So, other than the obvious writing things in #C in the 21st century, how did #Google fuck up on the #webp implementation?
LisPi (lispi314@mastodon.top)'s status on Monday, 02-Oct-2023 14:46:27 JST
tsoifan1997 (sysrq@lab.nyanide.com)'s status on Monday, 02-Oct-2023 14:46:19 JST
@hayley @lispi314 Literally.
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 02-Oct-2023 14:46:19 JST
@sysrq @hayley @lispi314 What's OP? Can't see it, mastodon.top is clearly dildos of some sort.
Hayley (hayley@social.applied-langua.ge)'s status on Monday, 02-Oct-2023 14:46:26 JST
@lispi314 just don't write bugs bro git gud /j
this ad CAN be blocked, bitch (kirby@lab.nyanide.com)'s status on Monday, 02-Oct-2023 14:46:45 JST
@lispi314 @sysrq cc @p
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 02-Oct-2023 14:46:45 JST
@kirby @lispi314 @sysrq C is a delightful language.
this ad CAN be blocked, bitch (kirby@lab.nyanide.com)'s status on Monday, 02-Oct-2023 14:46:46 JST
@lispi314 cc @sysrq @p @everyone who writes c
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 02-Oct-2023 14:57:16 JST
@m0xEE @kirby @lispi314 @sysrq
> Does anyone of you use WebP for any other purposes except for posting it on the Web?
I don't use it for anything besides seeing shit that people haven't bothered to convert to a good format yet.
m0xEE (m0xee@breloma.m0xee.net)'s status on Monday, 02-Oct-2023 14:57:17 JST
@lispi314
I think C has little to do with it. The biggest problem is that while it's considered "an open standard" by many, it's not that: there is only one major implementation and it's Google's own implementation, and others have little to no interest in contributing to it as it will remain Google's implementation in any case.
So there is a sole implementation that is used, in addition to the obviously very popular Chrome itself, by a lot of software. If that software has anything even remotely to do with images: why don't we add WebP support, right? So in addition to all the browsers, this shit is now everywhere.
Why the fuck does ffmpeg in my system depend on libwebp? I don't know. Does anyone of you use WebP for any other purposes except for posting it on the Web? I don't, and I doubt that anyone does: its advantages over existing formats are negligible for personal use, but it still makes sense for Google as they serve petabytes of data and even 10% makes a huge difference.
I might have digressed, but anyway: as it is used in software that is present in virtually every system, and in addition to that it's the same implementation, it makes libwebp a very attractive target for attacks. Monoculture is never good. This sole implementation is closely studied by those who intend to exploit it, and this is where the C factor might come into play.
Another problem is that Google doesn't give a fuck about how and where their library is used, because they only care about how it's being used in Chrome. Chrome offers some means of isolation: if one tab gets compromised, others are safe. And to me it looks like that is exactly what they think: "Oh, it's not that bad, it's isolated!" And that is true, and the same is true for Android. But is it isolated in ImageMagick? No, it's not. And when this vulnerability hit the news, that is exactly what one person came up with in the comments on HackerNews: let's isolate/containerize it for ffmpeg and ImageMagick too. That's insane! Nowadays it's assumed that everything is isolated/containerized, but in reality it's not. And it shouldn't be!
@kirby @p @sysrq
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 02-Oct-2023 15:47:04 JST
@sysrq @hayley @lispi314 Well, this got me blocked.
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Monday, 02-Oct-2023 15:47:17 JST
@p @sysrq @lispi314 @hayley :alex_lol:
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 02-Oct-2023 16:12:02 JST
@dcc @hayley @lispi314 @sysrq Ah, it was probably just that hayley realized she hadn't blocked me already. We go way back.
taking_out_fse.png
mia (mia@freespeechextremist.com)'s status on Monday, 02-Oct-2023 16:31:28 JST
@p @m0xEE @kirby @lispi314 @sysrq
Having a cron job to split webp into frames and gif multi / png single frames has been very nice.
> But it's sub-optimal.
t. Google software fans.
m0xEE (m0xee@breloma.m0xee.net)'s status on Monday, 02-Oct-2023 19:45:46 JST
@p
Yeah, same here! Even in Firefox I have them disabled with image.webp.enabled=false, same for VP9 with media.mediasource.vp9.enabled and probably some other Google shit that I don't even remember.
And there've been only a few cases when I cared enough to actually download the file, convert it manually and see what's in it. Most of the time I just ignore them :marseysmug2:
Problem is, I've been encountering these more and more often in the wild recently. I suspect that one of the authors of some Fedi software like Firefish has decided that saving a few kilos is worth it and implemented an automatic conversion to WebP. I just can't imagine that a lot of people have decided to adopt it all of a sudden, especially with all those vulnerabilities discovered.
I remember when they did it in Nitter and I had to patch this shit out myself for my instance. Why people decide to adopt it is beyond me. Like I said earlier, the advantage is negligible in the absolute majority of cases; even if it's only a few lines of code, the added complexity is not worth it. And I don't even see a lot of interest from developers TBH; there are just a few people who run around submitting these patches, and devs usually just go with it because: "Why not? Looks good on paper!"
Anyway, I should probably start a media proxy or something that would do the conversion for me. Or maybe I should just keep ignoring WebP images. Haven't decided yet :marseylaughwith:
@kirby @sysrq @lispi314
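mia's cron job and m0xEE's idea of a media proxy both hinge on the same first step: recognising a WebP file by its container header (not by extension or Content-Type) and deciding whether it is animated (multi-frame to GIF) or still (single frame to PNG), without handing the bytes to a full decoder at that point. The following is an added example written for this thread, not code from any poster or from libwebp; it parses only the RIFF/WEBP container and the first chunk's fourcc (plus the VP8X flag byte for the extended format), and the `plan_conversion` policy and the `build_sample` test inputs are assumptions of the example. Files whose RIFF length field disagrees with the actual byte count are routed to `reject` so that a malformed container never reaches the decoder step at all.

```python
import struct

# Flag bits of the first byte of the VP8X chunk payload (WebP extended format).
VP8X_ANIMATION = 0x02
VP8X_ALPHA = 0x10


def inspect_webp(data: bytes):
    """Parse only the RIFF/WebP container header; never decodes image data.

    Returns None if the bytes are not a WebP container, otherwise a dict with
    the first chunk type, whether the file is animated, and whether the RIFF
    length field agrees with the actual number of bytes.
    """
    if len(data) < 20 or data[0:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_size = struct.unpack_from("<I", data, 4)[0]
    fourcc = data[12:16]
    chunk_size = struct.unpack_from("<I", data, 16)[0]
    info = {
        "chunk": fourcc.decode("ascii", "replace"),
        "animated": False,
        "lossless": False,
        # The RIFF size field counts every byte after the 8-byte RIFF header.
        "size_consistent": riff_size + 8 == len(data),
    }
    if fourcc == b"VP8 ":
        info["kind"] = "simple-lossy"
    elif fourcc == b"VP8L":
        info["kind"] = "simple-lossless"
        info["lossless"] = True
    elif fourcc == b"VP8X":
        info["kind"] = "extended"
        # VP8X payload is 10 bytes: flags, 3 reserved, 24-bit width-1, 24-bit height-1.
        if chunk_size < 10 or len(data) < 20 + 10:
            info["size_consistent"] = False
        else:
            flags = data[20]
            info["animated"] = bool(flags & VP8X_ANIMATION)
            info["alpha"] = bool(flags & VP8X_ALPHA)
    else:
        info["kind"] = "unknown"
    return info


def plan_conversion(data: bytes):
    """Policy (an assumption of this example) for an incoming file:

    None     -> not WebP, pass through untouched
    'reject' -> WebP whose container header is inconsistent; do not decode it
    'gif'    -> animated WebP, all frames into one GIF
    'png'    -> still WebP, one PNG
    """
    info = inspect_webp(data)
    if info is None:
        return None
    if not info["size_consistent"] or info["kind"] == "unknown":
        return "reject"
    return "gif" if info["animated"] else "png"


def build_sample(fourcc: bytes, payload: bytes) -> bytes:
    """Constructed test input: a WebP container holding one chunk and no real
    image data, just enough to exercise the header parser."""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload
    if len(payload) % 2:
        chunk += b"\x00"  # RIFF chunks are padded to an even length
    body = b"WEBP" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    animated = build_sample(b"VP8X", bytes([VP8X_ANIMATION, 0, 0, 0]) + b"\x00" * 6)
    still = build_sample(b"VP8 ", b"")
    print(inspect_webp(animated), plan_conversion(animated))
    print(inspect_webp(still), plan_conversion(still))
    print(plan_conversion(animated[:-4]))          # truncated container -> reject
    print(plan_conversion(b"\x89PNG\r\n\x1a\n"))   # not WebP -> None
```

In a real job the `gif`/`png` results would be fed to the actual converter (for example the `dwebp` and `anim_dump` tools shipped with libwebp); the point of the header pass is that the decision, and the rejection of obviously inconsistent files, happens before any decoder touches the data.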
laurel (laurel@freespeechextremist.com)'s status on Monday, 02-Oct-2023 21:33:08 JST
@m0xEE @kirby @lispi314 @p @sysrq
(schizo take)
Webp is intentionally vulnerable so that they can push mandatory media signing modeled after ssl certification (c2pa.org, basically digital identity with certification authorities being the issuers).
di.png
† top dog :pedomustdie: (dcc@annihilation.social)'s status on Tuesday, 03-Oct-2023 10:29:39 JST
@laurel @m0xEE @p @kirby @sysrq @lispi314