Most active commenters
  • Y-bar(4)

←back to thread

FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)
1125 points CrankyBear | 11 comments | 11 Nov 25 18:32 UTC | HN request time: 0.001s | source | bottom
Show context
pjmlp ◴[11 Nov 25 19:43 UTC] No.45891849[source]
Fully on FFmpeg team side, many companies approach to FOSS is only doing so when it sounds good on their marketing karma, leech otherwise.

Most of them would just pirate in the old days, and most FOSS licences give them clear conscience to behave as always.

replies(2): >>45892276 #>>45892516 #
iscoelho ◴[11 Nov 25 20:39 UTC] No.45892516[source]
Google is, at no cost to FFMPEG:

1) dedicating compute resources to continuously fuzzing the entire project

2) dedicating engineering resources to validating the results and creating accurate and well-informed bug reports (in this case, a seriously underestimated security issue)

3) additionally for codecs that Google likely does not even internally use or compile, purely for the greater good of FFMPEG's user base

Needless to say, while I agree Google has a penny to spare to fund FFMPEG, and should (although they already contribute), I do not agree with funding this maintainer.

replies(3): >>45892589 #>>45892848 #>>45895277 #
pjmlp ◴[11 Nov 25 20:47 UTC] No.45892589[source]
Then they can surely also provide a pull request for said CVE.
replies(2): >>45892622 #>>45893197 #
gnfargbl ◴[11 Nov 25 21:34 UTC] No.45893197[source]
They could, but there is really no requirement on them to do so. The security flaw was discovered by Google, but it was not created by them.

Equally there is no requirement on ffmpeg to fix these CVEs nor any other.

And, of course, there is no requirement on end-users to run software from projects which do not consider untrusted-input-validation bugs to be high priority.

replies(2): >>45893464 #>>45894491 #
1. Y-bar ◴[11 Nov 25 23:48 UTC] No.45894491[source]
> They could, but there is really no requirement on them to do so.

I see this sort of sentiment daily. The sentiment that only what is strictly legal or required is what matters.

Sometimes, you know, you have to recognise that there are social norms and being a good person matters and has intrinsic value. A society only governed by what the written law of the land explicitly states is a dystopia worse than hell.

replies(3): >>45895220 #>>45897112 #>>45898268 #
2. tpmoney ◴[12 Nov 25 01:09 UTC] No.45895220[source]
What's "strictly legal or required" of Google here is absolutely nothing. They didn't have to do any auditing or bug hunting. They certainly didn't have to validate or create a proper bug report, and there's no requirement whatsoever that they tell anyone about it at all. They could have found the bug, found it was being actively exploited, made their own internal patch and sat quietly by while other people remained vulnerable. All of that is well within what is "strictly legal or required".

Google did more than what is "strictly legal or required", and what they did was submit a good and valid bug report. But for some reason we're mad because they didn't do even more. Why? The world is objectively a better place for having this bug report, at least now people know there's something to address.

replies(1): >>45895780 #
3. orangecat ◴[12 Nov 25 02:34 UTC] No.45895780[source]
Google did more than what is "strictly legal or required", and what they did was submit a good and valid bug report. But for some reason we're mad because they didn't do even more. Why?

The Copenhagen Interpetation of Ethics is annoyingly prevalent (https://forum.effectivealtruism.org/posts/QXpxioWSQcNuNnNTy/...)

replies(1): >>45899570 #
4. bfkwlfkjf ◴[12 Nov 25 06:56 UTC] No.45897112[source]
Justice is more than just following laws.
5. gnfargbl ◴[12 Nov 25 09:52 UTC] No.45898268[source]
You're correct, but it's the social norms -- or at least, the norms as I perceive them -- that I am talking about here.

If you find yourself with potentially serious security bugs in your repo, then the social norm should be for you to take ownership of that because, well, it's your repo.

The socially unacceptable activity here should be treating security issues as an irritation, or a problem outside your control. If you're a maintainer, and you find yourself overwhelmed by genuine CVE reports, then it might be worth reflecting on the root cause of that. What ffmpeg did here was to shoot the messenger, which is non-normative.

replies(1): >>45899546 #
6. Y-bar ◴[12 Nov 25 12:53 UTC] No.45899546[source]
It seems to me that they are not treating the security issue as an irritation, but instead the manner at which it was presented to them that is the problem.
replies(1): >>45903964 #
7. Y-bar ◴[12 Nov 25 12:56 UTC] No.45899570{3}[source]
"I noticed your window was broken, so I took the liberty of helping you, working for free, by posting a sign that says UNLOCKED WINDOW HERE with exact details on how it was broken. I did lots of gratis work for you which you do not need to do yourself now. The world is safer now. Why are you not grateful?"
replies(2): >>45899865 #>>45900526 #
8. ◴[12 Nov 25 13:28 UTC] No.45899865{4}[source]
9. tpmoney ◴[12 Nov 25 14:20 UTC] No.45900526{4}[source]
I mean if we’re going to do sloppy analogies, a bug report for open source software as widely used as ffmpeg is more like “I noticed the trees in the back corner of your free apple orchard are producing apples with trace amounts of heavy metals. I did some literal digging and sent some soil off to the labs and it looks like your back corner field may be contaminated. Here’s a heads up about that, and also just FYI in 90 days, if you haven’t been able to get your soil remediated, I’m going to put up a sign so that people can know to avoid those apples and not get poisoned by your free orchard while it’s getting fixed.”
replies(1): >>45900684 #
10. Y-bar ◴[12 Nov 25 14:32 UTC] No.45900684{5}[source]
Yes, this is a good illustration why The Copenhagen Interpretation of Ethics makes sense when Ffmpeg is allowed to criticise the manner of actions of Google.
11. Dylan16807 ◴[12 Nov 25 18:34 UTC] No.45903964{3}[source]
What about the presentation was wrong? What is the correct presentation for a pure bug report?