
1124 points, CrankyBear | 1 comment
JamesBarney No.45891454
I get the idea of publicly disclosing security issues to large, well-funded companies that need to be incentivized to fix them. But I think open source has a good argument that, in terms of risk-reward tradeoff, publicly disclosing these for small, resource-constrained open source projects probably creates a lot more risk than reward.
replies(5): >>45891546 >>45891615 >>45892029 >>45892122 >>45898765
Msurrow No.45891546
In addition to your point, it seems obvious that the disclosure policy for FOSS should be "when a patch is available" and not a static X days. The security issue should certainly be disclosed - when it's responsible to do so.

Now, if Google or whoever really feels like fixing fast is so important, then they could very well contribute by submitting a patch along with their issue report.

Then everybody wins.

replies(3): >>45891625 >>45891932 >>45895660
derf_ No.45891932
> ...then they could very well contribute by submitting a patch along with their issue report.

I don't want to discourage anyone from submitting patches, but that does not necessarily remove all (or even the bulk of) the work from the maintainers. As someone who has received numerous patches to multimedia libraries from security researchers, they still need review, they often have to be rewritten, and most importantly, the issue must be understood by someone with the appropriate domain knowledge and context to know if the patch merely papers over the symptoms or resolves the underlying issue, whether the solution breaks anything else, and whether or not there might be more, similar issues lurking. It is hard for someone not deeply involved in the project to do all of those things.