Comment by jiggawatts
9 hours ago
Sorry, but that is an insanely defeatist attitude blended with a hint of blaming users for wanting features.
Image decoders are pure functions and all should have been rewritten as 100% safe Rust years ago.
Users need functionality.
It’s up to us to figure out how to provide that safely.
Saying to users they shouldn’t have those features isn’t sage advice, it’s admitting failure.
The thing is, nobody's happy just previewing jpegs and pngs.
Before you know it, people want to preview SVGs, PDFs, video, HTML and so on.
And to do that properly means you've got to support obscure formats like JBIG2 and CCITT Fax. Malicious vector images with a billion elements to render. XML that lets one file embed another.
And good luck getting the budget to re-implement them all from scratch in a better language, when the only business value the feature delivers is a postage-stamp-sized preview image.
Perfection is the enemy of the perfectly good.
And let's be honest, you'll have what, 0.0001% of users who want to preview CCITT in 2026? Less? Probably less.
The business value is reduced attack surface which is a marketable attribute. Seems like the exact type of thing Apple would do.
Most of these are solved problems to one degree or another. Web browsers have generally switched over to decoding legacy unsafe formats like PDF using safe managed languages, typically JavaScript.
> JBIG2 and CCITT Fax
Since performance isn't such a critical concern with obscure legacy formats, it really wouldn't be much more than a day or two of work for a competent developer with AI agent tooling to convert an existing decoder to safe Rust.
Meta set nearly a hundred billion dollars on fire for a total failure that everybody saw coming, a trillion dollars is what the current AI investment crazy is pouring into concrete and TSMC chips, but... a couple of days for a developer is asking too much!?