
104 points trollied | 1 comment
PaulKeeble No.45785696
"Just send patches" is, I think, the main point. Rather than just reporting security bugs, these big organisations ought to start seeing the point of open source: that they can and should be contributing if they value the project and need this fixed, because it's a pretty obscure problem generated by AI.
replies(4): >>45785935 #>>45786972 #>>45788047 #>>45789281 #
bawolff No.45788047
I think that is a little entitled. They should be happy Google isn't just straight up emailing full-disclosure.

The person who makes the software has the duty to fix the security issues in their own code, nobody else, no matter how big they are.

replies(9): >>45788126 #>>45788148 #>>45788195 #>>45788490 #>>45789829 #>>45791054 #>>45791689 #>>45792479 #>>45792591 #
1. godelski No.45792591
Doesn't Chrome use libavcodec?

I'm somewhat with you but we're also talking about a $3.4T company that's depending on an OSS project with what... under a $1m budget? It seems they're pretty resource constrained.

I'm pretty sure Google makes more through Chrome's usage of libav than ffmpeg's entire budget. So yeah, I think Google should put effort back in and I think it's in their best interest.

Trillion-dollar companies standing on top of open source projects and giving little to nothing back is not okay. It's also just stupid, since they're eating their own foundations.