1125 points CrankyBear | 3 comments
vsgherzi No.45892348
I understand ffmpeg being angry at the workload, but this is how it is with large open source projects. ffmpeg has no obligation to fix any of this. Open source is a gift and is provided as is. If Google demanded a fix I could see this being an issue. As it is right now it just seems like a bad look. If they wanted compensation then they should change the model; there's nothing wrong with that. Google found a bug, they reported it. If it's a valid bug then it's a valid bug, end of story. Software owes it to its users to be secure, but again it's up to the maintainers if they also believe that. Maybe this pushes Google to make an alternative, which I'd be excited for.
replies(4): >>45892463 >>45892522 >>45892581 >>45895390
themafia No.45892522
> Google found a bug

That does not impact their business or their operations in any way whatsoever.

> If it's a valid bug then it's a valid bug end of story.

This isn't a binary. It's why CVEs have a whole sordid scoring system to go along with them.

> Software owes it to its users to be secure

ffmpeg owes me nothing. I haven't paid them a dime.

replies(3): >>45892654 >>45892702 >>45895021
jeroenhd No.45892654
> That does not impact their business or their operations in any way whatsoever.

I don't know what tools and backends they use exactly, but working purely by statistics, I'm sure some place in Google's massive cloud compute empire is relying on ffmpeg to process data from the internet.

replies(1): >>45892880
1. themafia No.45892880
And they're processing old LucasArts codec videos with it? Which is the specific bug report in question.
replies(2): >>45896141 >>45897582
2. inkysigma No.45896141
It's unlikely that the specific codec is the issue, but the bug report suggests that the code path could be hit by a maliciously crafted payload, since ffmpeg does file fuzzing. They almost certainly have ffmpeg stuff that touches user-submitted videos.
3. jeroenhd No.45897582
They're probably not manually selecting which codecs and codec parameters to accept and sticking to the default ones instead.

Plus, this bug was reported by AI, so it was as much a proof of concept/experiment/demonstration of their AI security scanner as it was an attempt to help secure ffmpeg.