Most active commenters
  • bigiain(7)
  • tpmoney(5)
  • Wowfunhappy(5)
  • (5)
  • nradov(4)
  • deaddodo(4)
  • astrange(4)
  • WesolyKubeczek(4)
  • cornonthecobra(3)
  • walletdrainer(3)

←back to thread

FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)
1124 points CrankyBear | 201 comments | 11 Nov 25 18:32 UTC | HN request time: 0.867s | source | bottom
1. phkahler ◴[11 Nov 25 19:41 UTC] No.45891830[source]
From TFA this was telling:

Thus, as Mark Atwood, an open source policy expert, pointed out on Twitter, he had to keep telling Amazon to not do things that would mess up FFmpeg because, he had to keep explaining to his bosses that “They are not a vendor, there is no NDA, we have no leverage, your VP has refused to help fund them, and they could kill three major product lines tomorrow with an email. So, stop, and listen to me … ”

I agree with the headline here. If Google can pay someone to find bugs, they can pay someone to fix them. How many time have managers said "Don't come to me with problems, come with solutions"

replies(8): >>45891966 #>>45891973 #>>45893060 #>>45893320 #>>45896629 #>>45898338 #>>45902990 #>>45906281 #
2. skrebbel ◴[11 Nov 25 19:52 UTC] No.45891966[source]
How could ffmpeg maintainers kill three major AWS product lines with an email?
replies(5): >>45891984 #>>45892034 #>>45892354 #>>45895260 #>>45899217 #
3. zxspectrum1982 ◴[11 Nov 25 19:53 UTC] No.45891973[source]
Google is not paying anyone to find bugs. They are running AIs indiscriminately.
replies(7): >>45892052 #>>45892117 #>>45892121 #>>45892277 #>>45892330 #>>45895657 #>>45898332 #
4. zxspectrum1982 ◴[11 Nov 25 19:54 UTC] No.45891984[source]
Easy: ffmpeg discontinues or relicenses some ffmpeg functionality that AWS depends on for those product alines and AWS is screwed. I've seen that happen in other open source projects.
replies(3): >>45892090 #>>45892103 #>>45894363 #
5. mschuster91 ◴[11 Nov 25 19:58 UTC] No.45892034[source]
I'd guess Prime Video heavily relies on ffmpeg, then you got Elastic Transcode and the Elemental Video Services. Probably Cloudfront also has special things for streaming that rely on ffmpeg.

The "kill it with an email" probably means that whoever said this is afraid that some usecase there wouldn't stand up to an audit by the usual patent troll mothercluckers. The patents surrounding video are so complex, old and plentiful that I'd assume full compliance is outright impossible.

replies(1): >>45892300 #
6. rescbr ◴[11 Nov 25 20:00 UTC] No.45892052[source]
Still, they are paying for the computing resources needed to run the AI/agents etc.
replies(1): >>45892288 #
7. portaouflop ◴[11 Nov 25 20:03 UTC] No.45892090{3}[source]
Wouldn’t that only affect new versions and current versions are still licensed under the old license ?
8. NewsaHackO ◴[11 Nov 25 20:04 UTC] No.45892103{3}[source]
But if it gets relicensed, they would still be able to use the current version. Amazon definitely would be able to fund an independent fork.
replies(6): >>45892164 #>>45892171 #>>45892460 #>>45894578 #>>45894811 #>>45900051 #
9. dtech ◴[11 Nov 25 20:05 UTC] No.45892117[source]
Someone is making the tools to find these bugs. It's not like they're telling ChatGPT "go find bugs lol"
replies(1): >>45894764 #
10. pimlottc ◴[11 Nov 25 20:06 UTC] No.45892121[source]
Someone started it running, they are responsible for the results.
11. wewtyflakes ◴[11 Nov 25 20:09 UTC] No.45892164{4}[source]
Sounds like it would be a lot of churn for nothing; if they can fund a fork, then they could fund the original project, no?
replies(5): >>45892193 #>>45892545 #>>45894433 #>>45895761 #>>45901951 #
12. schainks ◴[11 Nov 25 20:10 UTC] No.45892171{4}[source]
It still takes expensive humans to do this so they are incentivized to use the free labor.
replies(1): >>45892838 #
13. arrowleaf ◴[11 Nov 25 20:11 UTC] No.45892193{5}[source]
If they can fund a fork, they can continue business as usual until the need arises
replies(1): >>45892544 #
14. rsanek ◴[11 Nov 25 20:18 UTC] No.45892277[source]
https://en.wikipedia.org/wiki/Project_Zero
15. noir_lord ◴[11 Nov 25 20:19 UTC] No.45892300{3}[source]
AWS MediaConvert as well which is a huge API (in surface it covers) which is under Elemental but is kinda it's own thing - willing to bet (though I don't know) that that is ffmpeg somewhere underneath.

The API manual for it is nearly 4000 pages and it can do insane stuff[1].

I had to use it at last job(TM), it's not terrible API wise.

[1] https://docs.aws.amazon.com/pdfs/mediaconvert/latest/apirefe... CAUTION: big PDF.

replies(1): >>45896263 #
16. nimih ◴[11 Nov 25 20:23 UTC] No.45892330[source]
They certainly paid someone to run the so-called AIs.
17. joshkel ◴[11 Nov 25 20:24 UTC] No.45892354[source]
In a follow-up tweet, Mark Atwood eloborates: "Amazon was very carefully complying with the licenses on FFmpeg. One of my jobs there was to make sure the company was doing so. Continuing to make sure the company was was often the reason I was having a meeting like that inside the company."

I interpret this as meaning there was an implied "if you screw this up" at the end of "they could kill three major product lines with an email."

replies(2): >>45893532 #>>45898904 #
18. ◴[11 Nov 25 20:33 UTC] No.45892460{4}[source]
19. zrm ◴[11 Nov 25 20:42 UTC] No.45892544{6}[source]
A fork is more expensive to maintain than funding/contributing to the original project. You have to duplicate all future work yourselves, third party code starts expecting their version instead of your version, etc.
replies(1): >>45898966 #
20. cortesoft ◴[11 Nov 25 20:42 UTC] No.45892545{5}[source]
They COULD, but history has shown they would rather start and maintain their own fork.

It might not make sense morally, but it makes total sense from a business perspective… if they are going to pay for the development, they are going to want to maintain control.

replies(2): >>45892610 #>>45895069 #
21. edoceo ◴[11 Nov 25 20:48 UTC] No.45892610{6}[source]
If they want that level of control, reimburse for all the prior development too. - ie: buy that business.

As it stands, they're just abusing someone's gift.

Like jerks.

replies(2): >>45893243 #>>45894018 #
22. NewsaHackO ◴[11 Nov 25 21:05 UTC] No.45892838{5}[source]
Yes, definitely. I was just saying that if the license ever did change, they would move to an in-house library. In fact, they would probably release the library for consumer use as an AWS product.
23. dvfjsdhgfv ◴[11 Nov 25 21:22 UTC] No.45893060[source]
> "Don't come to me with problems, come with solutions"

The problem is, the issue in the article is explicitly named as "CVE slop", so if the patch is of the same quality, it might require quite some work anyway.

replies(1): >>45893094 #
24. jeffbee ◴[11 Nov 25 21:25 UTC] No.45893094[source]
The linked report seems to me to be the furthest thing from "slop". It is an S-tier bug report that includes a complete narrative, crash artifacts, and detailed repro instructions. I can't believe anyone is complaining about what is tied for the best bug report I have ever seen. https://issuetracker.google.com/issues/440183164?pli=1
replies(1): >>45893528 #
25. rolandog ◴[11 Nov 25 21:39 UTC] No.45893243{7}[source]
There should be a "if you use this product in a for-profit environment, and you have a yearly revenue of $500,000,000,000+ ... you can afford to pay X * 100,000/yr" license.
replies(2): >>45893342 #>>45893707 #
26. skhameneh ◴[11 Nov 25 21:46 UTC] No.45893320[source]
I've been a proponent of upstreaming fixes for open source software.

Why? - It makes continued downstream consumption easier, you don't have to rely on fragile secret patches. - It gives back to projects that helped you to begin with, it's a simple form of paying it forward. - It all around seems like the "ethical" and "correct" thing to do.

Unfortunately, in my experience, there's often a lot of barriers within companies to upstream. Reasons can be everything from compliance, processes, you name it... It's unfortunate.

I have a very distinct recollection of talks about hardware aspirations and upstreaming software fixes at a large company. The cultural response was jarring.

replies(10): >>45894455 #>>45894472 #>>45894483 #>>45894572 #>>45895043 #>>45896339 #>>45896674 #>>45897121 #>>45901635 #>>45902318 #
27. renewiltord ◴[11 Nov 25 21:48 UTC] No.45893342{8}[source]
That's the Llama license and yeah, a lot of people prefer this approach, but many don't consider it open source. I don't either.

In fact, we are probably just really lucky that some early programmers were kooky believers in the free software philosophy. Thank God for them. So much of what I do owes to the resulting ecosystem that was built back then.

replies(1): >>45896236 #
28. michaelt ◴[11 Nov 25 22:05 UTC] No.45893528{3}[source]
It's a good quality bug report.

But it's also a bug report about the decoder for "SANM ANIM v0" - a format so obscure almost all the search results are the bug report itself. Possibly a format exclusive to mid-1990s LucasArts games [1]

Pretty crazy that ffmpeg supports the codec in the first place, IMHO.

I can understand volunteers not wanting to sink time into maintaining a codec to play a video format that hasn't been used since the Clinton administration. gstreamer divides their plugins into 'good', 'bad' and 'ugly' to give them somewhere to stash unmaintained codecs.

[1] https://web.archive.org/web/20250419105551/https://wiki.mult...

replies(5): >>45893611 #>>45893616 #>>45895592 #>>45895955 #>>45896300 #
29. phkahler ◴[11 Nov 25 22:05 UTC] No.45893532{3}[source]
Are you interpreting that as "if we violate the license, they can revoke our right to use the software" ?? And they use it in 3 products so that would be really bad. That would make sense to have a compliance person.
replies(2): >>45895534 #>>45900369 #
30. jsnell ◴[11 Nov 25 22:14 UTC] No.45893611{4}[source]
It's a codec that is enabled by default at least on major Linux distributions, and that will be processed by ffmpeg without any extra flags. Anyone playing an untrusted video file without explictly overriding the codec autodetection is vulnerable.

The format being obscure and having no real usage doesn't help when it's the attackers creating the files. The obscure formats are exposing just as much attack surface as the common ones.

> Pretty crazy that ffmpeg supports the codec in the first place, IMHO.

Yes.

replies(3): >>45894446 #>>45894851 #>>45895412 #
31. jeffbee ◴[11 Nov 25 22:14 UTC] No.45893616{4}[source]
Yeah but as you can see from the bug report ffmpeg automatically triggers the codec based on file magic, so it is possible that if you run some kind of network service or anything that handles hostile data an attacker could trigger the bug.
replies(1): >>45895995 #
32. zrm ◴[11 Nov 25 22:23 UTC] No.45893707{8}[source]
There is also the AGPL.
33. LexiMax ◴[11 Nov 25 22:54 UTC] No.45894018{7}[source]
I always like to point out that "Open Source" was a deliberate watering-down of the moralizing messaging of Free Software to try and sell businesses on the benefits of developing software in the open.

> We realized it was time to dump the confrontational attitude that has been associated with "free software" in the past and sell the idea strictly on the same pragmatic, business-case grounds that motivated Netscape.

https://web.archive.org/web/20021001164015/http://www.openso...

replies(1): >>45896787 #
34. astrange ◴[11 Nov 25 23:30 UTC] No.45894363{3}[source]
ffmpeg cannot relicense anything because it doesn't own anything. The contributors own the license to their code.
replies(3): >>45894596 #>>45894733 #>>45897289 #
35. 6510 ◴[11 Nov 25 23:40 UTC] No.45894433{5}[source]
With a bit of needless work the fixes could be copied and they would still end up funding them.
36. Wowfunhappy ◴[11 Nov 25 23:42 UTC] No.45894446{5}[source]
Ffmpeg makes it trivial to enable and disable individual codecs at compile time. Perhaps it's the Linux distros that need to make a change here?
replies(2): >>45894741 #>>45894862 #
37. wmf ◴[11 Nov 25 23:44 UTC] No.45894455[source]
It would probably be easier for these companies to pay Collabora or Igalia.
38. Astronaut3315 ◴[11 Nov 25 23:46 UTC] No.45894472[source]
I upstreamed a 1-line fix, plus tests, at my previous company. I had to go through a multi-month process of red tape and legal reviews to make it happen. That was a discouraging experience to say the least.
replies(4): >>45894676 #>>45895604 #>>45899267 #>>45902666 #
39. fao_ ◴[11 Nov 25 23:47 UTC] No.45894483[source]
As yet, Valve is the only company I know of doing this, and it's paying off in dividends both for Linux and for Valve. In just 5ish years of Valve investing people and money into Linux- specifically mesa and WINE, Linux has gone from a product that is kind of shaky with Windows, to "I can throw a windows program or game at it and it usually works". Imagine how further the OSS ecosystem would be if Open Source hadn't existed, only FOSS; and companies were legally obligated to either publish source code or otherwise invest in the ecosystem.
replies(7): >>45895190 #>>45895524 #>>45895902 #>>45896743 #>>45897191 #>>45900101 #>>45900153 #
40. jchw ◴[11 Nov 25 23:58 UTC] No.45894572[source]
Maybe I've just gotten lucky, but at companies I've worked for I've usually gotten the go-ahead to contribute upstream on open source projects so as long as it's something important for what we are working on. The only reason I didn't do a whole lot as part of my work at Google is because most of the open source projects I contributed to at Google were Google projects that I could contribute to from the google3 side, and that doesn't count.
41. deaddodo ◴[11 Nov 25 23:58 UTC] No.45894578{4}[source]
And then the argument for refusing to just pay ffmpeg developers gets even more flimsy.

The entire point here is to pay for the fixes/features you keep demanding, else the project is just going to do as it desires and ignore you.

More and more OSS projects are getting to this point as large enterprises (especially in the SaaS/PaaS spheres) continue to take advantage of those projects and treat them like unpaid workers.

replies(2): >>45895750 #>>45898949 #
42. deaddodo ◴[12 Nov 25 00:00 UTC] No.45894596{4}[source]
I don’t know about ffmpeg, but plenty of OSS projects have outlined rules for who/when a project-wide/administrative decision can be made. It’s usually outlined in a CONTRIB or similar file.
replies(1): >>45894931 #
43. toast0 ◴[12 Nov 25 00:09 UTC] No.45894676{3}[source]
My favorite is when while you were working through all that, the upstream decided they need a CLA. And then you have to go through another round of checking to see if your company thinks it's ok for you to agree to sign that for a 1 line change.

Certainly easier to give a good bug report and let upstream write the change, if they will.

44. colonwqbang ◴[12 Nov 25 00:15 UTC] No.45894733{4}[source]
Relicensing isn't necessary. If you violate the GPL with respect to a work you automatically lose your license to that work.

It's enough if one or two main contributors assert their copyrights. Their contributions are so tangled with everything else after years of development that it can't meaningfully be separated away.

replies(2): >>45895919 #>>45896791 #
45. dotancohen ◴[12 Nov 25 00:16 UTC] No.45894741{6}[source]
Every change breaks somebody's workflow.
replies(1): >>45897721 #
46. foobarchu ◴[12 Nov 25 00:18 UTC] No.45894764{3}[source]
And running those models on large codebases like these isnt anywhere close to free either.
47. 8note ◴[12 Nov 25 00:25 UTC] No.45894811{4}[source]
something more dangerous would be "amazon is already breaking the license, but the maintainers for now havent put in the work to stop the infringement"
48. bigstrat2003 ◴[12 Nov 25 00:28 UTC] No.45894851{5}[source]
Sure, it's a valid bug report. But I don't understand why there has been so much drama over this when all the ffmpeg folks have to do is say "sorry, this isn't a priority for us so we'll get to it as soon as we can" and put the issue in the backlog as a low priority. If Google wants the issue fixed faster, they can submit a fix. If they don't care enough to do that, they can wait. No big deal either way. Instead, ffmpeg is getting into a public tiff with them over what seems to be a very easily handled issue.
replies(2): >>45895522 #>>45895584 #
49. tpmoney ◴[12 Nov 25 00:30 UTC] No.45894862{6}[source]
I get that the ffmpeg people have limited time and resources, I get that it would be nice if Google (or literally anyone else) patched this themselves and submitted that upstream. But "everyone else down stream of us should compile out our security hole" is a terrible way to go about things. If this is so obscure of a bug that there's no real risk, then there's no need for anyone to worry that the bug has been reported and will be publicized. On the other hand, if it's so dangerous that everyone should be rebuilding ffmpeg from source and compiling it out, then it really needs to be fixed in the up stream.

Edit: And also, how is anyone supposed to know they should compile the codec our unless someone makes a bug report and makes it public in the first place?

replies(2): >>45896368 #>>45900831 #
50. astrange ◴[12 Nov 25 00:37 UTC] No.45894931{5}[source]
Doubtful that's enough for a copyright grant. You'd need a signed CLA.
replies(1): >>45896581 #
51. cornonthecobra ◴[12 Nov 25 00:49 UTC] No.45895043[source]
I've literally had my employer's attorneys tell me I can't upstream patches because it would put my employer's name on the project, and they don't want the liability.

No, it didn't help giving them copies of licenses that have the usual liability clauses.

It seems a lot of corporate lawyers fundamentally misunderstand open source.

replies(5): >>45895275 #>>45895290 #>>45896892 #>>45898347 #>>45899056 #
52. pstuart ◴[12 Nov 25 00:52 UTC] No.45895069{6}[source]
Do they want control or do they really want something that works that they don't have to worry about?

The only reason for needing control would be if it was part of their secret sauce and at that point they can fork it and fuck off.

These companies should be heavily shamed for leaching off the goodwill of the OSS community.

53. ajross ◴[12 Nov 25 01:06 UTC] No.45895190{3}[source]
> Valve is the only company I know of [upstreaming fixes for open source software]

Sorry, that's ridiculous. Basically every major free software dependency of every major platform or application is maintained by people on the payroll of one or another tech giant (edit: or an entity like LF or Linaro funded by the giants, or in a smaller handful of cases a foundation like the FSF with reasonably deep industry funding). Some are better than others, sure. Most should probably be doing more. FFMpeg in particular is a project that hasn't had a lot of love from platform vendors (most of whom really don't care about software codecs or legacy formats anymore), and that's surely a sore point.

But to pretend that SteamOS is the only project working with upstreams is just laughable.

replies(2): >>45895607 #>>45895746 #
54. DragonStrength ◴[12 Nov 25 01:14 UTC] No.45895260[source]
Open up an Amazon media app and navigate around enough, and you'll encounter a page with all their "Third Party Software Licenses."

For instance, here's one for the Amazon Music apps, which includes an FFMpeg license: https://www.amazon.com/gp/help/customer/display.html?nodeId=...

replies(2): >>45897430 #>>45897526 #
55. nradov ◴[12 Nov 25 01:17 UTC] No.45895275{3}[source]
Corporate counsel will usually say no to anything unusual because there's no personal upside for them to say yes. If you escalate over their heads with a clear business case then you can often get a senior executive to overrule the attorneys and maybe even change the company policy going forward. But this is a huge amount of extra unpaid work, and potentially politically risky if you don't have a sold management chain.
56. idiotsecant ◴[12 Nov 25 01:19 UTC] No.45895290{3}[source]
Sounds like your employers attorneys need to be brought to heel by management. Like most things, this is a problem of management not understanding that details matter.
57. renhanxue ◴[12 Nov 25 01:38 UTC] No.45895412{5}[source]
There are dozens if not hundreds of issues just like this one in ffmpeg, except for codecs that are infinitely more common. Google has been running all sorts of fuzzers against ffmpeg for over a decade at this point and it just never ends. It's a 20 year old C project maintained by poorly funded volunteers that mostly gives every media file ever the be-liberal-in-what-you-accept treatment, because people complain if it doesn't decode some bizarrely non-standard MPEG4 variant recorded with some Chinese plastic toy from 2008. Of course it has all of the out-of-bounds bugs. I poked around on the issue tracker for like 5 minutes and found several "high impact" issues similar to the one in TFA just from the last two or three months, including at least one that hasn't passed the 90 day disclosure window yet.

Nobody who takes security even remotely seriously should decode untrusted media files outside of a sandboxed environment. Modern media formats are in themselves so complex one starts wondering if they're actually Turing complete, and in ffmpeg the attack surface is effectively infinitely large.

The issue is CVE slop because it just doesn't matter if you consider the big picture.

Some example issues to illustrate my point:

https://issuetracker.google.com/issues/436511754 https://issuetracker.google.com/issues/445394503 https://issuetracker.google.com/issues/436510316 https://issuetracker.google.com/issues/433502298

replies(3): >>45895567 #>>45896399 #>>45901926 #
58. iscoelho ◴[12 Nov 25 01:57 UTC] No.45895522{6}[source]
FFMPEG is upset because Google made the exploit public. They preferred that it remained a zero-day until they decided it was a priority.

I don't understand how anyone believes that behavior is acceptable.

replies(2): >>45895849 #>>45896321 #
59. zaphirplane ◴[12 Nov 25 01:57 UTC] No.45895524{3}[source]
Credit to wine and cross over (?)for years and years of work as well
60. zinekeller ◴[12 Nov 25 01:58 UTC] No.45895534{4}[source]
Possibly Twitch, Amazon Prime Video, and another one that escapes my mind (AWS-related?).
replies(3): >>45895665 #>>45896147 #>>45897325 #
61. jsnell ◴[12 Nov 25 02:02 UTC] No.45895567{6}[source]
I don't get why you think linking to multiple legitimate and high quality bug reports with detailed analysis and precise reproduction instructions demonstrates "slop". It is the opposite.

This is software that is directly or indirectly run by millions of people on untrusted media files without sandboxing. It's not even that they don't care about security, it's that they're unaware that they should care. It should go without saying that they don't deserve to be hacked just because of that. Big companies doing tons of engineering work to add defense in depth for use cases on their own infrastructure (via sandboxing or disabling obsolete codecs) doesn't help those users. Finding and fixing the vulnerabilities does.

replies(1): >>45895644 #
62. guiambros ◴[12 Nov 25 02:05 UTC] No.45895584{6}[source]
Yes, you're very right. They could simply have killed a codec that no one uses anymore. Or put it behind a compile flag, so if you really want, you can still enable it

But no. Intentionally or not, there was a whole drama created around it [1], with folks being criticized [2] for saying exactly what you said above, because their past (!) employers.

Instead of using the situation to highlight the need for more corporate funding for opensource projects in general, it became a public s**storm, with developers questioning their future contributions to projects. Shameful.

[1] https://news.ycombinator.com/item?id=45806269

[2] https://x.com/FFmpeg/status/1985334445357051931

63. emmelaich ◴[12 Nov 25 02:05 UTC] No.45895592{4}[source]
Best response would be to drop this codec entirely, or have it off by default. At least distros should do that.
replies(1): >>45897267 #
64. jamwil ◴[12 Nov 25 02:07 UTC] No.45895604{3}[source]
In this scenario does your employer have strong controls around what whether you can write hobby code on your own time?
replies(2): >>45895732 #>>45897416 #
65. elcritch ◴[12 Nov 25 02:07 UTC] No.45895607{4}[source]
Sure, but the parent’s comment hits on something perhaps. All the tech giants contribute more haphazardly and for their own internal uses.

Valve does seem somewhat rare position of making a proper Linux distro work well with games. Google’s Chromebooks don’t contribute to the linux ecosystem in the same holistic fashion it seems.

66. renhanxue ◴[12 Nov 25 02:12 UTC] No.45895644{7}[source]
All of these reports are effectively autogenerated by Big Sleep from fuzzing.

Again, Google has been doing this sort of thing for over a decade and has found untold thousands of vulnerabilities like this one. It is not at all clear to me that their doing so has been all that valuable.

replies(2): >>45895765 #>>45898284 #
67. knowitnone3 ◴[12 Nov 25 02:13 UTC] No.45895657[source]
Does it matter? Either it's a valid bug or it's not. Either it's of high importance or it's not.
68. procflora ◴[12 Nov 25 02:15 UTC] No.45895665{5}[source]
AWS for sure (Elemental maybe?), but could also be Ring.
replies(1): >>45896177 #
69. achierius ◴[12 Nov 25 02:27 UTC] No.45895732{4}[source]
Generally yes. Or yes, you could just do it yourself in your free time.
replies(2): >>45896897 #>>45896939 #
70. nick238 ◴[12 Nov 25 02:29 UTC] No.45895746{4}[source]
From my time working at a Fortune 100 company, if I ever mentioned pushing even small patches to libraries we effing used, I'd just be met "try to focus on your tickets". Their OSS library and policies were also super byzantine, seemingly needing review of everything you'd release, but the few times I tried to do it the official way, I just never heard anything back from the black-hole mailing list you were supposed to contact.

Yes, I've also worked on OpenStack components at a university, and there I see Red Hat or IBM employees pushing up loads of changes. I don't know if I've ever seen a Walmart, UnitedHealth, Chase Bank, or Exxon Mobil (to pick some of the largest companies) email address push changes.

replies(3): >>45895962 #>>45896066 #>>45896152 #
71. zdragnar ◴[12 Nov 25 02:29 UTC] No.45895750{5}[source]
Not really. Their whole reason for not funding open source is it essentially funds their competitors who use the same projects. That's why they'd rather build a closed fork in-house than just hand money to ffmpeg.

It's a dumb reason, especially when there are CVE bugs like this one, but that's how executives think.

replies(4): >>45896076 #>>45896101 #>>45896612 #>>45898528 #
72. zdragnar ◴[12 Nov 25 02:31 UTC] No.45895761{5}[source]
Funding ffmpeg also essentially funds their competitors, but a closed fork in-house doesn't. Submitting bugs costs less than both, hence why they still use ffmpeg in the first place.
73. saagarjha ◴[12 Nov 25 02:32 UTC] No.45895765{8}[source]
Google fuzzing open source projects has eliminated a lot of low hanging fruit from being exploited. I am surprised you think that finding these vulnerabilities so they can be fixed has not been valuable.
74. fulafel ◴[12 Nov 25 02:43 UTC] No.45895849{7}[source]
There's no exploit on the bug report at least, unless you consider the crash reproducer one.
replies(1): >>45895984 #
75. rossjudson ◴[12 Nov 25 02:52 UTC] No.45895902{3}[source]
I'm glad you threw in "I know of", because that part is true.

Feel free to read lore.kernel.org, and sort out where the people contributing many patches actually work.

replies(2): >>45896793 #>>45897022 #
76. pabs3 ◴[12 Nov 25 02:55 UTC] No.45895919{5}[source]
In addition, there is the potential for software users to sue for GPL compliance. At least that is the theory behind the lawsuit against Vizio:

https://sfconservancy.org/copyleft-compliance/vizio.html

77. rossjudson ◴[12 Nov 25 03:00 UTC] No.45895955{4}[source]
I'm sure that a hacker wouldn't think of trying to use an obscure format...

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...

replies(1): >>45896464 #
78. 7e ◴[12 Nov 25 03:01 UTC] No.45895962{5}[source]
Those aren’t tech giants. They're just shit companies. I agree they greatly outnumber Big Tech, in employees if not talent.
replies(2): >>45896008 #>>45898589 #
79. iscoelho ◴[12 Nov 25 03:04 UTC] No.45895984{8}[source]
UAF bugs lead to RCE exploit chains.
replies(1): >>45896738 #
80. Jweb_Guru ◴[12 Nov 25 03:05 UTC] No.45895995{5}[source]
It feels like maybe people do not realize that Google is not the only company that can run fuzzers against ffmpeg? Attackers are also highly incentivized to do so and they will not do you the courtesy of filing bug reports.
81. nradov ◴[12 Nov 25 03:08 UTC] No.45896008{6}[source]
Check again. The Optum unit of UnitedHealth Group has huge revenue from software and technical services. If just that part of the business was spun out it would be one of the top 20 US tech companies.
replies(1): >>45900163 #
82. nradov ◴[12 Nov 25 03:21 UTC] No.45896066{5}[source]
I don't know about ExxonMobil but Walmart, UnitedHealth Group, and JPMorganChase employees do actively contribute to open source projects. Maybe just not the ones you used. They have also published some of their own.

https://github.com/walmartlabs

https://github.com/Optum

https://github.com/jpmorganchase

83. Kim_Bruning ◴[12 Nov 25 03:22 UTC] No.45896076{6}[source]
But their competitors also fund them, which makes it a net positive sum.
84. AnthonyMouse ◴[12 Nov 25 03:28 UTC] No.45896101{6}[source]
> Their whole reason for not funding open source is it essentially funds their competitors who use the same projects. That's why they'd rather build a closed fork in-house than just hand money to ffmpeg.

So the premise here is that AWS should waste their own money maintaining an internal fork in order to try to make their competitors do the same thing? But then Google or Intel or someone just fixes it a bit later and wisely upstreams it so they can pay less than you by not maintaining an internal fork. Meanwhile you're still paying the money even though the public version has the fix because now you either need to keep maintaining your incompatible fork or pay again to switch back off of it. So what you've done is buy yourself a competitive disadvantage.

> that's how executives think.

That's how cargo cult executives think.

Just because you've seen someone else doing something doesn't mean you should do it. They might not be smarter than you.

replies(1): >>45903000 #
85. a_vanderbilt ◴[12 Nov 25 03:37 UTC] No.45896147{5}[source]
And Blink. I used to contract with them a few years back, they all rely heavily on open source.
86. ecshafer ◴[12 Nov 25 03:38 UTC] No.45896152{5}[source]
To steelman this: I've never worked at any of the companies you listed but most likely Red Hat and IBM employees (Is there still a difference?) are being paid specifically to work on Openstack, as they get money from support contracts. When Walmart of Chase use Openstack there is a rather small team who is implementing openstack to be used as a platform. They are then paying IBM/Redhat for that support. There probably isn't really the expertise in the Openstack team at Warlmart to be adding patches. Some companies spend a different amount of money on in house technology than others, and then open source it.
87. bigiain ◴[12 Nov 25 03:43 UTC] No.45896177{6}[source]
Yeah - Amazon Elastic Transcoder which they just shut down and replaced with Elemental MediaConvert is almost certainly just managed "ffmpeg as a Service" under the hood.
88. bigiain ◴[12 Nov 25 03:57 UTC] No.45896236{9}[source]
I reckon this is an impedance mismatch between "Open Source Advocacy" and Open Source as a programming hobby/lifestyle/itch-to-scratch that drives people to write and release code as Open Source (of whatever flavour they choose, even if FSS and/or OSF don't consider that license to qualify as "Open Source").

I think Stallmann's ideological "allowing users to run, modify, and share the software without restrictions" stance is good, but I think for me at least that should apply to "users" as human persons, and doesn't necessarily apply to "corporate personhood" and other non-human "users". I don't see a good way to make that distinction work in practice, but I think it's something that if going to become more and more problematic as time goes on, and LLM slop contributions and bug reports somehow feed into this too.

I was watching MongoDB and Redis Labs experiments with non-OSF approved licences clearly targeted at AWS "abusing" those projects, but sadly neither of those cases seemed to work out in the long term. Also sadly, I do not have any suggestions of how to help...

89. bigiain ◴[12 Nov 25 04:01 UTC] No.45896263{4}[source]
" ... and it can do insane stuff"

That's a pretty good indicator it's likely just ffmpeg in an AWS Hoodie/Trenchcoat.

90. bigiain ◴[12 Nov 25 04:08 UTC] No.45896300{4}[source]
Hmmmm. There's probably just one guy who wrote the ffmpeg code for that format. _Maybe_ one or two more who contributed fixes or enhancements?

The ffmpeg project need to get in touch and get then to assign copyright to the ffmpeg project, then delete that format/decoder from ffmpeg. Then go back to Google with an offer to licence then a commercial version of ffmpeg with the fixed SANM ANIM v0 decoder, for the low low price of only 0.0001% of YouTube's revenue every year. That'd likely make them the best funded open source project ever, if they pulled it off.

91. bigiain ◴[12 Nov 25 04:15 UTC] No.45896321{7}[source]
That behaviour is indeed totally unacceptable. At your job. Where they're paying you, and especially if they're paying you at FAANG type pay scales.

If you're an unpaid volunteer? Yeah - nah. They can tell you "Sorry, I'm playing with my cat for the next 3 months, maybe I'll get to it after that?", or just "Fuck off, I don't care."

(I'm now playing out a revenge fantasy in my head where the ffmpeg team does nothing, and Facebook or Palantir or someone similar get _deeply_ hacked via the exploit Google published and theat starts the planets biggest ever pointless lawyers-chasing-the-deepest-pockets fight.)

replies(1): >>45898014 #
92. Aurornis ◴[12 Nov 25 04:20 UTC] No.45896339[source]
> Unfortunately, in my experience, there's often a lot of barriers within companies to upstream. Reasons can be everything from compliance, processes, you name it... It's unfortunate.

I’ve been at several companies where upstreaming was encouraged for everything. The fewer internal forks we could maintain, the better.

What surprised me was how many obstacles we’d run into in some of the upstream projects. The amount of time we lost to trying to appease a few maintainers who were never happy with code unless they wrote it themselves was mind boggling.

For some projects you can basically forget about upstreaming anything other than an obvious and urgent bug fix because the barriers can be so high.

replies(3): >>45897333 #>>45903363 #>>45903441 #
93. bigiain ◴[12 Nov 25 04:26 UTC] No.45896368{7}[source]
> But "everyone else down stream of us should compile out our security hole" is a terrible way to go about things.

Is that somehow _less_ of a terrible way to think than "someone who's contributed their time as a volunteer to an open source software project that we have come to rely on, now has some sort of an obligation to drop everything and do more unpaid work for a trillion dollar company"?

> it really needs to be fixed in the up stream

Lots of people love using "Free Software" that they didn't have to write as essential parts of their business.

Way too many of them seem to blink right when they get to this bit of the licence they got it with:

SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

(That's directly from Section 15 "NO WARRANTY of https://code.ffmpeg.org/FFmpeg/FFmpeg/src/branch/release/4.0... )

replies(1): >>45897276 #
94. bigiain ◴[12 Nov 25 04:32 UTC] No.45896399{6}[source]
> Google has been running all sorts of fuzzers against ffmpeg for over a decade at this point

Yeah. It's called YouTube... Why run fuzzers if you can get people to upload a few million random videos every day? ;-)

(I wonder if the BigSleep AI was trained on or prompted with YouTube error logs?)

95. godelski ◴[12 Nov 25 04:50 UTC] No.45896464{5}[source]

  > If you used the scan to pdf functionality of a [Xerox] like this a decade ago, your PDF likely had a JBIG2 stream in it.
That's not an obscure format, that's an old format. Meanwhile with ffmpeg we're talking about

  > decoding LucasArts Smush codec, specifically the first 10-20 frames of Rebel Assault 2, a game from 1995.
That's both old and obscure.

Your point is still taken, but just to clarify that these are different situations. JBIG2 is included for legacy. The Lucas art codec is included for... completion's sake(?)

replies(1): >>45901192 #
96. deaddodo ◴[12 Nov 25 05:10 UTC] No.45896581{6}[source]
No one said make it proprietary; there are other OSS licenses that would make ffmpeg non-viable for commercial usage.
replies(1): >>45901812 #
97. deaddodo ◴[12 Nov 25 05:16 UTC] No.45896612{6}[source]
Google, AWS, Vimeo, etc can demand all they want. But they’re just another voice without any incentives that aid the project. If they find having an in-house ffmpeg focused on their needs to be preferable, go for it; that’s OSS.

But given its license, they’re going to have to reveal those changes anyways (since many of the most common codecs trigger the GPL over LGPL clause of the license) or rewrite a significant chunk of the library.

98. ◴[12 Nov 25 05:19 UTC] No.45896629[source]
99. linuxhansl ◴[12 Nov 25 05:29 UTC] No.45896674[source]
> Unfortunately, in my experience, there's often a lot of barriers within companies to upstream. Reasons can be everything from compliance, processes, you name it...

True. In my case I literally had to fight for it. Our lawyers were worried about a weakened patent portfolio and whatnot. In my case at least I won and now we have a culture of upstreaming changes. So don't give up the fight, you might win.

100. fulafel ◴[12 Nov 25 05:45 UTC] No.45896738{9}[source]
They can if someone manages to develop an exploit. Let's not confuse vulnerabilities and exploits.
replies(1): >>45898277 #
101. koolala ◴[12 Nov 25 05:46 UTC] No.45896743{3}[source]
They totally broke CSGO Legacy's code to push its sequel CS2 and won't accept fixes for it because it's 'not being supported'.
replies(1): >>45897130 #
102. KingMob ◴[12 Nov 25 05:55 UTC] No.45896787{8}[source]
I like FS, but it's always had kind of nebulous morality, though. It lumps in humans with companies, which cannot have morals, under the blanket term "users".

This is the same tortured logic as Citizens United and Santa Clara Co vs Southern Pacific Railroad, but applied to FS freedoms instead of corporate personhood and the 1st Amendment.

I like the FS' freedoms, but I favor economic justice more, and existing FS licenses don't support that well in the 21st c. This is why we get articles like this every month about deep-pocketed corporate free riders.

replies(1): >>45897275 #
103. aydyn ◴[12 Nov 25 05:55 UTC] No.45896791{5}[source]
But that's only relevant if AWS (in this example) violates the GPL license, and it doesn't really seem like they have?
104. lodovic ◴[12 Nov 25 05:55 UTC] No.45896793{4}[source]
Can't you just give the information you are hinting at? Other people than OP read this. You basically tell me to go read thousands of messages on a mailing list just solve your rhetorical question. (answer: Intel, Redhat, Meta, Google, Suse, Arm and Oracle. There are much more efficient ways to find this.) Yes, they are the main kernel contributors and have been for many years. I'm still not sure I understand the comment.
replies(3): >>45897402 #>>45897764 #>>45898199 #
105. mmooss ◴[12 Nov 25 06:15 UTC] No.45896892{3}[source]
Why would they invest resources - scarce, expensive time of attorneys - in researching and solving this problem? The attorneys' job is to help the company profit, to maximize ROI for legal work. Where is the ROI here? And remember, just positive ROI is unacceptable; they want maximum ROI per hour worked. When the CEO asks them how this project maximized ROI, what do they say?

I believe in FOSS and can make an argument that lots of people on HN will accept, but many outside this context will not understand it or care.

replies(1): >>45896982 #
106. dgunay ◴[12 Nov 25 06:16 UTC] No.45896897{5}[source]
Even at places that are permissive about hobby code, a company ought to want to put its name on open source contributions. These build awareness in the programming community of the company and can possibly serve as a channel for recruitment leads. But the (usually false) perception of legal risk and misguided ideas about what constitutes productivity usually sink any attempts.
replies(1): >>45898079 #
107. meekins ◴[12 Nov 25 06:24 UTC] No.45896939{5}[source]
This is what I've done in those rare cases I've had to fix a bug in a tool or a library I've used professionally. I've also made sure to do that using online identities with no connection to my employer so that any small positive publicity for the contribution lands on my own CV instead of the bureaucratic company getting the bragging rights.
108. grumbelbart2 ◴[12 Nov 25 06:31 UTC] No.45896982{4}[source]
If you fixed something in an open source library you use, and you don't push that upstream, you are bound to re-apply that patch with every library update you do. And today's compliance rules require you to essentially keep all libraries up to date all the time, or your CVE scanners will light up. So fixing this upstream in the original project has a measurable impact on your "time spent on compliance and updates KPI".
replies(2): >>45897282 #>>45898817 #
109. Root_Denied ◴[12 Nov 25 06:39 UTC] No.45897022{4}[source]
I'd say as a counterpoint that just because someone works at, say, Meta or Oracle, and also contributes to OSS projects, that doesn't equate to the company they work at funding upstream projects (at least not by itself).

I don't even have to link the xkcd comic because everyone already knows which one goes here.

replies(3): >>45897115 #>>45897291 #>>45898229 #
110. MYEUHD ◴[12 Nov 25 06:57 UTC] No.45897115{5}[source]
Well, if they use their work email, doesn't that mean their kernel work is endorsed by their employer?
111. socalgal2 ◴[12 Nov 25 06:58 UTC] No.45897121[source]
interesting, checking the git history of FFmpeg, google has approximately 643 contributions

    git clone https://git.ffmpeg.org/ffmpeg.git
    cd ffmpeg
    git log --pretty=format:"%ae" | grep -E "chromium\\.org|google\\.com" | wc -l
prints 643
112. testdelacc1 ◴[12 Nov 25 06:59 UTC] No.45897130{4}[source]
To be clear, both of those are closed source, proprietary games owned by Valve. It makes sense for them to want to consolidate their player base in one game.
113. monero-xmr ◴[12 Nov 25 07:10 UTC] No.45897191{3}[source]
Valve is so successful because it is a private company, and the CEO is the CTO and he is essentially the corporate equivalent of a religious monk. How else can you get 20+ years to slowly build a software business?

As a side note YC and tech startups themselves have become reality TV. Your goal should be Valve! You should be Gabe Newell! You don’t need to be famous! Just build something valuable and be patient

replies(3): >>45900077 #>>45900138 #>>45900679 #
114. Jweb_Guru ◴[12 Nov 25 07:24 UTC] No.45897267{5}[source]
The actual best response would be to run any "unsupported" codecs in a WASM sandbox. That way you are not throwing away work, Google can stop running fuzzers against random formats from 1995, and you can legitimately say that the worst that can happen with these formats is a process crash. Everybody wins.
115. spookie ◴[12 Nov 25 07:26 UTC] No.45897275{9}[source]
Agree in some ways. Still, discussing the nitty gritty is superfluous, the important underlying message you are making is more existential.

Open source software is critical infrastructure at this point. Maintainers should be helped out, at least by their largest users. If free riding continues, and maintainers' burden becomes too large, supply chain attacks are bound to happen.

116. tpmoney ◴[12 Nov 25 07:26 UTC] No.45897276{8}[source]
> someone who's contributed their time as a volunteer to an open source software project that we have come to rely on, now has some sort of an obligation to drop everything and do more unpaid work for a trillion dollar company

If you could highlight the relevant part of the bug report that demanded the developers "drop everything" and do "unpaid work for a trillion dollar company", that would be great because I'm having trouble finding it. I see "hey, we found this bug, we found where we think the issue is in the code and here's a minimal reproduction. Also FYI we've sent you this bug report privately, but we will also be filing a public bug report after 90 days." And no, I don't think having a policy of doing a private bug report followed by a public report some time later qualifies as a demand. They could have just made a public report from the get go. They could also have made a private report and then surprised them with a public bug report some arbitrary amount of time later. Giving someone a private heads up before filing a public bug report is a courtesy, not a demand.

And it's really funny to complain about Google expecting "unpaid work for a trillion dollar company", when the maintainers proudly proclaim that the likes of no less than Google ARE paying them for consulting work on ffmpeg[1][2][3]

[1]: https://fflabs.eu [2]: https://fflabs.eu/about/ [3]: https://ffmpeg.org/consulting.html

replies(1): >>45897734 #
117. mmooss ◴[12 Nov 25 07:27 UTC] No.45897282{5}[source]
That is a real benefit, I agree.
118. fweimer ◴[12 Nov 25 07:28 UTC] No.45897289{4}[source]
They can switch from LGPLv2.1 to GPLv2 or GPLv3 for future development because the license has an explicit provision for that.
119. izacus ◴[12 Nov 25 07:28 UTC] No.45897291{5}[source]
People don't use their company email addresses for private work.
replies(2): >>45899252 #>>45902321 #
120. troupo ◴[12 Nov 25 07:35 UTC] No.45897325{5}[source]
Twitch definitely. This whole brouhaha has been brewing for a while, and can be traced back to a spat between Theo and ffmpeg.

In the now deleted tweet Theo thrashed VLC codecs to which ffmpeg replied basically "send patches, but you wouldn't be able to". The reply to which was

--- start quote ---

https://x.com/theo/status/1952441894023389357

You clearly have no idea how much of my history was in ffmpeg. I built a ton of early twitch infra on top of yall.

--- end quote ---

This culminated in Theo offering a 20k bounty to ffmpeg if they remove the people running ffmpeg twitter account. Which prompted a lot of heated discussion.

So when Google Project Zero posted their bug... ffmpeg went understandably ballistic

121. maybewhenthesun ◴[12 Nov 25 07:37 UTC] No.45897333{3}[source]
While there's sometimes maintainer-prima-donna egos the contend with there's also this:

Any patch sent in also needs to be maintained into the future, and most of the time it's the maintainers that need to do that, not the people contributing the patch. Therefore any feature-patches (as opposed to simple bugfixes) are quite often refused, even if they add useful functionality, because the maintainers conclude they will not be able to maintain the functionality into the future (because no one on the maintaining team has experience in a certain field, for example).

The quality bar for a 'drive by patch' which is contributed without the promise of future support is ridiculously high and it has to be. Other peoples' code is always harder to maintain than your own so it has to make up for that in quality.

replies(1): >>45898087 #
122. ptman ◴[12 Nov 25 07:47 UTC] No.45897402{5}[source]
https://lwn.net/Articles/1038358/
123. subscribed ◴[12 Nov 25 07:50 UTC] No.45897416{4}[source]
One of my past employers in the UK added to the policy all the software the employee writes during the employment (eg. during the weekend, on the personal hardware), is owned by the company.

Several software engineers left, several didn't sign it.

Yes, company was very toxic apart of that. Yeah, I should name and shame but I won't be doxxing myself.

replies(1): >>45898141 #
124. skrebbel ◴[12 Nov 25 07:52 UTC] No.45897430{3}[source]
And? How does that give the ffmpeg authors a power over Amazon? (Hint: it doesn’t and the guy we’re discussing is spewing nonsense for maximum retweets)
125. rossant ◴[12 Nov 25 08:06 UTC] No.45897526{3}[source]
Is the idea that ffmpeg could change its license and wreak havoc?
126. ◴[12 Nov 25 08:31 UTC] No.45897721{7}[source]
127. etiennebausson ◴[12 Nov 25 08:32 UTC] No.45897734{9}[source]
Publicly posting an exploitable bug IS asking for someone to drop everything and come fix the issue NOW.
replies(1): >>45897938 #
128. Wowfunhappy ◴[12 Nov 25 08:37 UTC] No.45897764{5}[source]
I think GP answered as they did because there are so many examples it's hard to know where to start.

It's not entirely unlike if someone said "the only person I know writing books successfully is Brandon Sanderson." I do think "you ought to go check out your local book store" would be a valid response.

129. tpmoney ◴[12 Nov 25 09:02 UTC] No.45897938{10}[source]
So when someone finds a bug in software, in your mind the only acceptable options are:

1) Fix it yourself

2) Sit on it silently until the maintainers finally get some time to fix it

That seems crazy to me. For one, not everyone who discovers a bug can fix it themselves. But also a patch doesn't fix it until it's merged. If filing a public bug report is expecting the maintainers to "drop everything and do free labor" then certainly dropping an unexpected PR with new code that makes heretofore unseen changes to a claimed security vulnerability must surely be a much stronger demand that the maintainers "drop everything" and do the "free labor" of validating the bug, validating the patch, merging the patch etc etc etc. So if the maintainers don't have time to patch a bug from a highly detailed bug report, they probably don't have time to review an unexpected patch for the same. So then what? Does people sit on that bug silently until someone finally gets around to having the time to review the PR. Or are they allowed to go public with the PR even though that's far more clearly a "demand to drop everything and come fix the issue NOW".

I for one am quite happy the guy who found the XZ backdoor went public before a fix was in place. And if tomorrow someone discovers that all Debian 13 releases have a vulnerable SSH installation that allows root logins with the password `12345`, I frankly don't give a damn how overworked the SSH or Debian maintainers are, I want them to go public with that information too so the rest of us can shut off our Debian servers.

replies(2): >>45899277 #>>45900494 #
130. walletdrainer ◴[12 Nov 25 09:12 UTC] No.45898014{8}[source]
Or perhaps you’re a FAANG security researcher and your time will be better spent serving the OSS community as a whole by submitting as many useful bug reports as possible, instead of slightly fewer reports with patches included.

In this particular case it’s hardly obvious which patch you should submit. You could fix this particular bug (and leave in place the horrible clunky codec that nobody ever uses) OR you could just submit a patch that puts it behind a compile flag. This is really a decision for the maintainers, and submitting the latter (much better!) patch would not save the maintainers any meaningful amount of time anyway.

replies(1): >>45901594 #
131. whstl ◴[12 Nov 25 09:22 UTC] No.45898079{6}[source]
It is amazing how companies want this "marketing" but don't want to put the actual effort to make it possible.

A tech company I worked at once had a "sponsorship fund" to "sponsor causes" that employees wanted, it was actually good money but a drop in the bucket for a company. A lot of employees voted for sponsoring Vue.js, which is what we used. Eventually, after months of silence, legal/finance decided it was too much work.

But hey it wasn't an exception. The local animal shelter was the second most voted and legal/finance also couldn't figure it out how to donate.

In the end the money went to nowhere.

The only "developer marketing" they were doing was sending me in my free time to do panels with other developers in local universities and conferences. Of course it was unpaid, but in return I used it to get another job.

132. WesolyKubeczek ◴[12 Nov 25 09:23 UTC] No.45898087{4}[source]
Not any patch. Sometimes there are patches that are not explicitly fixing defects, but for example they surface a boolean setting that some upstream library started to expose. That setting is exactly like a dozen other settings already there. It's made using the same coding style and has all requisite things other settings have.

Will you be still making a fuss over it?

replies(1): >>45898320 #
133. pjc50 ◴[12 Nov 25 09:31 UTC] No.45898141{5}[source]
Many years ago an employer tried to to that and everyone .. just refused to sign the new contracts. The whole thing sat in standoff limbo for months until the dotcom crash happened and the issue became moot when we were all made redundant.
134. izacus ◴[12 Nov 25 09:40 UTC] No.45898199{5}[source]
No, "just" having to debunk BS from a BSer who lazily threw out misinformation is not the way to go. It's the BSer that needs to do more work.
135. surajrmal ◴[12 Nov 25 09:45 UTC] No.45898229{5}[source]
Everyone I know who contributes to Linux upstream is paid to do it. It's not really worth the hassle to bother trying if you weren't getting paid. It's also very easy to find companies that will pay you to work on Linux and upstream.
136. codedokode ◴[12 Nov 25 09:53 UTC] No.45898277{10}[source]
This bug might lead to vulnerability and that's enough. It makes no sense to waste lot of time and research whether it is possible or not - it is faster to remove the buggy codec nobody needs or make a fix.
137. surajrmal ◴[12 Nov 25 09:54 UTC] No.45898284{8}[source]
AI found the bug, but the analysis and bug report were entirely written by a human without AI assistance. Source: I work with the author.
138. josephg ◴[12 Nov 25 09:59 UTC] No.45898320{5}[source]
Maybe, it depends!

Maybe the developer intends to some day change the internal implementation, such that that particular boolean flag wouldn't make sense any more. Or they're considering taking out the option entirely, and thus simplifying the codebase by making it so it only works one way.

Maybe the developer just doesn't care about your use case. If I have a project that works fine for what I do with it, why should I also care about some other use case you have for my work? I'm not your employee. Your product doesn't put a roof over my head.

I don't want a job where I do free work, for a bunch of companies who all make money off my work. That's a bad deal. Its a bad deal even if my code gets better as a result. I have 150 projects on github. I don't want to be punished if any of those projects become popular.

We can't go around punishing projects like ffmpeg or ruby on rails for the crime of being useful.

replies(2): >>45899270 #>>45899295 #
139. surajrmal ◴[12 Nov 25 10:02 UTC] No.45898332[source]
A human at Google investigates all of the bugs fuzzers and AI find manually and manually writes bug reports for upstream with more analysis. They are certainly paid to do that. They are also paid to develop tooling to find bugs.

I'm not sure what you think you mean when you say "running AIs indiscriminately". It's quite expensive to run AI this way, so it needs to be done with very careful consideration.

140. poulpy123 ◴[12 Nov 25 10:03 UTC] No.45898338[source]
Nothing says solid industry better than having 3 majors product lines from a trillion dollar company depending of unpaid volunteer labor.
replies(1): >>45899071 #
141. josephg ◴[12 Nov 25 10:05 UTC] No.45898347{3}[source]
I don't know if it would work, but sometimes I consider a "moochers" rule wrt opensource code.

Like, here's the deal: The work is proper, legit opensource. You can use it for free, with no obligations.

But if your company makes a profit from it, you're expected to either donate money to the project or contribute code back in kind. (Eg security patches, bug fixes, or contribute your own opensource projects to the ecosystem, etc).

If you don't, all issues you raise and PRs get tagged with a special "moocher" status. They're automatically - by default - ignored or put in a low priority bin. If your employees attend any events, or join a community discord or anything like that, you get a "moocher" badge, so everyone can see that you're a parasite or you work for parasites. Thats ok; opensource licenses explicitly allow parasites. I'm sure you're a nice person. But we don't really welcome parasites in our social spaces, or allow parasites to take up extra time from the developers.

replies(1): >>45899064 #
142. preisschild ◴[12 Nov 25 10:30 UTC] No.45898528{6}[source]
ffmpeg is LGPL, so they can't make a proprietary fork anyways
143. ezconnect ◴[12 Nov 25 10:41 UTC] No.45898589{6}[source]
Walmart is a tech giant.
replies(1): >>45899773 #
144. cornonthecobra ◴[12 Nov 25 11:22 UTC] No.45898817{5}[source]
This touches on what I ended up telling them: maintaining a local patchset is expensive and fragile. Running customized versions of things is a self-inflicted compliance problem.

I still had to upstream anonymously, though.

145. rs186 ◴[12 Nov 25 11:35 UTC] No.45898904{3}[source]
Still doesn't make any sense.

The company that I work at makes sure anything that uses third-party library, whether in internal tools/shipped product/hosted product, goes through legal review. And you'd better comply with whatever the legal team asks you to do. Unless you and everyone around you are as dumb as a potato, you are not going to do things that blatantly violates licenses, like shipping a binary with modified but undisclosed GPL source code. And you can be sure that (1) it's hard to use anything GPL or LGPL in the first place (2) even if you are allowed to, someone will tell you to be extra careful and exactly do what you are told to (or not to)

And as long as Amazon is complying with ffmpeg's LGPL license, ffmpeg can't just stop licensing existing code via an email. Of course, unless there is some secret deal, but again, in that case, someone in the giant corporation will make sure you follow what's in the contract.

Basically, at company at Amazon where there are functional legal teams, the chance of someone "screwing up" is very small.

146. rs186 ◴[12 Nov 25 11:41 UTC] No.45898949{5}[source]
Heard of OpenSearch?

There are many reasons, often good ones, not to pay money for an open source project but instead fund your own projects, from a company's perspective.

147. rs186 ◴[12 Nov 25 11:43 UTC] No.45898966{7}[source]
Nobody said the fork cannot diverge from the original project.
148. Cthulhu_ ◴[12 Nov 25 11:55 UTC] No.45899056{3}[source]
It goes even further sometimes, I've seen someone in the Go community slack announce they are going to dial back their activity because of Very Serious Clauses in their Apple contract.

That seems to imply that Apple employees are prohibited from being good internet citizens and e.g. helping people out with any kind of software issue. This presumably includes contributing to open source, although I'm sure they can get approval for that. But the fact they have to get approval for it is already a chilling effect.

replies(1): >>45899665 #
149. cornonthecobra ◴[12 Nov 25 11:56 UTC] No.45899064{4}[source]
I've spent the last 32 years pushing every employer I've had to contribute back to open source. Because of the sector I work in, more often than not I'm constrained by incredibly tight NDAs.

I can usually stop short of providing code and file a bug that explains the replication case and how to fix it. I've taken patches and upstreamed them pseudonymously on my own time when the employer believed the GPL meant they couldn't own the modifications.

If after all that you still want to label me a moocher at cons, that's your choice.

replies(1): >>45899220 #
150. Cthulhu_ ◴[12 Nov 25 11:56 UTC] No.45899071[source]
I think if you look a bit deeper, all product lines from said trillion dollor company rely on open source to some degree. They should be spending hundreds of millions in sponsorship of OS projects. They should put the maintainers on their payroll. Not even reporting to a manager, just pay them a salary for their OS work.
replies(1): >>45901838 #
151. loodish ◴[12 Nov 25 12:14 UTC] No.45899217[source]
If you breach the LGPLv2/GPLv2 licence then you lose all rights to use the software.

There's no penalty clause, there's no recovery clause. If you don't comply with the licence conditions then you don't have a licence. If you don't have a licence then you can't use the program, any version of the program. And if your products depend on that program then you lose your products.

The theoretical email would be a notification that they had breached the licence and could no longer use the software. The obvious implication being that AWS was wanting to do something that went contrary to the restrictions in the GPL, and he was trying to convince them not to.

152. seb1204 ◴[12 Nov 25 12:14 UTC] No.45899220{5}[source]
You can wear your secret cape with pride, don't worry about the moocher badge.
153. seb1204 ◴[12 Nov 25 12:18 UTC] No.45899252{6}[source]
Linus does...
154. masto ◴[12 Nov 25 12:19 UTC] No.45899267{3}[source]
I found a tiny bug in a library. A single, trivial, “the docs say this utility function does X, but it actually does Y”. I’m not even allowed to file a bug report. It took me some time to figure out how to even ask for permission, and they referred it to some committee where it’s in limbo.
155. WesolyKubeczek ◴[12 Nov 25 12:20 UTC] No.45899270{6}[source]
I don't know.

The pattern I have seen is that if you want to contribute a fix into a project, you are expected to "engage with the community", wear their badge, invest into the whole thing. I don't want to be in your community, I want to fix a bug in a thing I'm using and go on with my life.

Given the usual dynamics of online communities which are getting somehow increasingly more prone to dramas, toxicity, tribalism, and polarization, I just as increasingly want to have no part in them most of the time.

I think many projects would be better for having a lane for drive-by contributors who could work on fixing bugs that prevent their day-to-day from working without expectations of becoming full-time engaged. The project could set an expectation that "we will rewrite your patch as we see fit so we could integrate and maintain it, if we need/want to". I wouldn't care as long as the problem is taken care of in some way.

replies(2): >>45899641 #>>45900482 #
156. etiennebausson ◴[12 Nov 25 12:20 UTC] No.45899277{11}[source]
xz was a fundamentally different problem, it was code that had been maliciously introduced to a widespread library and the corrupted version was in the process of being deployed to multiple distributions. The clock was very much ticking.
replies(1): >>45908225 #
157. WesolyKubeczek ◴[12 Nov 25 12:23 UTC] No.45899295{6}[source]
> Maybe the developer just doesn't care about your use case. If I have a project that works fine for what I do with it, why should I also care about some other use case you have for my work?

Then say you don't expect contributions at all. That's a fair game, I'm ok with it. I will then exercise my rights granted by your license in another way (forking and making my own fix most likely). My gripe is with projects that write prominently "PRs welcome", and then make enough red tape to signal that nah, not really.

158. fukka42 ◴[12 Nov 25 13:04 UTC] No.45899641{7}[source]
Being allowed to contribute to open source is a privilege, not a right.

You could also just pay for it.

replies(2): >>45901447 #>>45901580 #
159. fukka42 ◴[12 Nov 25 13:06 UTC] No.45899665{4}[source]
Apple? Not interested in being a good internet citizen? Say it ain't so!
160. roryirvine ◴[12 Nov 25 13:18 UTC] No.45899773{7}[source]
FWIW, when working at a major Silicon Valley tech company in the mid 2010s, my team made significant contributions to OSS projects including OpenStack and the Linux kernel as a core part of our work for Walmart.

The work to upstream our changes was included in the Statements of Work which Walmart signed off on, and our time spent on those efforts was billed to them.

The stats for those projects will have recorded my former employer as the direct source of those contributions - but they wouldn't have existed had it not been for Walmart.

161. eptcyka ◴[12 Nov 25 13:41 UTC] No.45900051{4}[source]
Oh the irony - we don't want to pay for ffmpeg's development, but sure can finance a fork if we have to.
162. fao_ ◴[12 Nov 25 13:44 UTC] No.45900077{4}[source]
> How else can you get 20+ years to slowly build a software business?

It used to be normal to build a business slowly over 20 years. Now everyone grabs for the venture capital, grows so fast they almost burst, and the venture capital inevitably ends in enshittification as companies are forced by shareholders to go against their business model and shit over their customers in order to generate exponential profit margins.

163. red-iron-pine ◴[12 Nov 25 13:45 UTC] No.45900101{3}[source]
WINE was a thing for years and generally worked okay for a lot of things.

I was playing Fallout 3 on WINE well before Valve got involved with minimal tweaks or DIY effort.

Proton with Steam works flawlessly for most things including AAA games like RDR2 and it's great, but don't forget that WINE was out there making it work for a while

replies(2): >>45900418 #>>45902118 #
164. red-iron-pine ◴[12 Nov 25 13:49 UTC] No.45900138{4}[source]
Steam is the most dominant game tool on the planet and landed when there was not yet a market for it. Very few other projects will get to the level of success it has in any sector, anywhere.

GabeN was also a MS developer back in the day and likely would have been well off regardless, but he didn't need to play the YC A-B-let's-shoehorn-AI bullshit games that are 100% de rigeour for all startups in 2025.

replies(1): >>45900747 #
165. indolering ◴[12 Nov 25 13:50 UTC] No.45900153{3}[source]
WINE, CodeWeavers, Mesa, Red Hat, and plenty of others have been pumping money into the Linux graphics subsystems for a very long time. It's cool that Valve was able to use its considerable wealth to build a business off of it. But they came in at a pretty opportune time.

Windows support had gotten a boost from .NET going open source as well as other stuff MS began to relax about. It also helped that OpenGL was put to rest and there was a new graphics API that could reasonably emulate DirectX. I don't know much about the backstory of Mesa, but it's pretty cool tech that has been developing for a long time.

166. red-iron-pine ◴[12 Nov 25 13:50 UTC] No.45900163{7}[source]
too bad UnitedHealthGroup is capital-E Evil and is literally running the "death panels" that insane right wing propaganda tried to scare us about
replies(1): >>45900695 #
167. ◴[12 Nov 25 14:08 UTC] No.45900369{4}[source]
168. bayindirh ◴[12 Nov 25 14:11 UTC] No.45900418{4}[source]
> WINE was a thing for years and generally worked okay for a lot of things.

Yes, but Valve's involvement handled "the last 10% takes the 90% of the time" part of WINE, and that's a great impact, IMHO.

Trivia: I remember WINE guys laughing at WMF cursor exploit, then finding the exploit works on WINE too and fix it in panic, and then bragging bug-for-bug compatibility with Windows. It was hilarious.

Also, WINE allowed Linux systems to be carrier for Windows USB flash drive virii without being affected by them for many years.

169. maybewhenthesun ◴[12 Nov 25 14:17 UTC] No.45900482{7}[source]
In my experience simple bugfixes are nearly always accepted without fuss (in active projects, that is. Some project in maintenance mode where the last commit was 3 months ago is a different story, because then probably just no-one can be arsed to look at the patch).

Some simple setting expose like you describe can sometimes go in without a fuss or it can stall, that depends on a lot of factors. Like the other reply states: it could go against future plans. Or it could be difficult for the maintainer to see the ramifications of a simple looking change. It sucks that it is that way (I have sent in a few patches for obscure CUPS bugs which have stayed in limbo, so I know the feeling ;-) ) but it is hardly surprising. From a project's point of view drive-by patches very often cost more than they add so to get something included you often need to do a very thorough writeup as for why something is a good idea.

> I just as increasingly want to have no part in them most of the time. If all people you meet are assholes.... ;-P Not to say you are an asshole, or at least not more than most people, but I have been in this situation myself more than once, and it really pays to stay (overly) polite and not let your annoyance about being brushed off slip through the mask. The text-only nature of these kind of communications are very sensitive to misinterpretations and annoyances.

It would be nice if all you'd need for a patch to be included somewhere was for it to be useful. But alas there's a certain amount of social engineering needed as well. And imho this has always been the case. If you feel it gets increasingly hostile that's probably your own developer burnout speaking (by do I know that one :-P )

170. naasking ◴[12 Nov 25 14:18 UTC] No.45900494{11}[source]
Responsible disclosure policies for contributor-driven projects can differ from commercial projects. Also, if Google has the funds to pay for bug finding, they also have the funds for bug fixing the community projects they depend on.
replies(1): >>45908242 #
171. mikkupikku ◴[12 Nov 25 14:32 UTC] No.45900679{4}[source]
Ironically, Gabe is more famous than the rest of whoever you're talking about, not because he seeks fame but just because he generally does right by his customers and makes himself accessible. Telling gamers to email him with questions, concerns, comments, anything, and then actually responding. Even though he's apparently spending most of his time hanging out on yachts, people love him because he makes an effort to be tuned in to what his customers want. If you do that, you'll be famous in a better way than what you can get from reality TV.
172. nradov ◴[12 Nov 25 14:33 UTC] No.45900695{8}[source]
What a lot of people don't realize is that it's mostly employer HR departments running the "death panels". UHG and its competitors would be happy to sell insurance policies that cover absolutely everything with no questions asked: this would be easier for them to administer without the hassles of utilization management and claim edits. But customers — mainly large employers — demand that insurers (or third-party administrators) impose more restrictive coverage rules in order to hold down medical costs.

Ultimately there will always be some healthcare rationing. This happens in every country. For example, the UK NHS has death panels which decide that certain treatments won't be covered at all because they're not cost effective. Resources are limited and demand is effectively infinite. So the only real question is how we do the rationing.

173. mikkupikku ◴[12 Nov 25 14:37 UTC] No.45900747{5}[source]
From what I understand, Gabe/Valve almost went bust during Half Life's development. His gamble paid off when that turned into a runaway success, but he still could have lost it when he bet again on HL2 and Steam; at the time it was extremely controversial to make those a package deal. If Half Life 2 had been not quite as good as it turned out to be, it could have turned out to be a studio with a one hit wonder that burned their goodwill with some sketchy DRM sort of scheme on their second game.
174. Wowfunhappy ◴[12 Nov 25 14:43 UTC] No.45900831{7}[source]
Here’s where I’m coming from: it would really suck if the outcome of all this was for ffmpeg to drop support for niche codecs.

It may be the case that ffmpeg cannot reasonably support every format while maintaining the same level of security. In that case, it makes sense for distros to disable some formats by default. I still think it’s great that they’re supported by the ffmpeg project.

I agree there would probably need to be some unified guidance about which formats to enable.

175. adgjlsfhk1 ◴[12 Nov 25 15:12 UTC] No.45901192{6}[source]
The problem is that if you have a process using ffmpeg and an attacker feeds it a video with this codec, ffmpeg will proceed to auto-detect the codec, attempt to decrypt and then then break everything.

If the format is old and obscure, and the implementation is broken, it shouldn't be on by default.

replies(1): >>45905098 #
176. okayjustonemore ◴[12 Nov 25 15:35 UTC] No.45901447{8}[source]
“Pay my way or take the highway” is as close to the closed-source ethos as you can possibly get. Collaboration is not feasible if the barrier of entry is too high and those involved make no effort to foster a collaborative environment.
177. WesolyKubeczek ◴[12 Nov 25 15:46 UTC] No.45901580{8}[source]
Thanks, I prefer that job where I am paid for writing code, not having to pay to write code.
178. Wowfunhappy ◴[12 Nov 25 15:47 UTC] No.45901594{9}[source]
I don’t understand how it helps the community to publicly release instructions for attacking people, unless you’re trying to incentivize a company to fix their crap. In this case, there is no company to incentivize, so just report it privately.

You can say publicly that “there is an ABC class vulnerability in XYZ component” so that users are aware of the risk.

replies(1): >>45902125 #
179. jlarocco ◴[12 Nov 25 15:50 UTC] No.45901635[source]
> Unfortunately, in my experience, there's often a lot of barriers within companies to upstream. Reasons can be everything from compliance, processes, you name it... It's unfortunate.

I sympathize and understand those issues for small companies, but after a certain size those excuses stop being convincing.

Especially for a software company like Google who runs dozens of open source projects, employs an army of lawyers to monitor compliance, and surely has to deal with those issues on a daily basis anyway.

At some point there needs to be pushback. Companies get a huge amount of value from hobbiest open source projects, and eventually they need to start helping out or be told to go away.

180. astrange ◴[12 Nov 25 16:03 UTC] No.45901812{7}[source]
You need a copyright grant to change the license in any way.
replies(1): >>45904108 #
181. chanux ◴[12 Nov 25 16:05 UTC] No.45901838{3}[source]
I have a feeling that if they do this, the economy would be hurt (somehow).

None of us want the economy to be hurt, right?

replies(1): >>45904902 #
182. lokar ◴[12 Nov 25 16:12 UTC] No.45901926{6}[source]
Anyone running this code with untrusted input needs to sandbox it (which Google has been doing all along).
183. xxs ◴[12 Nov 25 16:14 UTC] No.45901951{5}[source]
They can't - it's LGPL 2.1. So the fork would be public essentially.
184. jrm4 ◴[12 Nov 25 16:28 UTC] No.45902118{4}[source]
But this is a perfect example of one of those "90/10" esque ideas.

Even if Wine was 90% there technologically, the most important 90% is really that last 10.

185. walletdrainer ◴[12 Nov 25 16:29 UTC] No.45902125{10}[source]
It’s OSS so somebody who cares will fix it, and if nobody cares then it doesn’t really matter.

This also informs users that it’s not safe to use ffmpeg or software derived from it to open untrusted files, and perhaps most importantly releasing this tells the distro package maintainers to disable the particular codec when packaging.

replies(1): >>45904123 #
186. OkayPhysicist ◴[12 Nov 25 16:43 UTC] No.45902318[source]
This is why all open source software should be copyleft. No discussion to be had: either you upstream changes, or that open source developer's going to get funded via the courts.
187. flymasterv ◴[12 Nov 25 16:43 UTC] No.45902321{6}[source]
At GOOG you’re required to, by policy.
188. amarant ◴[12 Nov 25 17:08 UTC] No.45902666{3}[source]
My team lead once approved me upstreaming some changes to a open source project, so long as I did it using my private account.

Basically I got to do the work on company time&dime, but I couldn't give my employer credit, due to this kind of legal red tape.

I liked that teamlead

189. bjourne ◴[12 Nov 25 17:31 UTC] No.45902990[source]
Finding the bug is 95% of the effort. The idea that reporting obscure security bugs is worthless is BS.
190. illuminator83 ◴[12 Nov 25 17:31 UTC] No.45903000{7}[source]
It's the tragedy of the commons all over again. You can see it in action everywhere people or communities should cooperate for the common good but don’t. Because many either fear being taken advantage of or quietly try to exploit the situation for their own gain.
replies(1): >>45904013 #
191. ◴[12 Nov 25 17:57 UTC] No.45903363{3}[source]
192. kazinator ◴[12 Nov 25 18:02 UTC] No.45903441{3}[source]
> The amount of time we lost to trying to appease a few maintainers who were never happy with code unless they wrote it themselves was mind boggling.

That brings us full circle to the topic because one important thing that gets people motivated into accepting other people's changes to their code is being paid.

If you work in FOSS side projects as well as a proprietary day job, you know it: you accept changes at work that you wouldn't in those side projects.

In the first place, you write the code in ways you wouldn't due to conventions you disagree with, in some crap language you wouldn't use voluntarily, and so it geos.

People working on their own FOSS project want everything their way, because that's one of the benefits of working on your own FOSS project.

193. AnthonyMouse ◴[12 Nov 25 18:37 UTC] No.45904013{8}[source]
The tragedy of the commons is actually something else. The problem there comes from one of two things.

The first is that you have a shared finite resource, the classic example being a field for grazing which can only support so many cattle. Everyone then has the incentive to graze their cattle there and over-graze the field until it's a barren cloud of dust because you might as well get what you can before it's gone. But that doesn't apply to software because it's not a finite resource. "He who lights his taper at mine, receives light without darkening me."

The second is that you're trying to produce an infinite resource, and then everybody wants somebody else to do it. This is the one that nominally applies to software, but only if you weren't already doing it for yourself! If you can justify the effort based only on your own usage then you don't lose anything by letting everyone else use it, and moreover you have something to gain, both because it builds goodwill and encourages reciprocity, and because most software has a network effect so you're better off if other people are using the same version you are. It also makes it so the effort you have to justify is only making some incremental improvement(s) to existing code instead of having to start from scratch or perpetually pay the ongoing maintenance costs of a private fork.

This is especially true if your company's business involves interacting with anything that even vaguely resembles a consolidated market, e.g. if your business is selling or leasing any kind of hardware. Because then you're in "Commoditize Your Complement" territory where you want the software to be a zero-margin fungible commodity instead of a consolidated market and you'd otherwise have a proprietary software company like Microsoft or Oracle extracting fees from you or competing with your hardware offering for the customer's finite total spend.

194. astrange ◴[12 Nov 25 18:43 UTC] No.45904108{8}[source]
(Except for the part in the LGPL that lets you relicense it to later versions.)
195. Wowfunhappy ◴[12 Nov 25 18:44 UTC] No.45904123{11}[source]
Right, I just don’t see why they need to publish the actual exploit.
replies(1): >>45906665 #
196. estimator7292 ◴[12 Nov 25 19:23 UTC] No.45904902{4}[source]
That's what's going to happen when these corporations extract the last value from OSS and all the maintainers give up, so..
197. godelski ◴[12 Nov 25 19:33 UTC] No.45905098{7}[source]
Sorry, I probably wasn't clear enough in my comment. I was trying to say that being old gives some legitimacy for existing. Just because it is old doesn't mean it isn't used. Though yes, this should be better determined to make sure it isn't breaking workflows you don't know about.

But old AND obscure, well it's nice that it is supported but enabled by default? Fully with you there.

198. commandersaki ◴[12 Nov 25 20:38 UTC] No.45906281[source]
If Google can pay someone to find bugs, they can pay someone to fix them.

Sounds like they'll just throw their employees to work on it rather than monetarily fund it, that way they can aura farm.

199. walletdrainer ◴[12 Nov 25 21:05 UTC] No.45906665{12}[source]
They have not, neither have they indicated that they’re planning to do so.
200. tpmoney ◴[12 Nov 25 23:11 UTC] No.45908225{12}[source]
The clock is always ticking. You have no idea when you find a vulnerability who knows about it or how or whether it is currently being actively exploited. A choice to delay disclosure is a choice to take on the risk that the bug is being actively exploited in order to reduce the gap (and risk in that gap) between public disclosure and remediations being available. But critically, it is a risk that is being forced on the users of the software. They are unable to make an informed decision about accepting the risk because they don't know there is a risk. Public disclosure, sooner rather than later MUST be the goal of all bug reports, no matter how serious and no matter how overworked the maintainers.
201. tpmoney ◴[12 Nov 25 23:13 UTC] No.45908242{12}[source]
> Responsible disclosure policies for contributor-driven projects can differ from commercial projects.

The can, but there's not an obvious reason why they should. If anything, public disclosure timelines for commercial closed source projects should be much much longer than for contributor-driven projects because once a bug is public ANYONE can fix it in the contributor-driven project, where as for a commercial project, you're entirely at the mercy of the commercial entities timelines.

> Also, if Google has the funds to pay for bug finding, they also have the funds for bug fixing the community projects they depend on.

They do. And they do. They literally higher the ffmpeg maintainers via the maintainer's consulting business (fflabs.eu) and they routinely contribute code to the ffmpeg project.