FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)

1125 points CrankyBear | 4 comments | 11 Nov 25 18:32 UTC | HN request time: 0.001s | source

Show context

pjmlp ◴[11 Nov 25 19:43 UTC] No.45891849[source]▶

Fully on FFmpeg team side, many companies approach to FOSS is only doing so when it sounds good on their marketing karma, leech otherwise.

Most of them would just pirate in the old days, and most FOSS licences give them clear conscience to behave as always.

replies(2): >>45892276 #>>45892516 #

iscoelho ◴[11 Nov 25 20:39 UTC] No.45892516[source]▶

>>45891849 #

Google is, at no cost to FFMPEG:

1) dedicating compute resources to continuously fuzzing the entire project

2) dedicating engineering resources to validating the results and creating accurate and well-informed bug reports (in this case, a seriously underestimated security issue)

3) additionally for codecs that Google likely does not even internally use or compile, purely for the greater good of FFMPEG's user base

Needless to say, while I agree Google has a penny to spare to fund FFMPEG, and should (although they already contribute), I do not agree with funding this maintainer.

replies(3): >>45892589 #>>45892848 #>>45895277 #

1. FridgeSeal ◴[11 Nov 25 21:06 UTC] No.45892848[source]▶

>>45892516 #

Google is:

- choosing to do this of their own volition

- are effectively just using their resources to throw bug reports over the wall unprompted.

- benefiting from the bugs getting fixed, but not contributing to them.

replies(3): >>45893888 #>>45895430 #>>45896037 #

2. toast0 ◴[11 Nov 25 22:41 UTC] No.45893888[source]▶

>>45892848 (TP) #

> - benefiting from the bugs getting fixed, but not contributing to them.

I would be very surprised if Google builds this codec when they build ffmpeg. If you run a/v codecs (like ffmpeg) in bulk, the first thing to do is sandbox the hell out of it. The second thing you do is strictly limit the containers and codecs you'll decode. Not very many people need to decode movies from old LucasArts games, for video codecs, you probably only want mpeg 1-4, h.26x, vp8, vp9, av1. And you'll want to have fuzzed those decoders as best you can too.

Nobody should be surprised that there's a security problem in this ancient decoder. Many of the eclectic codecs were written to mimic how the decoders that shipped with content were written, and most of those codecs were written assuming they were decoding a known good file, because why wouldn't they be. There's no shame, that's just how it is... there's too much to proactively investigate, so someone doing fuzzing and writing excellent reports that include diagnosis, specific location of the errors, and a way to reproduce are providing a valuable contribution.

Could they contribute more? Sure. But even if they don't, they've contributed something of value. If the maintainers can't or don't want to address it, that'd be reasonable too.

3. iscoelho ◴[12 Nov 25 01:41 UTC] No.45895430[source]▶

>>45892848 (TP) #

Google is a contributor to FFMPEG.

4. rossjudson ◴[12 Nov 25 03:16 UTC] No.45896037[source]▶

>>45892848 (TP) #

FFmpeg and a thousand fixes:

https://j00ru.vexillium.org/2014/01/ffmpeg-and-the-tale-of-a...

"While reading about the 4xm demuxer vulnerability, we thought that we could help FFmpeg eliminate many potential low-hanging problems from the code by making use of the Google fleet and fuzzing infrastructure we already had in place"

↑