←back to thread

FFmpeg dealing with a security researcher

(twitter.com)
104 points trollied | 5 comments | 01 Nov 25 20:59 UTC | HN request time: 0.346s | source
1. gnfargbl ◴[01 Nov 25 22:47 UTC] No.45786157[source]
FFmpeg seem to be taking the position that their code must be considered insecure in production unless you pay them for security consulting [1].

On the one hand, that's fine; it's their project, and if attack surface is not a priority for them, or they want to monetise that function, then nobody else has a right to complain.

On the other hand, we have plenty of evidence that untrusted input validation bugs pose a very high risk to end users. So, for as long as this is their policy, FFmpeg code really should not be included in any system where security is at all important. Perhaps we need a "fundamentally unsafe for use" sticker for OSS projects taking this stance?

[1] https://x.com/FFmpeg/status/1984425167070630289

replies(2): >>45786204 #>>45786234 #
2. vreg ◴[01 Nov 25 22:54 UTC] No.45786204[source]
All code should be considered potentially vulnerable, that's why we have so many layers of exploit mitigation from the compiler to the runtime environment to the overall design of the system the code is running in.
3. TZubiri ◴[01 Nov 25 22:58 UTC] No.45786234[source]
> unless you pay them

You can't pay for the software

>"FFmpeg is not available under any other licensing terms, especially not proprietary/commercial ones, not even in exchange for payment"

https://www.ffmpeg.org/legal.html

replies(2): >>45786275 #>>45786346 #
4. ◴[01 Nov 25 23:02 UTC] No.45786275[source]
5. gnfargbl ◴[01 Nov 25 23:11 UTC] No.45786346[source]
I edited my post to make the nature of the requested payment clearer.