FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)

1125 points CrankyBear | 2 comments | 11 Nov 25 18:32 UTC | HN request time: 0s | source

Show context

woodruffw ◴[11 Nov 25 19:16 UTC] No.45891521[source]▶

I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.

replies(13): >>45891613 #>>45891749 #>>45891930 #>>45892032 #>>45892263 #>>45892941 #>>45892989 #>>45894805 #>>45896179 #>>45897077 #>>45897316 #>>45898926 #>>45900786 #

Msurrow ◴[11 Nov 25 19:22 UTC] No.45891613[source]▶

>>45891521 #

My takeaway from the article was not that the report was a problem, but a change in approach from Google that they’d disclose publicly after X days, regardless of if the project had a chance to fix it.

To me its okay to “demand” from a for profit company (eg google) to fix an issue fast. Because they have ressources. But to “demand” that an oss project fix something with a certain (possibly tight) timeframe.. well I’m sure you better than me, that that’s not who volunteering works

replies(5): >>45891699 #>>45891755 #>>45891844 #>>45893088 #>>45898343 #

jsnell ◴[11 Nov 25 19:42 UTC] No.45891844[source]▶

>>45891613 #

> My takeaway from the article was not that the report was a problem, but a change in approach from Google that they’d disclose publicly after X days, regardless of if the project had a chance to fix it.

That is not an accurate description? Project Zero was using a 90 day disclosure policy from the start, so for over a decade.

What changed[0] in 2025 is that they disclose earlier than 90 days that there is an issue, but not what the issue is. And actually, from [1] it does not look like that trial policy was applied to ffmpeg.

> To me its okay to “demand” from a for profit company (eg google) to fix an issue fast. Because they have ressources. But to “demand” that an oss project fix something with a certain (possibly tight) timeframe.. well I’m sure you better than me, that that’s not who volunteering works

You clearly know that no actual demands or even requests for a fix were made, hence the scare quotes. But given you know it, why call it a "demand"?

[0] https://googleprojectzero.blogspot.com/2025/07/reporting-tra..., discussed at https://news.ycombinator.com/item?id=44724287

[1] https://googleprojectzero.blogspot.com/p/reporting-transpare...

replies(3): >>45892863 #>>45893014 #>>45894463 #

1. joemi ◴[11 Nov 25 21:07 UTC] No.45892863{3}[source]▶

>>45891844 #

The fact that details of the issue _will_ be disclosed publicly is an implicit threat. Sure it's not an explicit threat, but it's definitely an implicit threat. So the demand, too, is implicit: fix this before we disclose publicly, or else your vulnerability will be public knowledge.

replies(1): >>45895826 #

2. saagarjha ◴[12 Nov 25 02:40 UTC] No.45895826[source]▶

>>45892863 (TP) #

You should not be threatened by the fact that your software has security holes in it being made public knowledge. If you are, then your goals are fundamentally misaligned with making secure software.

↑