Microsoft employee:

Hi, This is a high priority ticket and the FFmpeg version is currently used in a highly visible product in Microsoft. We have customers experience issues with Caption during Teams Live Event. Please help

Maintainer’s comment on twitter:

After politely requesting a support contract from Microsoft for long term maintenance, they offered a one-time payment of a few thousand dollars instead.

This is unacceptable.

And further:

The lesson from the xz fiasco is that investments in maintenance and sustainability are unsexy and probably won’t get a middle manager their promotion but pay off a thousandfold over many years.

But try selling that to a bean counter

  • prosp3kt@lemmy.dbzer0.com
    6 months ago

    MIT license to make money is bad because of this. You shouldn’t make money or ask me for support in the first place if you aren’t sharing earnings bitch. This should be forbidden by law because software is given AS IS.

    • AA5B@lemmy.world
      6 months ago

      Maybe OP didn’t share enough context, because this whole thing looks like a big over-reaction on their part.

      • There’s no accusation of misusing the license, so they’re using it properly
      • there’s a bug tracker, which they used for a bug report
      • OP demanded money when there was no expectation of it

      So what’s going on here? With the information given, Microsoft did what they should have and OP is acting the huge asshole

      • GoodEye8@lemm.ee
        6 months ago

        The rest of the tweets definitely don’t make him appear as less of a self-righteous ass.

        This actually made me cringe:

        Your weekly reminder that FFmpeg powers all online video - Youtube, Facebook, Instagram, Disney+, Netflix etc etc, all run FFmpeg underneath

  • TechNom (nobody)@programming.dev
    6 months ago

    I wonder if these trillion dollar companies offer support contracts for astroturfing on social media on their behalf. I can’t think of any other way so many people are supporting their sociopathic attitude.

    • Buttons@programming.dev
      6 months ago

      Cognitive dissonance.

      For a lot of people, either they accept “this trillion dollar corporation that controls all my computers, and the programming languages I use, and my code editor, is evil”. Or they accept “this trillion dollar company does lots of good things for me and is good”.

      One is easier to accept than the other.

  • Vahtos@programming.dev
    6 months ago

    It’s so ridiculous that this isn’t even brought up:

    The Command you provided worked fine. Thank you so much for the help! Really appreciated! We are going to proceed to make a release today and test with customers. Will post the updates here.

    Gotta love being a forced beta tester… I mean customer.

    • infinitepcg@lemmy.world
      6 months ago

      If the live version is already broken, there isn’t much to lose deploying the fix as soon as possible. Not sure what else they could have done here.

      • notfromhere@lemmy.ml
        6 months ago

        There are likely other changes made since they released that version to their customers, so the risk is other things in addition to the current thing get broken.

        • Logi@lemmy.world
          6 months ago

          There is zero chance that they’ll just build from the latest main branch and release that tomorrow. Or that whatever build they make goes directly to general distribution.

          They’ll make a build from the last release plus this patch and send it to a few customers who have complained. Then they’ll think about making a release with this and perhaps other bug fixes.

          • notfromhere@lemmy.ml
            6 months ago

            If the Microsoft person making this request can’t update a command line switch, I seriously doubt they will try to build from source with a patch.

    • floofloof@lemmy.ca
      6 months ago

      That does kind of admit what we all suspected about Microsoft’s QA since they fired the whole testing team in 2014.

    • treadful@lemmy.zip
      6 months ago

      Man, must be rough to be an MS engineer and do work in public. Ignoring the financial aspect, can’t say I’ve never had a similar ticket and resolution.

  • 42Firehawk@lemmynsfw.com
    6 months ago

    Hilariously the issue was just a setting change in the update, that you can easily change via a command option. They saw the thing didn’t work, and didn’t read the change log at all before asking to pay a one time fee to guarantee it be maintained for them.

      • 42Firehawk@lemmynsfw.com
        6 months ago

        The problem is that Microsoft wants to pay that for a permanent “never maintain in a way that breaks caption decoding in any default behaviour we use” with that one time payment.

        It’s a quick fix on Microsoft’s end to change a quick flag in ffmpeg. It’s also quick on their end to maintain a fork that only changes the default. One time payments for maintenance make open source projects like ffmpeg subject to fail.

    • brygphilomena@lemmy.world
      6 months ago

      Yes, they should have read the update notes. But I don’t see much in the way of documentation regarding the data_field cli option in their documentation even now.

  • Corngood@lemmy.ml
    6 months ago

    Hi, This is a high priority ticket and the FFmpeg version is currently used in a highly visible product in Microsoft. We have customers experience issues with Caption during Teams Live Event. Please help,

    Use -data_field first as decoder option in CLI. Default value was changed from first to auto in latest FFmpeg version. Or modify AVOption of same name in API for this decoder.

    Thanks @Elon for the reply, This is the command we are currently using: ffmpeg.exe -f lavfi -i movie=flvdecoder_input223.flv[out+subcc] -y -map 0:1 ./output_p.srt

    I will be looking to see any updates in the FFmpeg documentation. Can you please elaborate and provide pointers to the right decoding options or the right FF command we can use. Thank you!

    ffmpeg.exe -data_field first -f lavfi -i movie=flvdecoder_input223.flv[out+subcc] -y -map 0:1 ./output_p.srt

    God that’s fucking brutal. This isn’t even asking them to fix a bug, it’s just basic help-desk shit.

    I’m sure Microsoft has some good devs that are a net benefit to the open source projects they use, but this is not one of them.

    • 30p87@feddit.de
      6 months ago

      That’s the level of an intern that has never even seen a command. Imagine not being able to literally cat a string with another string, aka. add -data_field first to a command.

    • PsychedSy@lemmy.dbzer0.com
      6 months ago

      Raymond Chen. Hilariously enough, his best blog posts involve him jumping through hoops for MSFT customers with support contracts.

    • ReversalHatchery@beehaw.org
      6 months ago

      That, but they couldn’t even insert the advised parameter to the command themselves, instead they had the capacity to basically demand improvement to the documentation, from those “filthy ffmpeg developers”

    • kakes@sh.itjust.works
      6 months ago

      Lmao even after providing a well explained answer, they still had to manually add the flag to their command for them.

    • pleasejustdie@lemmy.world
      6 months ago

      If you’ve ever been forced to use Teams you must already know they scraped the bottom of their talent barrel for the team that works on it… The software is shit, riddled with bugs to the point where at one point I used to only be able to use teams on my browser because the desktop app just decided to never let me access the text chat, and the browser version I would load it would be a white screen and I would have to refresh 3 times for it to load. But at least it worked after those 3 refreshes. And it was exactly 3 refreshes every single time, never 2, never 4, and 5 was right out. It was always without fail 3 refreshes. Whether loading from Firefox, Chrome, or Edge. Fortunately we don’t have too many meetings with people using Teams these days, so I haven’t had to use it in a while, but it’s easily in my top 5 worst software I’ve been forced to deal with. Maybe Top 3. But it’s still miles behind Magento. Fuck Magento, just thinking of it right now gets my blood pumping and I refused to work with it ever again about 10 years ago… Fuck Magento. Teams is at least a distant 2nd or 3rd to that. Absolute crap.

      • spartanatreyu@programming.dev
        6 months ago

        There’s a reason Teams is/was shit.

        The first teams was written in AngularJS (which is a slow to run resource hog, but fast to develop) wrapped in Electron. It was kind of a minimum viable product, just to build something quickly to get some feedback and stats on what people needed.

        The plan was to build a new native version of teams and build it into the next windows while having a web fallback (built on react) for everyone else.

        They stopped working on the original teams and started working on the new versions.

        They got half-way through working on the native and react versions when suddenly, covid happened.

        They couldn’t keep working on the new versions because they wouldn’t be ready for a while, so they had to go back and resume development on the old one, introducing patch after patch to quickly get more features in there (like more than 2 webcam streams per call).

        Eventually covid subsided and they were able to resume development on the new teams versions.

        Windows 11 launched with a native teams version (which has less features but runs super quick), and the new react based teams (which can now be downloaded in a webview2 wrapper) has been in open beta since late last year (if you’ve seen the “Try the new Teams” toggle, then you’ve seen this). The React+Webview2 teams will replace the AngularJS+Electron version as the default on July 7th.

        • No_Eponym@lemmy.ca
          6 months ago

          “New Teams” has been so painful for me, but if I understand correctly that is because my work is still on Windows 10. The Windows 11 version works better than the React version?

          • spartanatreyu@programming.dev
            6 months ago

            The windows 11 teams runs better, but if you’re using a school or work account, you need to use the old AngularJS+Electron version, or the new React+Webview2 version.

            So for the time being, the Windows 11 teams is more catered for personal use only. It’s kind of like a modern reboot of Microsoft’s old MSN Messenger. It was included in Windows 11 (rebranded as “Chat”) but it’s been unbundled from Windows 11 installs and I think rebranded again. But not having the school/work account support means not a lot of people use it.

            The transition between the AngularJS+Electron version and the React+Webview2 versions is happening now. At some point soon, anyone who is running an OS too old to run the new teams will be forced to use the browser version.

            So after their transition, we’ll have to wait and see if they add the school/work account support to the native version because everyone using teams right now only uses those accounts.

      • Codex@lemmy.world
        6 months ago

        I’m convinced it’s the whole B-2-B software world at this point. The shit starts at MS (or any of the FAANGS) and rolls downhill to everyone else.

        We’re working on a huge Dynamics 365 thing at work, and one of the third parties we use for automated testing is just… the product seems barebones, is clearly built on top of an open source automated testing tool, and is riddled with indicators that barely anyone works there, from the AI help bot to the “submit a ticket and we’ll assign it eventually” approach to all other interactions.

        I looked them up on LinkedIn and 12 people work there. 8 of them have C-suite or VP titles, and 4 of them are interns from a local university. This is the state of all modern tech: a board room full of investors, a website, and a product barely glued together from FOSS parts by interns. If you wonder why everything feels like a scam now it’s because it is.

        • Oliver Lowe@apubtest2.srcbeat.com
          6 months ago

          Found the guy who created the FFMpeg ticket on LinkedIn. Job title: “Principal software engineer”, saying they are “A detailed, analytical Software Engineer with Eighteen years of experience”. 18 years?! Fuck me dead…

        • boonhet@lemm.ee
          6 months ago

          We’re working on a huge Dynamics 365 thing at work

          So I had two interviews at a Dynamics 365 partner, until they ended up restructuring internally and said they’d “get in contact if they have need for new devs”… Then later I interviewed at an Odoo partner, got the job and ya know what? I’m glad I didn’t get the Dynamics 365 partner job. Not only is our core product FOSS, it actually feels pretty nice as an end user too.

          You probably can’t change things at your job, which sucks, but anyone looking at ERP solutions should probably consider Odoo as an option.

      • redcalcium@lemmy.institute
        6 months ago

        So what are microsoft’s crack teams working at? typescript? xbox? vscode? Because those are the smoothest microsoft products I tried so far. The rest seem to get the bottom of the barrel these days.

    • cm0002@lemmy.world
      6 months ago

      You got this dumbass at MS and then you’ve got the other MS guy who’s a god damn hero that very well might have saved the world atm lmao

      • DeadlineX@lemm.ee
        6 months ago

        Jon Skeet? He’s my hero, but he hasn’t worked at MS for quite some time I believe.

        • kbotc@lemmy.world
          6 months ago

          He’s talking about Andres Freund, who uncovered the OpenSSL backdoor that was slipped into liblzma from the xz malicious maintainer. Dude saw a valgrind error and a function with a fixed runtime was taking too long and using too much CPU and reversed out and saved a major ssh backdoor from going upstream as Fedora was going to release it just days later.

    • Oliver Lowe@apubtest2.srcbeat.com
      6 months ago

      I’m sure Microsoft has some good devs that are a net benefit to the open source projects they use, but this is not one of them.

      Found the guy who created the FFMpeg ticket on LinkedIn. Job title: “Principal software engineer at Microsoft”, saying they are “A detailed, analytical Software Engineer with Eighteen years of experience”. 18 years?! Fuck me dead…

    • ChickenLadyLovesLife@lemmy.world
      6 months ago

      I’m sure Microsoft has some good devs

      I’m sure they do too, but I’ve been surprised many times by the former coworkers I’ve learned have ended up working for Microsoft. To put it politely, they were generally not the best programmers I’ve ever worked with.

  • smb@lemmy.ml
    6 months ago

    after looking at the ticket myself i think the relevant things IMHO are:

    • a person filed a bug report due to not seeing what changes in the new version caused a different behaviour
    • that person seemed pushy, first telling the dev where patches should be sent to (is this normal? i guess not, better let the dev decide where patches go or -in this case- if patches are needed at all), then coming up with ceo style wordings (highly visible, customer experience of untested but nevertheless released to live product is bad due to this (implicitly “your”) bug)
    • pushiness is counterparted by “please help”
    • free-of-charge consulting was given by the one pointing to changes likely being visible in changelog (i did not look though) but nevertheless it was pointed out to the parameter which assumes RTFM (if docs were indeed updated) that a default value had changed and its behavior could be adjusted by using that given parameter.

    up to there that person -belonging to M$ or not (don’t know and don’t care) - behaved IMHO rather correctly, submitting a bug report for something that looked like it, being a bit pushy, wanting priority, trying to command, but still formally at least “asking” for help. but at that point the “bug” seemed to have been resolved to me, it looks like the person was either not reading the manual and changelog, or maybe manual or changelog lacks that information, it was stated later that documentation could not be found but that was not reacted to despite every other thing got answered i guess that person just did not really read neither changelog nor manual.

    instead - so it seems to me - that person demanded immediate and free-of-charge consulting of how exactly the switch should be used to work in that specific use case which would imply the dev looks into the example files, maybe try and error for himself just so that that person does not need to neither invest the time to learn use the software the company depends on, nor hire a consultant to do the work.

    i think (intentional or not) abusing a bug tracker for demanding free-of-charge enduser consulting by a dev is a bad idea unless one wants(!) to actively waste the precious time of the dev (that high priority ticket for the highly visible already live released product relies on) or has even worse intentions like (worst case scenario thinkable):

    • uploading example files with exploits in them, pointing to the exact versions that include the RCE vulnerability that sample file would abuse and the “bug” was just reported cause it fits the version needed for exploitation and pressure was made by naming big companies to maybe make the dev run a vulnerable version on it on his workstation before someone finds out, so that an upstream attack could take place directly on the dev’s workstation. but that’s just creating a fictive worst case scenario.

    to me this clearly looks like a “different culture” problem. in companies where all are paid from basically the same employer, abusing an internal bug tracker for quick internal consulting would probably be seen as just normal and best practice because the dev who knows and is actually working on the code is likely to have the solution right at hand without thinking much while the other person, who is in charge of quick fixing an untested but already live to customers released product, does not have sufficient knowledge of how the thing works and neither is given the time to learn or at least read changelogs and manual nor the time to learn the basics of general upstream software culture.

    in companies the https://en.m.wikipedia.org/wiki/Peter_principle could be a problem that imho likely leads to such situations, but this is a guess as i know nobody working there and i am not convinced that that person is in fact working for the named company, instead in that ticket shows up a name that i would assume to be a reason to not rely too much about names in the ticket system always be realnames.

    the behaviour that causes the bad postings here in this lemmy thread is to me likely “just” a culture problem and that person would be advised well if told to learn to know the open source culture, netiquette etc and learn to behave differently depending on to who, where and how they communicate with, what to expect and how to interact productively to the benefit of their upstream too, which is the “real price” all so often in open source. it could be that in the company that rolled out the untested product it is seen to be best practice to immediately grab the dev who knows a software and let him help you with whatever you can’t on your own (for whatever reason) whenever you manage to encounter one =]

    i assume the pushiness could likely come from their hierarchy. it is not uncommon that so called leaders just create pressure to below because they maybe have no clue of the thing and not want to gain that clue, but that i cannot know, it’s just a picture in my head. but in a company that seems to put pressure on releasing an untested product to customers i guess i am not too wrong with the direction of that assumption. what the company maybe should learn is that releasing untested and/or unfinished products to live is a bad habit. but i also assume that if they wanted to learn that, they maybe would have started to learn it like roundabout 2 decades ago. again, i do not know for what company that person works -or worked- for, could be just a subcontractor of the named one too. and also could be that the pushiness (telling it’s for m$, that it’s live, has impact to customers etc) was really decided by someone up the ladder who would have literally no experience at all on how to handle upstream in such situations. hierarchies can be very dysfunctional sometimes and in companies saying “impact to customers” sometimes is likely the same as saying “boss says asap”.

    what i would suggest their customers (those who were given a beta version as production ready) should learn is that when someone (maybe) continuously delivers differently than advertised, that after some few times of experiencing this, the customer would be insane when assuming that that bad behaviour would vanish by pure hope + throwing money into hands where money maybe already didn’t help improving their habits for assumingly decades. And when feeding everhungry with money does not resolve the problems, that maybe looking towards those who do have a non-money-dependant grown-up culture could actually provide more really usable products. Evaluation of new solutions (which one would really be best for a specific usecase i.e.) or testing new versions before really rolling them out to live might be costly especially when done throughout, but can provide a lot of really high valuable stability otherwise unreachable by those who only throw money at shareholders of brands and maybe rely on pure hope for all of the rest. Especially when that brand maybe even officially announced to remove their testing department ;+) what should a sane and educated customer expect then ? but again to note, i do not know which companies really are involved and how exactly. from the ticket i do not see which company that person directly works for, nor if the claim that m$ is involved is a fact or just a false claim in hope for quicker help (companies already too desperate to test products before live could be desperate again in need for even more help when their bad habits piled up too long and begin falling on their heads)

    UPDATES: smaller corrections i overlooked and:

    amazingly despite demanding free-of-charge consulting service through a bug report without even a bug present, that person just got help. it seems now that even trillion dollar companies can’t afford to create usable products or fulfill their promises made to customers without the help of grown-up open source culture the worldwide IT securely relies upon. the company that once called open source a “cancer” seems to not be able here to achieve success without the superior OSS culture. must be poor people there leading a trillion dollar company that despite more money one could count in a lifetime seems to be unable to secure the company’s success fulfill promises and give their software stability without the desperate need of voluntary free help from the cultured non-profit world who makes the world a better place =) maybe money just can’t fix bad leadership bad company culture or even buy stability. by the way that promise “Will post the updates here.” of that person in the ticket seemingly did not get fulfilled up to now (11 months so far), should one count that as yet another unfulfilled promise of the company involved? wait until it reaches one or 5 years of unfulfilledness? or better ignore such a minor thing? maybe bashing is just not what culture is about. or maybe bashing is just sort of an immune reaction of society against those who profit from society by abusing false promises they can’t hold and blinding their customers to stay to systems that stay insecure and unstable, need unimaginable amounts of support just to stay up and running and thus binding lots of societies resources to products they can’t even afford fixing by themselves causing huge amount of damages in society year for year for generations while claiming the opposite? maybe

    • Oliver Lowe@apubtest2.srcbeat.com
      6 months ago

      I think you’ve done a fair summary that deconstructed the simple narrative of “evil corporation steals from the poor”. Well, for me it did ;)

      to me this clearly looks like a “different culture” problem.

      That is a key point. To me it is surprising that a developer of such supposed seniority was not aware of (or doesn’t care about, or is so pushed for time, or just insensitive to?) the culture differences. That surprise made me jump to conclusions, leading to outrage and frustration.

      Deep in my soul I believe Microsoft really is an evil corporation that steals from the poor. But in this specific instance, your summary made me think of Hanlon’s razor.

  • Supervisor194@lemmy.world
    6 months ago

    I am confused. I realize this is just a flag change not even a dev problem but PEBKAC, still - in the event of an actual bug, why wouldn’t Microsoft have a dev contribute to the project and fix it instead of just opening a ticket?

    • vzq@lemmy.blahaj.zone
      6 months ago

      Filing an issue quickly is good etiquette. Then you can discuss in the ticket the best way to solve/work around.

      • TechNom (nobody)@programming.dev
        6 months ago

        The devs don’t take an issue with the ticket being filed. They’re irritated by one particular reply which sounds like “My million dollar product depends on this bug fix. Please do that for me”. MS isn’t offering a solution. They’re asking for one.

        To be fair MS offers an amount for the fix. Most companies just bully the devs instead. However, I don’t think it’s quite fair (though legal) to offer one time payments for a core library that they use.

  • bigiain@aus.social
    6 months ago

    @Sibbo I propose a xz style subversion of the code or a dependency, to ensure ffmpeg runs poorly on Windows and Azure.

  • vzq@lemmy.blahaj.zone
    6 months ago

    FFMPEG is a core technology. You literally cannot do anything with video without touching FFMPEG at multiple places in the stack.

    The fact that we have billions of dollars of revenue flowing through that software every day, but we rely on VOLUNTEERS to maintain it shows exactly how hollow the whole SV entrepreneur culture really is.

    Bunch of fucking posers wouldn’t know performance code if it kicked them in the face.

    • grue@lemmy.world
      6 months ago

      The fact that we have billions of dollars of revenue flowing through that software every day, but we rely on VOLUNTEERS to maintain it shows exactly how hollow the whole SV entrepreneur culture really is.

      Exactly: I’m not mad about important things being run by volunteers – arguably, that’s a good thing because it means project decisions are made uncorrupted by profit motive – but I am mad about the profit being reaped elsewhere on the backs of their free labor.

      • jeremyparker@programming.dev
        6 months ago

        arguably, that’s a good thing because it means project decisions are made uncorrupted by profit motive

        Argue-er here, chiming in. This statement could be interpreted as considering only half of the central relationship of capitalism. (Capitalism isn’t just about deriving profit from the control of surplus, it’s about the relationship between surplus and scarcity. Surplus doesn’t mean shit if no one wants what you have.)

        The decisions that volunteers make may not be motivated by the desire/ability to make profit, but they can be (and often are) motivated by the opposite; they have to account for the fact that their volunteer work is labor that isn’t contributing to their survival – aka, their day job. The demands placed on them by their other responsibilities will have to take precedence over the volunteer project.

        In practice, this means they have to take shortcuts and/or do less than they would like to, because they don’t have time to devote to it. It’s not exactly the same end product as if it was profit-seeking, since that can tempt maintainers into using dark patterns etc, but they’re similar.

        Ideally, they would have all the money they needed, didn’t have to have regular jobs, but also had families/friends/hobbies that would keep them from over-engineering ffmpeg.

        To say this in a simpler/shorter way (TL;DR), their decisions can be motivated by the fact that they aren’t making money from it, don’t have enough time or resources to do everything they might want.

        (Why is this so long?? I’m bored in the train, gotta kill the time somehow…why not say in 1000 words what I could have said in 100)

      • Royce@mastodon.social
        6 months ago

        @grue @vzq this is such an interesting space. The general public has no idea how much of their software relies on open source code and voluntary community contributions. There have been so many attempts to figure out a way to compensate these maintainers, but it doesn’t seem like anything has really become the de facto solution. Open Collective and Tidelift are the closest things I can think of.

      • Rich Felker@hachyderm.io
        6 months ago

        @grue @vzq The key is that these folks are supposed to have both freedom & power to set direction independent of corporate shit, *and* compensation for their labor.

      • TechNom (nobody)@programming.dev
        6 months ago

        Those same companies tell you that their products that you paid for don’t belong to you. You are just buying a license to use them. Sadly, this asinine concept is spreading even to hardware markets.

        I think it’s fair to ask them to take their own bitter pill. They should also invest without owning.

    • Avid Amoeba@lemmy.ca
      6 months ago

      Bunch of fucking posers wouldn’t know performance code if it kicked them in the face.

      You mean JavaScript right?

      • TehPers@beehaw.org
        6 months ago

        These days it’s all about Python, with AI being the hype and all. JS can at least try to compete.

  • NauticalNoodle@lemmy.ml
    6 months ago

    “A failure to plan on your part does not constitute an emergency on my part.” -Someone hopefully working on ffmpeg.

    • Oliver Lowe@apubtest2.srcbeat.com
      6 months ago

      “A failure to plan on your part does not constitute an emergency on my part.”

      Wow now that is a quote I’m going to steal. Wondering if “A failure to understand on your part does not constitute an emergency on my part.” has the same punch or is as relevant… anyway, thanks for sharing!

      • duviobaz@lemmy.blahaj.zone
        6 months ago

        In this case, it’s actually Microsoft’s fault. There is no bug in ffmpeg, Microsoft just didn’t properly use it

      • smb@lemmy.ml
        6 months ago

        the xz vulnerability was done through a superfluous dependency to systemd, xz was only the library that was abused to use systemd’s superfluous dependency hell. sshd does not use xz, but systemd does depend on it. sshd does not need systemd, but it was attacked through its library dependency.

        we should remove any pointless dependencies that can be found on a system to prevent such attacks in future by reducing dependency based attack vectors to a minimum.

        also we should increase the overall level of privilege separation where systemd is a good bad example, just look at the init binary and its capability zoo.

        The company who hired “the” systemd developer should IMHO start to really fix these issues !

        so please hold your “$they have fixed it” back until the root cause that made the xz dependency level attack possible in the first place has been really fixed =)

        Of course pointing it out was good, but now the root cause should be fixed, not just a random symptom that happened to be the first visible attack that used this attack vector introduced by systemd.