FFmpeg to Google: Fund us or stop sending bugs

Not too fond of maintainers getting too uppity about this stuff. I get that it can be frustrating to receive bug report after bug report from people who are unwilling or unable to contribute to the code base, or at the very least to donate to the team.

But the way I see it, a bug report is a bug report, no matter how small or big the bug or the team, it should be addressed.

I don’t know, I’m not exactly a pillar of the FOSS community with weight behind my words.

> it can be frustrating to receive bug report after bug report from people

As the article states, these are AI-generated bug reports. So it's a trillion-dollar company throwing AI slop over the wall and demanding a 90-day turn around from unpaid volunteers.

It’s not bug reports. It’s CVE.

There is a convergence of very annoying trends happening: more and more are garbage found and written using AI and with an impact which is questionable at best, the way CVE are published and classified is idiotic and platform founding vulnerability research like Google are more and more hostile to projects leaving very little time to actually work on fixes before publishing.

This is leading to more and more open source developers throwing the towel.

Do you have evidence of ai slop, or are you just spreading fud? The linked bug was acknowledged as real.

That is completely irrelevant, the gross part is that (if true) they are demanding them to be fixed in a given time. Sounds like the epitome of entitlement to me, to say the least.

CVEs aren't caused by bugs?

When you already work 40+ hours a week and big companies suddenly start an AI snowblower that shoots a dozen extra hours of work every week at you without doing anything to balance that (like, for instance, also opening PRs with patches that fix the bugs), the relationship starts feeling like being an unpaid employee of their project.

What's the point of just showering these things with bug reports when the same tool (or a similar one) can also apparently fix the problem too?

No one is demanding anything, the report itself is a 90 day grace period before being publicly published. If the issues are slop then what exactly is your complaint?

google literally tells them it's an ai generated report

That is not the definition of slop.

The lowered lead times are because devs have an entitled additude that others fix their code when they discover bugs in it.

The 90 day period is the grace period for the dev, not a demand. If they don't want to fix it then it goes public.

It is super strange to say that who devoted their time and effort and then gives away their work for free is somehow entitled.

If this keeps up, there won't be anyone willing to maintain the software due to burn out.

In today's situation, free software is keeping many companies honest. Losing that kind of leverage would be a loss to the society overall.

And the public disclosure is going to hurt the users which could include defense, banks and other critical institutions.

if it's unwanted then it is

and the ffmpeg maintainers say it's not wanted

so it's slop

You could argue that, but I think that a bug is the software failing to do what it was specified, or what it promised to do. If security wasn't promised, it's not a bug.

> The lowered lead times are because devs have an entitled additude that others fix their code when they discover bugs in it.

That’s how open source works.

Which is exactly the case here. This CVE is for a hobby codec written to support digital preservation of a some obscure video files from the 90’s that are used nowhere else. No security was promised.

They are not published in project bug trackers and are managed completely differently so no, personally, I don't view CVE as bug reports. Also, please, don't distrort what I say and omit part of my comment, thank you.

Some of them are not even bugs in the traditional sense of the world but expected behaviours which can lead to unsecure side effects.

It’s a reproducible use-after-free in a codec that ships by default with most desktop and server distributions. It can be leveraged in an exploit chain to compromise a system.

I'm not a Google fan, but if the maintainers are unable to understand that, I welcome a fork.

It seems like you might misunderstand what CVEs are? They're just identifiers.

This was a bug, which caused an exploitable security vulnerability. The bug was reported to ffmpeg, over their preferred method for being notified about vulnerabilities in the software they maintain. Once ffmpeg fixed the bug, a CVE number was issued for the purpose of tracking (e.g. which versions are vulnerable, which were never vulnerable, which have a fix).

Having a CVE identifier is important because we can't just talk about "the ffmpeg vulnerability" when there have been a dozen this year, each with different attack surfaces. But it really is just an arbitrary number, while the bug is the actual problem.

I'm not misunderstanding anything. CVE involves a third party and it's not just a number. It's a number and an evaluation of severity.

Things which are usually managed inside a project now have a visibility outside of it. You might justify it as you want like the need to have an identifier. It doesn't fundamentally change how that impacts the dynamic.

Also, the discussion is not about a specific bug. It's a general discussion regarding how Google handles disclosure in the general case.

The problem with security reports in general is security people are rampant self-promoters. (Linus once called them something worse.)

Imagine you're a humble volunteer OSS developer. If a security researcher finds a bug in your code they're going to make up a cute name for it, start a website with a logo, Google is going to give them a million dollar bounty, they're going to go to Defcon and get a prize and I assume go to some kind of secret security people orgy where everyone is dressed like they're in The Matrix.

Nobody is going to do any of this for you when you fix it.

Except that the only people publicizing this bug were the people running the ffmpeg Twitter account. Without them it would have been one of thousands of vulnerabilities reported with no fanfare, no logos, and no conference talks.

Doesn't really fit with your narrative of security researchers as shameless glory hounds, does it?

How do they know that next week it's not going to be one of those 10 page Project Zero blog posts? (Which like all Google engineer blog posts, usually end up mostly being about how smart the person who wrote the blog post is.)

Note FFmpeg and cURL have already had maintainers quit from burnout from too much attention from security researchers.

Not always, there have been a plenty of CVEs issued for completely absurd reasons.

> Not too fond of maintainers getting too uppity about this stuff.

I suppose you'd prefer they abandon their projects entirely? Because that's the real alternative at this point.