Dev Police
@DevPolice
I am the main developer fixing security issues in FFmpeg. I have fixed over 2700 Google OSS-Fuzz issues. I have fixed most of the BIGSLEEP issues. And I disagree with the comments @ffmpeg (Kieran) has made about Google. Of all companies, Google has been the most helpful & nice
And no, "you have to use asm for performance anyway" is not an excuse, because the security vulnerabilities are almost never in the asm code, they're in the C code that calls it. Keep writing the asm, that's not the problem.
Please don't tag me in programming language flamewars. Expecting volunteer-run projects to always address CVEs quickly is not reasonable. Promoting unsafe languages for popular libraries that have huge attack surface is not responsible. Two things can be true at once.
I've been reverse engineering the xz backdoor this weekend and have documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so I patched my own key into the backdoor for testing. :-) https://t.co/CvKo3xPRkP
Culture at Google is so dead they don't even bother with their traditional April Fool's Day anymore
How bad it would have been, should the xz backdoor have gone through, is hard to realize.
The xz backdoor is, well, setting a fire under the entire Linux ecosystem... but I'm also so impressed with how it was set up: 2-yr maintainership, oss-fuzz, etc. ...and who knows how long it would've stayed undetected if the injected sshd code ran faster (<600ms) Highlights: