←back to thread

FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)
1124 points CrankyBear | 1 comments | 11 Nov 25 18:32 UTC | HN request time: 0.001s | source
Show context
pjmlp ◴[11 Nov 25 19:43 UTC] No.45891849[source]
Fully on FFmpeg team side, many companies approach to FOSS is only doing so when it sounds good on their marketing karma, leech otherwise.

Most of them would just pirate in the old days, and most FOSS licences give them clear conscience to behave as always.

replies(2): >>45892276 #>>45892516 #
iscoelho ◴[11 Nov 25 20:39 UTC] No.45892516[source]
Google is, at no cost to FFMPEG:

1) dedicating compute resources to continuously fuzzing the entire project

2) dedicating engineering resources to validating the results and creating accurate and well-informed bug reports (in this case, a seriously underestimated security issue)

3) additionally for codecs that Google likely does not even internally use or compile, purely for the greater good of FFMPEG's user base

Needless to say, while I agree Google has a penny to spare to fund FFMPEG, and should (although they already contribute), I do not agree with funding this maintainer.

replies(3): >>45892589 #>>45892848 #>>45895277 #
pjmlp ◴[11 Nov 25 20:47 UTC] No.45892589[source]
Then they can surely also provide a pull request for said CVE.
replies(2): >>45892622 #>>45893197 #
SR2Z ◴[11 Nov 25 20:48 UTC] No.45892622[source]
Where do you draw the line? Do you want Google to just not inspect any projects that it can't fully commit to maintaining?

Providing a real CVE is a contribution, not a burden. The ffmpeg folks can ignore it, since by all indications it's pretty minor.

replies(4): >>45892822 #>>45892859 #>>45893344 #>>45893509 #
ahepp ◴[11 Nov 25 21:48 UTC] No.45893344[source]
What is the mission of Project Zero? Is it to build a vulnerability database, or is it to fix vulnerabilities?

If it's to fix vulnerabilities, it seems within reason to expect a patch. If the reason Google isn't sending a patch is because they truly think the maintainers can fix it better, then that seems fair. But if Google isn't sending a patch because fixing vulns "doesn't scale" then that's some pretty weak sauce.

Maybe part of the solution is creating a separate low priority queue for bug reports from groups that could fix it but chose not to.

replies(4): >>45893580 #>>45893694 #>>45895896 #>>45895942 #
f33d5173 ◴[11 Nov 25 22:21 UTC] No.45893694[source]
If you are deliberately shipping insecure software, you should stop doing that. In ffmpeg's case, that means either patching the bug, or disabling the codec. They refused to do the latter because they were proud of being able to support an obscure codec. That puts the onus on them to fix the bug in it.
replies(3): >>45894826 #>>45894948 #>>45895125 #
1. javier2 ◴[12 Nov 25 00:58 UTC] No.45895125[source]
Nah, ffmpeg volunteers dont owe you or Google anything. They are giving you free access to their open project.