104 points trollied | 2 comments
GaryBluto No.45785725
Rather unprofessional for an official project twitter account to complain about "slop"

> We take security very seriously but at the same time is it really fair that trillion dollar corporations run AI to find security issues on people's hobby code? Then expect volunteers to fix.

Yes. If a vulnerability exists, it's wise to report it. You don't need to fix it immediately (nobody has got a gun to your head) but just because it isn't likely to be exploited doesn't mean it isn't there. While it'd be nice if Google contributed, if I had to choose between Google doing this and doing nothing, I'd choose this.

> Is it really the job of a volunteer working on hobby 1990s codec to care about Google's security issues? Or anyone's?

It isn't "Google's security issues", it's an FFmpeg security issue. The tone from this account is incredibly childish.

This exchange was what shocked me the most:

Person 1:

> If someone sends me cutekitten.mp4, but it is actually not an mp4 file, but a smush file using an obscure 1990s hobby codec, could the bug be exploited if I just run ffplay cutekitten.mp4?

FFmpeg:

> Is it the job of volunteers working on game codecs in their free time as a hobby to fix Google's AI generated bug reports?

Completely dodging the question.

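The question quoted in that post, whether a file named .mp4 that actually holds something else reaches the obscure demuxer, turns on the fact that FFmpeg selects a demuxer by probing the file's content rather than trusting its extension (a known property of libavformat, not something the thread itself states). The check below is an added example, not code from the thread or from FFmpeg: it reads the leading bytes of a file and reports when the container claimed by the extension disagrees with what the bytes describe, which is the kind of pre-screening a defender would run before handing untrusted media to a decoder. The signature table and the cutekitten.mp4 sample bytes are constructed and deliberately incomplete.

```python
"""Flag media files whose extension does not match the container their bytes
actually describe.

Added example, not code from the thread or from FFmpeg. The signature table is a
constructed, deliberately small subset; the 'cutekitten.mp4' sample below is a
fabricated byte string, not a real SMUSH or MP4 file.
"""
import os
import struct
import sys
import tempfile

# Constructed table of (offset, magic bytes, container label). Not exhaustive.
SIGNATURES = [
    (0, b"\x1a\x45\xdf\xa3", "matroska"),  # EBML header used by MKV/WebM
    (0, b"RIFF", "riff"),                  # AVI and WAV share the RIFF wrapper
    (0, b"FLV\x01", "flv"),
    (0, b"OggS", "ogg"),
]

# What each extension claims to be, in the same label vocabulary as SIGNATURES.
EXTENSION_TO_CONTAINER = {
    ".mp4": "isobmff", ".m4v": "isobmff", ".mov": "isobmff",
    ".mkv": "matroska", ".webm": "matroska",
    ".avi": "riff", ".wav": "riff",
    ".flv": "flv", ".ogg": "ogg",
}


def detect_container(data: bytes) -> str:
    """Return the container label implied by the leading bytes, or 'unknown'."""
    # ISO BMFF (MP4/MOV/M4V): the first box is 'ftyp', with a 32-bit big-endian
    # size at offset 0 and the type at offset 4; a size under 8 cannot be a box.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        (size,) = struct.unpack(">I", data[:4])
        if size >= 8:
            return "isobmff"
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare what the extension claims against what the bytes say."""
    ext = os.path.splitext(filename)[1].lower()
    declared = EXTENSION_TO_CONTAINER.get(ext, "unknown")
    detected = detect_container(data)
    return {
        "filename": filename,
        "declared": declared,
        "detected": detected,
        # A mismatch means a decoder that probes by content will not use the
        # demuxer the name suggests; treat the file as untrusted input.
        "mismatch": declared != detected,
    }


def check_file(path: str, probe_size: int = 64) -> dict:
    """Read only the leading PROBE_SIZE bytes; that is all the check needs."""
    with open(path, "rb") as fh:
        head = fh.read(probe_size)
    return classify(os.path.basename(path), head)


if __name__ == "__main__":
    # Constructed sample: a file named like an MP4 whose bytes are something
    # else entirely (a stand-in for the 'smush file' from the thread).
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cutekitten.mp4")
        with open(path, "wb") as fh:
            fh.write(b"NOT-AN-MP4" + b"\x00" * 54)
        result = check_file(path)
        print(result)  # mismatch is True: declared isobmff, detected unknown
        sys.exit(1 if result["mismatch"] else 0)
```

A mismatch does not by itself mean a file is malicious, but it does mean the name carries no information about which parser will end up handling it; an extension allowlist therefore cannot stand in for restricting which demuxers and decoders are compiled in or enabled on the receiving side.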
Klonoar No.45786128
I feel like you’re misunderstanding their point.

It’s not that the vulnerability was found and reported, it’s that a trillion plus dollar organization that no doubt actively uses ffmpeg in a litany of spaces is punting the important work of fixing it to volunteers.

This is the same issue that we’re seeing over with XSLT in Chrome: they’re happy when they’re making money off the back of these projects but balk when it comes down to supporting them.

(Yes, everyone is aware Google contributes to open source. They’re still one of the most valuable companies to ever exist, there is almost no excuse for them getting away with this trade off)

haskellshill No.45786370
Google found a vulnerability and reported it for free. Why do they need to do anything more? Give an inch and ffmpeg's twitter guy requests a mile. If you don't want people to use your software to make money, release it with a license that prohibits that.
Klonoar No.45788357
> If you don't want people to use your software to make money, release it with a license that prohibits that.

Or, y'know, the project could balk at a trillion dollar company expecting them to do free work.

Cuts both ways.

Rebelgecko No.45796092
What expectation? Giving someone a heads up about a bug isn't a demand to fix it