
104 points by trollied | 2 comments
cebert No.45785659
It looks like the FFmpeg account on X is calling out Google for using AI to mass-report CVEs in obscure volunteer maintained codecs, then expecting unpaid maintainers to rush fixes. Large, profitable firms rely on FFmpeg everywhere, but don’t seem to be contributing much to the project.
joatmon-snoo No.45786260
No, this is the unfortunate reality of “ffmpeg is maintained by volunteers” and “CVE discovered on specific untrusted input”.

Google’s AI system is no different than the oss-fuzz project of yesteryear: it ensures that the underlying bug is concretely reproducible before filing the bug. The 90-day disclosure window is standard disclosure policy and applies equally to hobby projects and Google Chrome.

haskellshill No.45786310
Yeah, it's actually a great bug report. Reproducible and guaranteed to be an actual problem (regardless of how small the problem is considered by the devs). Just seems irresponsible to encourage people not to file bug reports if it's "insignificant". Why even accept reports then?
hdgvhicv No.45788738
“This is broken, here’s how I fixed it”

Vs “this is broken, you have 90 days to fix it”

If you can’t see the difference you’re the existential threat to Free software that stems from the trillion dollar industries that just take.

haskellshill No.45789804
> you have 90 days to fix it

Or else what? They release the report? That's standard and ffmpeg is open source anyway, anybody can find the bug on their own. There's no threat here.

If you're mad about companies using your software, then don't release it with a license allowing them to use it. Simple as that. I don't understand how people can complain about companies doing exactly what you allowed them to do.