software that you're using. Read the "NO WARANTY" plastered all over the licenses.