FFmpeg to Google: Fund us or stop sending bugs

I understand ffmpeg being angry at the workload but this is how it is with large open source projects. Ffmpeg has no obligation to fix any of this. Open source is a gift and is provided as is. If Google demanded a fix I could see this being an issue. As it is right now it just seems like a bad look. If they wanted compensation then they should change the model, there's nothing wrong with that. Google found a bug, they reported it. If it's a valid bug then it's a valid bug end of story. Software owes it to its users to be secure, but again it's up to the maintainers if they also believe that. Maybe this pushes Google to make an alternative, which I'd be excited for.

>Ffmpeg has no obligation to fix any of this

I read this as nobody wants CVEs open on their product, so you might feel forced to fix them. I find it more understandable if we talk about web frameworks: Wordpress don't want security CVEs open for months or years, or users would be upset they introduce new features while neglecting safety.

I am a nobody, and whenever I found a bug I work extra to attach a fix in the same issue. Google should do the same.

> Google found a bug

That does not impact their business or their operations in any way whatsoever.

> If it's a valid bug then it's a valid bug end of story.

This isn't a binary. It's why CVEs have a whole sordid scoring system to go along with them.

> Software owes it to its users to be secure

ffmpeg owes me nothing. I haven't paid them a dime.

> That does not impact their business or their operations in any way whatsoever.

I don't know what tools and backends they use exactly, but working purely by statistics, I'm sure some place in Google's massive cloud compute empire is relying on ffmpeg to process data from the internet.

> ffmpeg owes me nothing. I haven't paid them a dime.

That is true. At the same time Google also does not owe the ffmpeg devs anything either. It applies both ways. The whole "pay us or we won't fix this" makes no sense.

And they're processing old LucasArts codec videos with it? Which is the specific bug report in question.

> Google also does not owe the ffmpeg devs anything either.

Then they can stop reporting bugs with their assinine one size fits all "policy." It's unwelcome and unnecessary.

> It applies both ways.

The difference is I do not presume things upon the ffmpeg developers. I just use their software.

> The whole "pay us or we won't fix this" makes no sense.

Pay us or stop reporting obscure bugs in unused codecs found using "AI" scanning, or at least, if you do, then change your disclosure policy for those "bugs." That's the actual argument and is far more reasonable.

I for one welcome it. I want to know if there are some vulnerabilities in the software I use.

It doesn’t matter if it affects their business or not. They found an issue and they reported it. Ffmpeg could request that they report it privately perhaps. Google has a moral duty to report the bug.

Software should be correct and secure. Of course this can’t always be the case but it’s what we should strive for. I think that’s baseline

Why is there an onus on Google to fix this? Bug bounty hunters aren’t required to submit a patch even when the target is open source.

Now should Google? Probably, it would be nice but no one has to. The gift from Google is the discovery of the bug.

> Software owes it to its users to be secure.

There is no such obligation.

There is no warranty and software is provided AS-IS explicitly by the license.

I disagree, as software engineers we owe it to the craft to create correct software especially when we intend to distribute. Anything less is poor taste.

You bring up licensing. I’m not talking about legally I’m talking about a social contract.

It's unlikely the specific codec that is the issue but the bug report suggests that the code path could be hit by a maliciously crafted payload since ffmpeg does file fuzzing. They almost certainly have ffmpeg stuff that touches user submitted videos.

> Then they can stop reporting bugs with their asinine one size fits all "policy." It's unwelcome and unnecessary.

Right, they should just post the 0days on their blog.

They're probably not manually selecting which codecs and codec parameters to accept and sticking to the default ones instead.

Plus, this bug was reported by AI, so it was as much a proof of concept/experiment/demonstration of their AI security scanner as it was an attempt to help secure ffmpeg

The choice of license is also a a partial descriptor of the social contract. If I wanted to work on it for “customers” I would sell it. I don’t owe you anything otherwise.

The social contract is “here is something I’ve worked on for free, and it is a gift. Take it or leave it.”

You want me to work on something for it? FYPM

For GP's sake, even before you make it to FYPM levels of angry, you will be in over your head. It's too much work. I remember being very early in my career and feeling like GP does. This is very easily more than a full-time job. The demands people will make of you and the attitudes they will use to do it will make you crazy.