FFmpeg dealing with a security researcher

(twitter.com)

104 points trollied | 1 comments | 01 Nov 25 20:59 UTC | HN request time: 0s | source

Show context

PaulKeeble ◴[01 Nov 25 21:46 UTC] No.45785696[source]▶

"Just send patches" is I think the main point. Rather than just reporting security bugs these big organisations ought to start seeing the point of open source being that can and should be contributing if they value the project and need this fixed because its a pretty obscure problem generated by AI.

replies(4): >>45785935 #>>45786972 #>>45788047 #>>45789281 #

bawolff ◴[02 Nov 25 05:34 UTC] No.45788047[source]▶

>>45785696 #

I think that is a little entitled. They should be happy google isn't just straight up emailing full-disclisure.

The person who makes the software has the duty to fix the security issues in their own code, nobody else, no matter how big they are.

replies(9): >>45788126 #>>45788148 #>>45788195 #>>45788490 #>>45789829 #>>45791054 #>>45791689 #>>45792479 #>>45792591 #

leoedin ◴[02 Nov 25 07:27 UTC] No.45788490[source]▶

>>45788047 #

> The person who makes the software has the duty to fix the security issues in their own code, nobody else, no matter how big they are.

That’s just clearly untrue for freely available software. So every person that ever published a hobby project on GitHub has a duty to fix security issues in it?

The organisation who ships software to paying customer may have a duty to fix security issues. If they didn’t, it could be seen as negligent, violate regulations or the contract they have with their customers. But there’s no contract with the free software developers. No duty of care from them to end users. Absolutely no duty.

replies(2): >>45792683 #>>45793317 #

1. x0x0 ◴[02 Nov 25 19:20 UTC] No.45792683[source]▶

>>45788490 #

Be careful, the Europeans tried (had the python foundation not pushed back hard, would have) and still would love to require anyone who's ever built a piece of software to perform maintenance for them on demand.

↑