2026-03-27 23:20:12 UTC
arihi on Nostr:

Even if there are no blobs in source, I feel like a program flow that one does not understand (especially the abundance of crypto functions with 30-line ifdef chains and various variables with matrices that one might not be familiar with) leaves enough room for something sketchy to be going on eventually. These projects are maintained, but it's hard to say whether the maintainers are playing the long game. I'm not saying that bento4 is sus, it very well seems legitimate, but I can't be sure because of the complexity.

I could have a VM that receives data and then sends back the result, but if the program were malicious, is there anything stopping the program from making the output malicious too? Maybe it's a bit too paranoid, but it seems like in a scenario where bento4/gpac were attempting malicious stuff, they could do something to malform the video into output that triggers when ffmpeg/mpv/vlc plays it. I guess that applies to any file online though, as I don't know how it was created.

For my use case the MP4Box from gpac was enough, as it can do decryption too. The documentation just kinda sucks.

I went to a mailing list archive on Debian when researching gpac, and the consensus was "it's vulnerable, let's drop it", so no patent issues:
https://lists.debian.org/debian-lts/2022/04/msg00018.html
https://tracker.debian.org/pkg/gpac
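As an added example (not code from the post, nor from the GPAC or Bento4 projects), here is one independent check a defender can run on whatever a sandboxed remuxer hands back before a player touches it: a minimal ISOBMFF box walker that rejects a container whose declared box sizes do not fit inside their parent. The container-box list and the sample byte strings are constructed for the demo.

```python
import struct

# Minimal ISOBMFF (MP4) box walker used as an independent structural check on a
# container that came back from an untrusted tool (e.g. a remuxer run in a VM).
# It verifies only layout: every box must fit inside its parent and none may be
# truncated. A file that passes can still be hostile inside codec payloads.
CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"dinf", b"udta"}

def walk_boxes(data, start=0, end=None, depth=0):
    """Yield (depth, type, offset, size); raise ValueError on an inconsistent layout."""
    end = len(data) if end is None else end
    off = start
    while off < end:
        if end - off < 8:
            raise ValueError(f"truncated box header at offset {off}")
        size, btype = struct.unpack(">I4s", data[off:off + 8])
        hdr = 8
        if size == 1:  # 64-bit largesize follows the type field
            if end - off < 16:
                raise ValueError(f"truncated largesize at offset {off}")
            size = struct.unpack(">Q", data[off + 8:off + 16])[0]
            hdr = 16
        elif size == 0:  # box runs to the end of its parent
            size = end - off
        if size < hdr or off + size > end:
            raise ValueError(f"box {btype!r} at offset {off} claims {size} bytes, parent ends at {end}")
        yield depth, btype, off, size
        if btype in CONTAINER_BOXES:  # recurse into known container boxes only
            yield from walk_boxes(data, off + hdr, off + size, depth + 1)
        off += size

def validate_mp4(data):
    """Return [(depth, type_str), ...] for a structurally sane file, else raise ValueError."""
    return [(d, t.decode("ascii", "replace")) for d, t, _, _ in walk_boxes(data)]

def is_well_formed(data):
    try:
        validate_mp4(data)
        return True
    except ValueError:
        return False

def box(btype, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

# Constructed samples: a tiny well-formed file, and one whose inner mvhd box
# claims far more bytes than the enclosing moov box holds.
GOOD = box(b"ftyp", b"isom\x00\x00\x02\x00isom") + box(b"moov", box(b"mvhd", b"\x00" * 100)) + box(b"mdat", b"\x01" * 32)
BAD = box(b"ftyp", b"isom\x00\x00\x02\x00isom") + box(b"moov", struct.pack(">I4s", 4096, b"mvhd") + b"\x00" * 100)
```

Running `is_well_formed` on a remuxer's output inside the same VM gives a cheap, tool-independent gate; it does not replace running the real demuxer under a fuzzing or sandboxed player.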