1125 points by CrankyBear | 1 comment

vsgherzi (No.45892348)
I understand ffmpeg being angry at the workload, but this is how it is with large open source projects. Ffmpeg has no obligation to fix any of this. Open source is a gift and is provided as is. If Google demanded a fix I could see this being an issue. As it is right now it just seems like a bad look. If they wanted compensation then they should change the model; there's nothing wrong with that. Google found a bug, they reported it. If it's a valid bug then it's a valid bug, end of story. Software owes it to its users to be secure, but again it's up to the maintainers if they also believe that. Maybe this pushes Google to make an alternative, which I'd be excited for.
replies(4): >>45892463 >>45892522 >>45892581 >>45895390

otherme123 (No.45892463)
>Ffmpeg has no obligation to fix any of this

I read this as nobody wants CVEs open on their product, so you might feel forced to fix them. I find it more understandable if we talk about web frameworks: WordPress doesn't want security CVEs open for months or years, or users would be upset that it introduces new features while neglecting safety.

I am a nobody, and whenever I find a bug I work extra to attach a fix in the same issue. Google should do the same.

replies(1): >>45895039

vsgherzi (No.45895039)
Why is there an onus on Google to fix this? Bug bounty hunters aren’t required to submit a patch even when the target is open source.

Now should Google? Probably, it would be nice but no one has to. The gift from Google is the discovery of the bug.