Most active commenters
  • HDThoreaun(5)
  • necovek(4)
  • saagarjha(4)
  • tpmoney(3)

←back to thread

FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)
1124 points CrankyBear | 24 comments | 11 Nov 25 18:32 UTC | HN request time: 3.45s | source | bottom
Show context
woodruffw ◴[11 Nov 25 19:16 UTC] No.45891521[source]
I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.
replies(13): >>45891613 #>>45891749 #>>45891930 #>>45892032 #>>45892263 #>>45892941 #>>45892989 #>>45894805 #>>45896179 #>>45897077 #>>45897316 #>>45898926 #>>45900786 #
Msurrow ◴[11 Nov 25 19:22 UTC] No.45891613[source]
My takeaway from the article was not that the report was a problem, but a change in approach from Google that they’d disclose publicly after X days, regardless of if the project had a chance to fix it.

To me its okay to “demand” from a for profit company (eg google) to fix an issue fast. Because they have ressources. But to “demand” that an oss project fix something with a certain (possibly tight) timeframe.. well I’m sure you better than me, that that’s not who volunteering works

replies(5): >>45891699 #>>45891755 #>>45891844 #>>45893088 #>>45898343 #
1. jsnell ◴[11 Nov 25 19:42 UTC] No.45891844[source]
> My takeaway from the article was not that the report was a problem, but a change in approach from Google that they’d disclose publicly after X days, regardless of if the project had a chance to fix it.

That is not an accurate description? Project Zero was using a 90 day disclosure policy from the start, so for over a decade.

What changed[0] in 2025 is that they disclose earlier than 90 days that there is an issue, but not what the issue is. And actually, from [1] it does not look like that trial policy was applied to ffmpeg.

> To me its okay to “demand” from a for profit company (eg google) to fix an issue fast. Because they have ressources. But to “demand” that an oss project fix something with a certain (possibly tight) timeframe.. well I’m sure you better than me, that that’s not who volunteering works

You clearly know that no actual demands or even requests for a fix were made, hence the scare quotes. But given you know it, why call it a "demand"?

[0] https://googleprojectzero.blogspot.com/2025/07/reporting-tra..., discussed at https://news.ycombinator.com/item?id=44724287

[1] https://googleprojectzero.blogspot.com/p/reporting-transpare...

replies(3): >>45892863 #>>45893014 #>>45894463 #
2. joemi ◴[11 Nov 25 21:07 UTC] No.45892863[source]
The fact that details of the issue _will_ be disclosed publicly is an implicit threat. Sure it's not an explicit threat, but it's definitely an implicit threat. So the demand, too, is implicit: fix this before we disclose publicly, or else your vulnerability will be public knowledge.
replies(1): >>45895826 #
3. necovek ◴[11 Nov 25 21:19 UTC] No.45893014[source]
When you publicize a vulnerability you know someone doesn't have the capacity to fix according to the requested timeline, you are simultaneously increasing the visibility of the vulnerability and name-calling the maintainers. All of this increases the pressure on the maintainers, and it's fair to call that a "demand" (quotes-included). Note that we are talking about humans who will only have their motivation dwindle: it's easy to say that they should be thick-skinned and ignore issues they can't objectively fix in a timely manner, but it's demoralizing to be called out like that when everyone knows you can't do it, and you are generally doing your best.

It's similar to someone cooking a meal for you, and you go on and complain about every little thing that could have been better instead of at least saying "thank you"!

Here, Google is doing the responsible work of reporting vulnerabilities. But any company productizing ffmpeg usage (Google included) should sponsor a security team to resolve issues in high profile projects like these too.

Sure, the problem is that Google is a behemoth and their internal org structure does not cater to this scenario, but this is what the complaint is about: make your internal teams do the right thing by both reporting, but also helping fix the issue with hands-on work. Who'd argue against halving their vulnerability finding budget and using the other half to fund a security team that fixes highest priority vulnerabilities instead?

replies(2): >>45893352 #>>45895431 #
4. jsnell ◴[11 Nov 25 21:49 UTC] No.45893352[source]
> When you publicize a vulnerability you know someone doesn't have the capacity to fix according to the requested timeline

My understanding is that the bug in question was fixed about 100 times faster than Project Zero's standard disclosure timeline. I don't know what vulnerability report your scenario is referring to, but it certainly is not this one.

> and name-calling the maintainers

Except Google did not "name-call the maintainers" or anything even remotely resembling that. You just made it up, just like GP made up the the "demands". It's pretty telling that all these supposed misdeeds are just total fabrications.

replies(1): >>45896773 #
5. HDThoreaun ◴[11 Nov 25 23:45 UTC] No.45894463[source]
Publishing the vulnerability is a demand to fix it. It threatens to cause harm to the reputation of the maintainer if left unfixed.
replies(1): >>45894785 #
6. ikiris ◴[12 Nov 25 00:22 UTC] No.45894785[source]
No, publishing the vulnerability is the right thing to do for a secure world because anyone can find this stuff including nation states that weaponize it. This is a public service. Giving the dev a 90 day pre warn is a courtesy.

Expecting a reporter to fix your security vulnerabilities for you is entitlement.

If your reputation is harmed by your vulnerable software, then fix the bugs. They didn’t create the hazzard they discovered it. You created it, and acting like you’re entitled to the free labor of those that gave you the heads up is insane, and trying to extort them for their labor is even worse.

replies(1): >>45895156 #
7. HDThoreaun ◴[12 Nov 25 01:01 UTC] No.45895156{3}[source]
This is all true(maybe not the extortion being worse hard to say), but it doesnt change the fact that publishing the CVE is a demand to fix it.
replies(3): >>45895837 #>>45896003 #>>45898211 #
8. tpmoney ◴[12 Nov 25 01:41 UTC] No.45895431[source]
> When you publicize a vulnerability you know someone doesn't have the capacity to fix according to the requested timeline, you are simultaneously increasing the visibility of the vulnerability and name-calling the maintainers.

So how long should all bug reporters wait before filing public bugs against open source projects? What about closed source projects? Anyone who works in software knows to ship software is to always have way more things to do than time to do it in. By this logic, we should never make bug reports public until the software maintainers (whether OSS, Apple or Microsoft) has a fix ready. Instead of "with enough eyeballs, all bugs are shallow" the new policy going forward I guess will be "with enough blindfolds, all bugs are low priority".

replies(1): >>45896789 #
9. saagarjha ◴[12 Nov 25 02:40 UTC] No.45895826[source]
You should not be threatened by the fact that your software has security holes in it being made public knowledge. If you are, then your goals are fundamentally misaligned with making secure software.
10. saagarjha ◴[12 Nov 25 02:41 UTC] No.45895837{4}[source]
No, it is a request to fix it. How the maintainer feels about it is up to them.
replies(1): >>45896089 #
11. ikiris ◴[12 Nov 25 03:07 UTC] No.45896003{4}[source]
No, it is a notice to others that your software as-is is insecure in some way. The pre notice is again a courtesy if you want to fix it.

What you do with the notice as a dev is up to you, but responsible ones would fix it without throwing a tantrum.

Devs need to stop thinking of themselves as the main character and things get a lot more reasonable.

12. HDThoreaun ◴[12 Nov 25 03:25 UTC] No.45896089{5}[source]
A request to fix it would be privately telling the maintainers about the issue. Publicly releasing it is a demand.
replies(1): >>45896476 #
13. saagarjha ◴[12 Nov 25 04:51 UTC] No.45896476{6}[source]
This is not how filing issues against open source software works.
replies(1): >>45896732 #
14. HDThoreaun ◴[12 Nov 25 05:43 UTC] No.45896732{7}[source]
You dont get to decide that lmao. Telling everyone this project doesnt care about security if they ignore my CVE is obviously a demand and your traditions can not change that
replies(2): >>45898344 #>>45898428 #
15. necovek ◴[12 Nov 25 05:52 UTC] No.45896773{3}[source]
"When you publicize... you are ... name-calling": you are taking partial quotes out of context, where I claimed that publicizing is effectively doing something else.
16. necovek ◴[12 Nov 25 05:55 UTC] No.45896789{3}[source]
It's funny you come up with that suggestion when I clearly offer a different solution: "make your internal teams do the right thing by both reporting, but also helping fix the issue with hands-on work".

It's a call not to stop reporting, but to equally invest in fixing these.

replies(1): >>45897163 #
17. tpmoney ◴[12 Nov 25 07:06 UTC] No.45897163{4}[source]
Hands on work like filing a detailed bug report with suspected line numbers, reproduction code and likely causes? Look, I get it. It would be nice if Google had filed a patch with the bug. But also not every bug report is going to get a patch with it, nor should that be the sort of expectation we have. It's hard enough getting corporations to contribute time and resources to open source projects as it is, to set an expectation that the only acceptable corporate contribution to open source is full patches for any bug reports is just going to make it that much harder to get anything out of them.

In the end, Google does submit patches and code to ffmpeg, they also buy consulting from the ffmpeg maintainers. And here they did some security testing and filed a detailed and useful bug report. But because they didn't file a patch with the bug report, we're dragging them through the mud. And for what? When another corporation looks at what Google does do, and what the response this bug report has gotten them, which do you think is the most likely lesson learned?

1) "We should invest equally in reporting and patching bugs in our open source dependencies"

2) "We should shut the hell up and shouldn't tell anyone else about bugs and vulnerabilities we discover, because even if you regularly contribute patches and money to the project, that won't be good enough. Our name and reputation will get dragged for having the audacity to file a detailed bug report without also filing a patch."

replies(1): >>45899470 #
18. walletdrainer ◴[12 Nov 25 09:42 UTC] No.45898211{4}[source]
CVE!=vulnerability

These two terms are not interchangeable.

Most vulnerabilities never have CVEs issued.

19. Dylan16807 ◴[12 Nov 25 10:04 UTC] No.45898344{8}[source]
> Telling everyone this project doesnt care about security

Google did nothing like this.

If people infer that a hypothetical project doesn't care about security because they didn't fix anything, then they're right. It's not google's fault they're factually bad at security. Making someone look bad is not always a bad action.

Drawing attention to that decision by publicly reporting a bug is not a demand for what the decision will be. I could imagine malicious attention-getting but a bug report isn't it.

replies(1): >>45903096 #
20. saagarjha ◴[12 Nov 25 10:15 UTC] No.45898428{8}[source]
If the FFmpeg team does not want people to file bug reports, then they should close their public issue tracker. This is not something that I decided but a choice that they made.
21. necovek ◴[12 Nov 25 12:45 UTC] No.45899470{5}[source]
And if they choose 2), would they stop to consider what happens if everybody does that? What's their fallback plan once maintainers dump the project?

All I am saying is that you should be as mindful to open source maintainers as you are to the people at companies.

replies(1): >>45900438 #
22. tpmoney ◴[12 Nov 25 14:13 UTC] No.45900438{6}[source]
> would they stop to consider what happens if everybody does that?

It’s almost almost like bitching about the “free labor” open source projects are getting from their users, especially when that labor is of good quality and comes from a user that is actively contributing both code and money to the project is a losing strategy for open source fans and maintainers.

> All I am saying is that you should be as mindful to open source maintainers as you are to the people at companies.

And all I’m saying is there is nothing that’s “un-mindful” about reporting real bugs to an open source project, whether that report is public or not. And especially when that report is well crafted and actionable. If this report were for something that wasn’t a bug, is this report was a low quality “foo is broke, plz to fix” report with no actionable information, or if the report actually came with demands for responses and commitment timelines, then it would be a different matter. But ffmpeg runs a public bug tracker. To say then that making public bug reports is somehow disrespectful of the maintainers is ridiculous.

23. HDThoreaun ◴[12 Nov 25 17:38 UTC] No.45903096{9}[source]
Bullshit. That is exactly what google is doing. Demands aren’t necessarily malicious, but they’re certainly annoying for the person being demanded.
replies(1): >>45903788 #
24. Dylan16807 ◴[12 Nov 25 18:23 UTC] No.45903788{10}[source]
If merely publishing a bug they found, and doing nothing else, would qualify by your definition as "telling everyone this project doesn't care about security", then there is absolutely nothing wrong with doing that "telling".