1125 points CrankyBear | 35 comments
1. profsummergig No.45891496
A bunch of people who make era-defining software for free. A labor of love.

Another bunch of people who make era-defining software where they extract everything they can. From customers, transactionally. From the first bunch, pure extraction (slavery, anyone?).

replies(4): >>45891584, >>45892197, >>45892562, >>45896041
2. ivell No.45891584
Irrespective of what Google does, security research is still useful for all of us.

They could adopt a more flexible policy for FOSS though.

replies(3): >>45891820, >>45892009, >>45892299
3. doctorwho42 No.45891820
Or they could contribute solutions to said bugs? It's not like they would distract that much from their bottom line.
replies(2): >>45892635, >>45892828
4. adastra22 No.45892009
Is it? I’ve gotten nothing but headaches from these automated CVE-seeking teams.
replies(1): >>45892966
5. samdoesnothing No.45892197
It's hard to find an easier good vs evil distinction than between Google and literally anybody else.
replies(3): >>45893260, >>45893382, >>45897458
6. xuhu No.45892299
It's as useful as brute forcing one of your neighbor's 100 online passwords every day and writing it on the door of a random supermarket.
7. dzhiurgis No.45892562
> era-defining software for free

chill, nobody knows what ffmpeg is

replies(1): >>45894560
8. SR2Z No.45892635 {3}
Google is a major contributor to open-source video, to the point where it would not be viable without them.
replies(1): >>45892876
9. degamad No.45892828 {3}
Exactly. The call-out is not "please stop doing security research". It is, "if you have a lot of money to spend on security research, please spend some of it on discovering the bugs, and some on fixing them (or paying us to fix them), instead of all of it on discovering bugs too fast for us to fix them in time".
10. viraptor No.45892966 {3}
You got lower chances of getting hacked by a random file on the internet. At Project Zero level they're also not CVE seeking - it doesn't even matter at that scale, it's not an independent trying to become known.
replies(1): >>45895143
11. criticalfault No.45893260
Microsoft ♥ Linux?
replies(1): >>45893406
12. lern_too_spel No.45893382
Facebook?
replies(1): >>45893497
13. machomaster No.45893406 {3}
Vim vs. Emacs
14. samdoesnothing No.45893497 {3}
Probably a tie!
15. SR2Z No.45893912 {5}
Look, I know you're being snarky, but YES. All of the viable open-source video codecs of the past 10 years would not have happened without Google. Not just for technical reasons, but for expensive patent-related legal reasons too.

Given that ffmpeg is an open-source video transcoding tool, I don't think you can easily just dismiss this as "big company abuses open source."

The ffmpeg devs are volunteers or paid to work on specific parts of the tool. That's why they're unimpressed. What Google is doing here is pretty reasonable.

replies(1): >>45895238
16. tills13 No.45894560
Is this sarcasm? While it may be true that my mother does not know what ffmpeg is, I'm almost positive she interacts with stuff that uses it literally every single day.
replies(1): >>45895141
17. profsummergig No.45895141 {3}
...every media post on IG/FB/X/YT/news sites/AI.
replies(1): >>45898494
18. adastra22 No.45895143 {4}
I have yet to see one on any project I’ve been attached to that was actually exploitable under real circumstances. But the CVE hunting teams treat them all as if they were.
replies(1): >>45895931
19. xgulfie No.45895238 {6}
I don't think ffmpeg is terribly affected by whether a codec is patent-encumbered or not.
replies(1): >>45899203
20. saagarjha No.45895931 {5}
You should honestly consider not responding if you are unaware of Project Zero.
replies(1): >>45896378
21. Aurornis No.45896041
> (slavery, anyone?)

It’s hard to take any comment seriously that tries to use “slavery” for situations where nobody is forced to do anything for anyone.

replies(1): >>45896453
22. adastra22 No.45896378 {6}
TFA is about Project Zero getting uppity about an unexploitable non-issue in ffmpeg.

Project Zero hasn't reported any vulnerabilities in any software I maintain. Lots of other security groups have, some well respected as well, but to my knowledge none of these "outside" reports were actual vulnerabilities when analyzed in context.

replies(1): >>45896507
23. saagarjha No.45896507 {7}
You are welcome to view the report however you like, but a world where an easily reproducible OOB read and UAF in the default configuration is an "unexploitable non-issue" is not reality.
replies(1): >>45897502
24. Aurornis No.45896624 {3}
Anyone comparing normal adulthood stuff to slavery needs to spend some time reading some history books.
replies(2): >>45896924, >>45899748
25. profsummergig No.45896924 {4}
So, no answer?
26. Hammershaft No.45897458
What is happening to hacker news? I'm not a fan of Google but this discourse is so tribal and reductive.
27. adastra22 No.45897502 {8}
For a codec that isn't configured by default, and only used and maintained by a hobbyist video game content preservation group. Yeah, it's a non-issue.
replies(2): >>45898406, >>45898464
28. hennell No.45897769 {3}
Not how the terms slavery and taxation are usually defined, no.

If you choose to reduce them to such a level that you ignore all their differences and focus on some carefully termed similarities, you could make the case they're the same for that specific definition, I suppose.

29. lm28469 No.45898216 {3}
No, we can't use such strong words here; theft is more appropriate.
30. saagarjha No.45898406 {9}
It's used by exploit authors, too.
31. Dylan16807 No.45898464 {9}
> a codec that isn't configured by default

Where did you get that idea?

32. dzhiurgis No.45898494 {4}
So does a Siemens transformer, but it's era defining.

Why is there such a weird toxic empathy around ffmpeg?

replies(1): >>45899114
33. Orygin No.45899114 {5}
Why do you shit on it? This software is literally holding the near entirety of video transcoding *worldwide* on its shoulders.
34. SR2Z No.45899203 {7}
It would certainly be a less useful tool if all the videos it produced got you legal threats every time you tried to share them :)
35. raincole No.45899748 {4}
Anyone who actually read some history books would know slavery was considered "normal stuff" until it wasn't.