(thenewstack.io)

1125 points CrankyBear | 1 comments | 11 Nov 25 18:32 UTC | HN request time: 0.207s | source

Show context

woodruffw ◴[11 Nov 25 19:16 UTC] No.45891521[source]▶

I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.

replies(13): >>45891613 #>>45891749 #>>45891930 #>>45892032 #>>45892263 #>>45892941 #>>45892989 #>>45894805 #>>45896179 #>>45897077 #>>45897316 #>>45898926 #>>45900786 #

Msurrow ◴[11 Nov 25 19:22 UTC] No.45891613[source]▶

>>45891521 #

My takeaway from the article was not that the report was a problem, but a change in approach from Google that they’d disclose publicly after X days, regardless of if the project had a chance to fix it.

To me its okay to “demand” from a for profit company (eg google) to fix an issue fast. Because they have ressources. But to “demand” that an oss project fix something with a certain (possibly tight) timeframe.. well I’m sure you better than me, that that’s not who volunteering works

replies(5): >>45891699 #>>45891755 #>>45891844 #>>45893088 #>>45898343 #

1. Too ◴[11 Nov 25 21:24 UTC] No.45893088[source]▶

>>45891613 #

Nobody is demanding anything. Google is just disclosing issues.

This opens up transparency of ffmpeg’s security posture, giving others the chance to fix it themselves, isolate where it’s run or build on entirely new foundations.

All this assuming the reports are in fact pointing to true security issues. Not talking about AI-slop reports.

↑

FFmpeg to Google: Fund us or stop sending bugs