Lean/mathlib seems a fantastic system, but in my brief experience it fails in a way that is very common among academically oriented software, which is the handling of scopes and names.
For example, some imports introduce definitions into your module scope (sometimes transitively) and others do not, automatic imports cannot be renamed or captured easily, and the utility names/proofs that are created with new inductive types (like for injection etc.) are hard to discover.
When learning a new mathy system I am usually very pedantic, and while I am sure that these defaults were chosen intelligently and with consideration, I would have liked it if the system were more easily discoverable as a new user.
You don't understand the problem. If we encounter aliens, they would likely make a law to protect them. In the situation I came up with, this is their first encounter with us, and they would NOT be protected.
You are very optimistic that they will be considered animals. For example they would have to live on organic matter. And they would have to have a spine to get more protection since living things with a spine are considered more valuable (Wirbeltiere).
GROK (and using all the Roman law principles on which German law is based):
Nullum crimen, nulla poena sine lege (Art. 103 Abs. 2 Grundgesetz + § 1 StGB) is the decisive wall that the prosecution would smash into in a real first-contact case under current German law. This principle has four sub-requirements (all must be fulfilled for a conviction):
Lex scripta – there must be a written statute → Yes, §§ 211, 212 StGB exist.
Lex certa – the statute must be sufficiently precise → “Mensch” is precise if you are Homo sapiens. It is not precise (in fact completely indeterminate) when the victim is an unknown extraterrestrial species.
Lex stricta – no punishment by analogy, no extension to the detriment of the defendant → This is the killer. → Extending the word “Mensch” in §§ 211/212 to include extraterrestrials would be a clear case of forbidden analogy that worsens the legal position of the accused. → German courts are constitutionally barred from doing this in criminal law (unlike in civil law or constitutional law, where they sometimes stretch concepts to protect victims).
Lex praevia – the law must have existed before the act → Also fulfilled, but irrelevant here.
My point is that it is a shallow and not especially productive discourse. Companies respond to market incentives. If they have to compete for their market share they'll do stuff consumers want. If they don't because they have no competition, they'll focus on maximizing their profit margins at the expense of their customers, suppliers and everyone else.
These responses to incentives are in the DNA of every corporation, and any solution which ignores that will fail. Competition for the consumer's dollar is the key and what you need to promote. These are basic economic principles that go all the way back to Adam Smith; a lot of problems would be solved if more people were aware of their significance and considered restoring competition to markets where it has been eliminated a main function of our government.
Many CEOs are either paid by mythical "shareholder value" or beholden to it in the shape of a board; if they tried to go the Valve route they would likely get replaced too soon for the benefits to materialize.
> In most function vector spaces you encounter in mathematics, you can not say what the value of a function at a point is. They are not defined that way.
That is because they are not vector spaces of functions but a quotient of one.
Unless the maintainers are incompetent or uncooperative, this does not feel like a good strategy. It is a good strategy on Google's side because it is easier for them to manage.
This program discloses security issues to the projects and only discloses them after they have had a "reasonable" chance to fix it though, and projects can request extensions before disclosure if projects plan to fix it but need more time.
Google runs this security program even on libraries they do not use at all, where it's not a demand, it's just whitehat security auditing. I don't see the meaningful difference between Google doing it and some guy with a blog doing it here.
Great, so Google is actively spending money on making open source projects better and more secure. And for some reason everyone is now mad at them for it because they didn't also spend additional money making patches themselves. We can absolutely wish and ask that they spend some money and resources on making those patches, but this whole thing feels like the message most corporations are going to take is "don't do anything to contribute to open source projects at all, because if you don't do it just right, they're going to drag you through the mud for it" rather than "submit more patches".
Why should Google not be expected to also contribute fixes to a core dependency of their browser, or to help funding the developers? Just publishing bug reports by themselves does not make open source projects secure!
It doesn't if you report lots of "security" issues (like this 25-year-old bug) and give too little time to fix them.
Nobody is against Google reporting bugs, but they use automatic AI to spam them and then expect a prompt fix. If you can't expect the maintainers to fix the bug before disclosure, then it is a balancing act: Is the bug serious enough that users must be warned and avoid using the software? Will disclosing the bug now allow attackers to exploit it because no fix has been made?
In this case, this bug (imo) is not serious enough to warrant a short disclosure time, especially if you consider *other* security notices that may have a bigger impact. The chances of an attacker finding this on their own and exploiting it are low, but now everybody is aware and you have to rush to update.
> This is a bug in the default config that is likely to result in RCE, it doesn’t get that much worse than this.
Likely to get RCE? No. Not every UAF results in a RCE. Also, someone would have to find this and it's clearly not something you can easily spot from the code.
Google did extensive fuzzing to discover it.
The trade-off is that FFmpeg had to divert resources to fix this, when the chance it would have been discovered independently is tiny, and exploited even tinier.
The bug exists whether or not Google publishes a public bug report. They are no more making the project less secure than if some retro-game enthusiast had found the same bug and made a blog post about it.
Publishing bugs that the project has so that they can be fixed is actively making the project more secure. How is someone going to do anything about it if Google didn’t do the research?
Did you see how the FFmpeg project patched a bug for a 1995 console? That's not a good use for the limited number of volunteers on the project. It actively makes it less secure by taking away from more pertinent bugs.
The codec can be triggered to run automatically by adversarial input. The irrelevance of the format is itself irrelevant when ffmpeg has it on by default.
Publicizing vulnerabilities is the problem though. Google is ensuring obscure or unknown vulnerabilities will now be very well known and very public.
This is significant when they represent one of the few entities on the planet likely able to find bugs at that scale due to their wealth.
So funding a swarm of bug reports, for software they benefit from, using a scale of resources not commonly available, while not contributing fixes and instead demanding timelines for disclosure, seems a lot more like they'd just like to drive people out of open source.
I think most people learned about this bug from FFmpeg's actions, not Google's. Also, you are underestimating adversaries: Google spends quite a bit of money on this, but not a lot given their revenue, because their primary purpose is not finding security bugs. There are entities that are smaller than Google but derive almost all their money from finding exploits. Their results are broadly comparable but they are only publicized when they mess up.
> so Google is actively spending money on making open source projects better and more secure
It looks like they are now starting to flood OSS with issues because "our AI tools are great", but don't want to spend a dime helping to fix those issues.
According to the ffmpeg maintainer's own website (fflabs.eu) Google is spending plenty of dimes helping to fix issues in ffmpeg. Certainly they're spending enough dimes for the maintainers to proudly display Google's logo on their site as a customer of theirs.
Yes and if you look on ffmpeg’s site you’ll find a link where they promote hiring their devs independently as consultants for ffmpeg work. Note the names of those maintainers. Now go to fflabs.eu, observe that they are an ffmpeg consulting firm, scroll down on the main page and observe the Google logo among their promoted list of customers. Now click on the “team” link and check out the names of the people that run fflabs. Notice that they are some of the very same people listed in the ffmpeg main site. Ergo Google pays ffmpeg developers to work on ffmpeg.
> Note the names of those maintainers. Now go to fflabs.eu
> Now click on the “team” link and check out the names
Quite an investigative work you've done there: some maintainers may do some work that surely... means something?
Meanwhile, the actual maintainer is actually patching thousands of vulnerabilities in ffmpeg, including the recent ones reported by Google:
> So far I got 7560€ before taxes for my security work in the last 7 months. And that's why I would appreciate that Google, Facebook, Amazon and others would pay me directly. Also, that 7560 I only got after the Twitter noise.
The user is vulnerable while the problem is unfixed. Google publishing a vulnerability doesn't change the existence of the vulnerability. If Google can find it, so can others.
Making the vulnerability public makes it easy to find to exploit, but it also makes it easy to find to fix.
If it is so easy to fix, then why doesn't Google fix it? So far they've spent more effort in spreading knowledge about the vulnerability than fixing it, so I don't agree with your assessment that Google is not actively making the world worse here.
I didn't say it was easy to fix. I said a publication made it easy to find it, if someone wanted to fix something.
If you want to fix up old codecs in ffmpeg for fun, would you rather have a list of known broken codecs and what they're doing wrong, or would you rather have to find a broken codec first?
What a strange sentence. Google can do a lot of things that nobody can do. The list of things that only Google, a handful of nation states, and a handful of Google-peers can do is probably even longer.
Sure, but running a fuzzer on ancient codecs isn't that special. I can't do it, but if I wanted to learn how, codecs would be a great place to start. (In fact, Google did some of their early fuzzing work in 2012-2014 on ffmpeg [1].) Media decoders have been the vector for how many zero-interaction, high-profile attacks lately? Media decoders were how many of the Macromedia Flash vulnerabilities? Codecs that haven't gotten any new media in decades but are enabled in default builds are a very good place to go looking for issues.
Google does have immense scale that makes some things easier. They can test and develop congestion control algorithms with worldwide (ex-China) coverage. Only a handful of companies can do that; nation states probably can't. Google isn't all-powerful either: they can't make Android updates really work even though it might be useful for them.
You'd assume that a bad actor would have found the exploit and kept it hidden for their own use. To assume otherwise is fundamentally flawed security practice.
which bad actors would have more of, as they'd have a financial incentive to make use of the found vulnerabilities. White hats don't get anything in return (financially) - it's essentially charity work.
In this world and the alternate universe both, attackers can also use _un_published vulnerabilities because they have high incentive to do research. Keeping a bug secret does not prevent it from existing or from being exploited.