1124 points CrankyBear | 1 comments
ChrisMarshallNY No.45892464
Looks like this was a security issue.

I don't consider a security issue to be a "standard bug." I need to look at it, and [maybe] fix it, regardless of who reported it.

But in my projects, I have gotten requests (sometimes, demands) that I change things like the published API (a general-purpose API), to optimize some niche functionality for one user.

I'll usually politely decline these, and respond with an explanation as to why, along with suggestions for them to add it, after the fact.

replies(1): >>45892555 #
cestith No.45892555
It’s a security issue for a stream type almost nobody uses. It’s a little like saying your graphics program in 2025 is exploitable by a malformed PCX file, or your music player has a security bug only when playing an Impulse Tracker module.

Sure, triage it. It shouldn’t be publicly disclosed within a week of the report though, because the fix is still a relatively low priority.

replies(2): >>45892639 #>>45893307 #
gowld No.45893307
If no one uses the stream type, then not fixing the bug won't hurt.

The people who do use the stream type are at risk, and have been at risk all along. They need to stop using the stream type, or get the bug fixed, or triage the bug as not exploitable.