Most active commenters

    ←back to thread

    FFmpeg to Google: Fund us or stop sending bugs

    (thenewstack.io)
    1125 points CrankyBear | 11 comments | 11 Nov 25 18:32 UTC | HN request time: 1.578s | source | bottom
    Show context
    pjmlp ◴[11 Nov 25 19:43 UTC] No.45891849[source]
    Fully on FFmpeg team side, many companies approach to FOSS is only doing so when it sounds good on their marketing karma, leech otherwise.

    Most of them would just pirate in the old days, and most FOSS licences give them clear conscience to behave as always.

    replies(2): >>45892276 #>>45892516 #
    1. PeaceTed ◴[11 Nov 25 20:18 UTC] No.45892276[source]
    This is why many have warned against things like MIT licence. Yes, it gives you source code and does easily get incorporated into a lot of projects but it comes at the cost of potential abuse.

    Yes, GPL 3 is a lot ideologically but it was trying to limit excessive leeching.

    Now that I have opened the flood gates of a 20 year old debate, time to walk away.

    replies(5): >>45892414 #>>45892921 #>>45894895 #>>45895234 #>>45895496 #
    2. esrauch ◴[11 Nov 25 20:29 UTC] No.45892414[source]
    Google Project Zero just looks for security issues in popular open source packages, regardless of if Google itself even uses those packages or not.

    So I'm not sure what GPLv3 really has to do with it in this case, if it under was a "No billion dollar company allowed" non-free-but-source-available license, this same thing would have happened if the project was popular enough for Project Zero to have looked at it for security issues.

    replies(1): >>45892524 #
    3. cestith ◴[11 Nov 25 20:40 UTC] No.45892524[source]
    The difference is that Google does use it, though. They use it heavily. All of us in the video industry do - Google, Amazon, Disney, Sony, Viacom, or whoever. Companies you may have never heard of build it into their solutions that are used by big networks and other streaming services, too.
    replies(1): >>45894464 #
    4. NegativeK ◴[11 Nov 25 21:12 UTC] No.45892921[source]
    AGPL, with no CLA that lets the owners relicense. Then we'll see if the using corporation fully believes in open source.

    There's a reason Google turned into year 2000 Microsoft "it's viral!" re. the AGPL. They're less able to ignore the intent of the license and lock away their changes.

    5. esrauch ◴[11 Nov 25 23:45 UTC] No.45894464{3}[source]
    Right, Google absolutely should fund ffmpeg.

    But opening security issues here is not related to that in any way. It's an obscure file format Google definitely doesn't use, the security issue is irrelevant to Google's usages of it.

    The critique would make sense if Google was asking for ffmpeg to implement something that Google wanted, instead of sending a patch. But they don't actually care about this one, they aren't actually asking for them to fix it for their benefit, they are sending a notice of a security issue that only affects people who are not Google to ffmpeg.

    replies(2): >>45897070 #>>45900476 #
    6. bigstrat2003 ◴[12 Nov 25 00:34 UTC] No.45894895[source]
    There is nothing whatsoever that the GPL would do to change this situation. Bringing up the permissive license debate is a non-sequitur here.
    7. EasyMark ◴[12 Nov 25 01:11 UTC] No.45895234[source]
    What in GPL3 or MIT mandates that Google fix this bug and submit a PR or simply sends a bug report and walks away? I don't see how this applies at all.
    8. tpmoney ◴[12 Nov 25 01:52 UTC] No.45895496[source]
    ffmpeg is already LGPL / GPLv2. How does the license choice factor into this at all?
    9. robocat ◴[12 Nov 25 06:46 UTC] No.45897070{4}[source]
    Google absolutely does fund ffmpeg via SPI.

    "and Google provided substantial donations to SPI's general fund".

    The amounts don't appear to be public (and what is enough!?)

    10. cestith ◴[12 Nov 25 14:16 UTC] No.45900476{4}[source]
    Opening a security issue is not the problem. A public disclosure so soon when there are so many machine-assisted reports for such obscure issues is the problem.

    If Google wants to force a faster turnaround on the fixes, they can send the reports with patches or they can pay for prioritization.

    replies(1): >>45901565 #
    11. jsnell ◴[12 Nov 25 15:44 UTC] No.45901565{5}[source]
    Three months is "soon"? What do you think is reasonable?

    And like so many posters in this thread, you seem to be under the impression that Google needed this fixed at some specific timeline. In reality the fix timeline, or even a total lack of a fix, makes no impact to them. They almost certainly already disable these kinds of codecs in their build. They reported this for the good of the ecosystem and the millions of users who were vulnerable.