@0xabad1deaabadidea I feel the same when I have to explain that FFMPEG rawdogging assembly is not the "performance" tradeoff that people should look at and go "holy based".
They openly admit to lying about ABI-stability when they know damn well they re-shuffle enum values between random updates. Why the fuck would anyone trust them to be able to maintain assembly code with instructions that look like passwords?
The code is already unreadable, the specs for it are buried in NDAs and patent hellholes, which doesn't matter because FFMPEG is very proud to diverge from specs. That codebase does not need to include assembly to become a security nightmare and going "see no evil hear no evil" while closing your eyes and plugging your ears doesn't fucking work because some fucker is 100% gonna speak a lot of evil. Media files are historically one of the most reliable things to look into if you're looking for a 0-click 10/10 RCE.
It is impossible to trust a review of projects like these, I don't care how skilled and certified the team signing off on it was, if they don't find anything they did not understand what they were reading and one day someone on the red team will do a better job than them.