@p Yeah, same here! Even in Firefox I have them disabled with image.webp.enabled=false, same for VP9 with media.mediasource.vp9.enabled and probably some other Google shit that I don't even remember. And there've been only a few cases when I cared enough to actually download the file, convert it manually and see what's in it. Most of the time I just ignore them :marseysmug2: Problem is, I've been encountering these more and more often in the wild as of late. I suspect that one of the authors of some Fedi software like Firefish has decided that saving a few kilos is worth it and implemented an automatic conversion to WebP — I just can't imagine that a lot of people have decided to adopt it all of a sudden, especially with all those vulnerabilities discovered. I remember when they did it in Nitter and I had to patch this shit out myself for my instance. Why people decide to adopt it is beyond me — like I said earlier, the advantage is negligible in the absolute majority of cases, even if it's only a few lines of code, the added complexity is not worth it. And I don't even see a lot of interest from developers TBH, there are just a few people who run around submitting these patches and devs usually just go with it because: "Why not? Looks good on paper!" Anyway, I should probably start a media proxy or something that would do the conversion for me. Or maybe I should just keep ignoring WebP images — haven't decided yet :marseylaughwith: @kirby @sysrq @lispi314
@lispi314 I think C has little to do with it, the biggest problem is that while it's being considered "an open standard" by many, it's not that — there is only one major implementation and it's Google's own implementation, others have little to no interest contributing to it as it will remain Google's implementation in any case. So we have a sole implementation that, in addition to the obviously very popular Chrome itself, is used by a lot of software. If that software has anything even remotely to do with images — why don't we add WebP support, right? So in addition to all the browsers, this shit is now everywhere. Why the fuck does ffmpeg on my system depend on libwebp? I don't know. Do any of you use WebP for any other purposes except for posting it on the Web? I don't and I doubt that anyone does — its advantages over existing formats are negligible for personal use, but it still makes sense for Google as they serve petabytes of data and even 10% makes a huge difference. I might have digressed, but anyway — as it is used in software that is present in virtually every system and in addition to that, it's the same implementation, it makes libwebp a very attractive target for attacks. Monoculture is never good. This sole implementation is closely studied by those who intend to exploit it — this is where the C factor might come into play. Another problem is that Google doesn't give a fuck about how and where their library is used. Because they only care about how it's being used in Chrome — Chrome offers some means of isolation, if one tab gets compromised, others are safe. And to me it looks like that is exactly what they think: "Oh, it's not that bad, it's isolated!" And that is true, and the same is true for Android. But is it isolated in ImageMagick — no, it's not. And when this vulnerability hit the news, that is exactly what one person came up with in the comments on Hacker News: let's isolate/containerize it for ffmpeg and ImageMagick too. That's insane!
Nowadays it's assumed that everything is isolated/containerized — but in reality it's not. And it shouldn't be! @kirby @p @sysrq
@lina Problem's with the devs merging such PRs as to them it looks like adding a new feature with zero maintenance. In reality, with all those vulnerabilities being discovered, it turns into shipping an update every time this happens. So developers and project leaders should start being more picky — and I think they will. @p @kirby @sysrq @lispi314
(schizo take) WebP is intentionally vulnerable so that they can push mandatory media signing modeled after SSL certification (c2pa.org, basically digital identity with certification authorities being the issuers).
They finally gave up on GC, and with a shortage of “actually” educated developers they may have to scale back. You can’t just have a thousand people writing CoCs. :joker2:
C++ is only still popular as it ships with a compiler for a better language. Good luck trying to outrun the binary interface of C to anyone dying trying.
I finally hear people asking for templates to be removed. They’re getting closer!
> They have already added like five ways to format a string to it.
Maybe it was an interview question at Google and Guido just merged it whenever someone had a good answer.
> let's add static typechecking to Python!
Oh, they're doing this with Ruby, too. I can understand the reasoning that it makes some optimizations possible that would not be otherwise, there are new and exciting runtime errors you can experience, and there are compile-time errors, but if I wanted that, I know where to find the languages with static typing. The reason these languages are nice, the advantage they have is that you can kind of smear things around, you don't have to know where you're going, so they're great for prototyping, small scripts, exploring a weird dataset interactively.
:bwk: Kernighan gave this talk, something like "How to accidentally succeed at language design", it was really great. He talked some about awk, and noted that the domain was constrained. Then you see things like Ruby or Python or Java trying to be every language and making a mess of it; the worst offender is probably C++. I forget if it was him or dmr, but one of them said that a language that doesn't have everything is more useful than one that does.
@p They have already added like five ways to format a string to it. The way they came up with originally was horrible, but I still hate what they keep doing to this poor language, it feels like a garbage dump with all those features slapped on top of what it originally was: — TypeScript is so much better than regular JavaScript, let's add static typechecking to Python! — Woah, cool, les go-o!!! :marseysob: @mia @kirby @sysrq @lispi314
for f in *.webp; do echo "$f"; python3 -c 'import sys; from PIL import Image; Image.open(sys.argv[1]).save(sys.argv[2], "gif", save_all=True, optimize=True, background=0)' "$f" "${f%.webp}.gif"; done
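For the media-proxy idea raised earlier in the thread: the loop above selects files by their .webp extension, while a proxy has to decide from the bytes it receives. The following is an added example, not code from any poster in this thread; `sniff_webp`, `target_format` and `make_sample` are hypothetical names, the gif/png/reject policy is an assumption, and the sample bytes are constructed. It reads only the RIFF container header, without calling a decoder.

```python
import struct

# FourCC of the first chunk after the 12-byte RIFF/WEBP header.
KINDS = {b"VP8 ": "lossy", b"VP8L": "lossless", b"VP8X": "extended"}
ANIMATION_FLAG = 0x02  # animation bit in the VP8X flags byte


def sniff_webp(data):
    """Describe a WebP file from its container header, or return None.

    Nothing is decoded: only the RIFF header and first chunk header are read.
    """
    if len(data) < 20 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_size, = struct.unpack_from("<I", data, 4)
    kind = KINDS.get(data[12:16])
    if kind is None:
        return None
    animated = False
    if kind == "extended":
        if len(data) < 21:
            return None
        animated = bool(data[20] & ANIMATION_FLAG)
    return {
        "kind": kind,
        "animated": animated,
        # The RIFF size field excludes the 8-byte "RIFF" + size prefix, so a
        # mismatch means the file is truncated or has trailing bytes.
        "size_consistent": riff_size + 8 == len(data),
    }


def target_format(data):
    """Pick the output format a converting proxy would use (assumed policy)."""
    info = sniff_webp(data)
    if info is None:
        return "passthrough"      # not WebP: leave the file alone
    if not info["size_consistent"]:
        return "reject"           # malformed container: do not pass to a decoder
    return "gif" if info["animated"] else "png"


def make_sample(fourcc, payload):
    """Build a constructed (not real) WebP container around a dummy payload."""
    body = b"WEBP" + fourcc + struct.pack("<I", len(payload)) + payload
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

`target_format` expects the complete file contents, since the size check compares the declared RIFF length with the number of bytes received.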
My point was the Next Generation will star they/thems that “focus on things more important than code” when it comes to language design like good Marxists.