1124 points CrankyBear | 11 comments
woodruffw No.45891521
I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.
replies(13): >>45891613 #>>45891749 #>>45891930 #>>45892032 #>>45892263 #>>45892941 #>>45892989 #>>45894805 #>>45896179 #>>45897077 #>>45897316 #>>45898926 #>>45900786 #
Msurrow No.45891613
My takeaway from the article was not that the report was a problem, but a change in approach from Google that they’d disclose publicly after X days, regardless of whether the project had a chance to fix it.

To me it’s okay to “demand” from a for-profit company (e.g. Google) to fix an issue fast, because they have resources. But to “demand” that an OSS project fix something within a certain (possibly tight) timeframe... well, I’m sure you know better than me that that’s not how volunteering works.

replies(5): >>45891699 #>>45891755 #>>45891844 #>>45893088 #>>45898343 #
jsnell No.45891844
> My takeaway from the article was not that the report was a problem, but a change in approach from Google that they’d disclose publicly after X days, regardless of whether the project had a chance to fix it.

That is not an accurate description? Project Zero was using a 90 day disclosure policy from the start, so for over a decade.

What changed[0] in 2025 is that they disclose earlier than 90 days that there is an issue, but not what the issue is. And actually, from [1] it does not look like that trial policy was applied to ffmpeg.

> To me it’s okay to “demand” from a for-profit company (e.g. Google) to fix an issue fast, because they have resources. But to “demand” that an OSS project fix something within a certain (possibly tight) timeframe... well, I’m sure you know better than me that that’s not how volunteering works.

You clearly know that no actual demands or even requests for a fix were made, hence the scare quotes. But given you know it, why call it a "demand"?

[0] https://googleprojectzero.blogspot.com/2025/07/reporting-tra..., discussed at https://news.ycombinator.com/item?id=44724287

[1] https://googleprojectzero.blogspot.com/p/reporting-transpare...

replies(3): >>45892863 #>>45893014 #>>45894463 #
HDThoreaun No.45894463
Publishing the vulnerability is a demand to fix it. It threatens to cause harm to the reputation of the maintainer if left unfixed.
replies(1): >>45894785 #
ikiris No.45894785
No, publishing the vulnerability is the right thing to do for a secure world, because anyone can find this stuff, including nation states that weaponize it. This is a public service. Giving the dev a 90-day pre-warning is a courtesy.

Expecting a reporter to fix your security vulnerabilities for you is entitlement.

If your reputation is harmed by your vulnerable software, then fix the bugs. They didn’t create the hazard, they discovered it. You created it, and acting like you’re entitled to the free labor of those that gave you the heads up is insane, and trying to extort them for their labor is even worse.

replies(1): >>45895156 #
1. HDThoreaun No.45895156{3}
This is all true (maybe not the extortion being worse, hard to say), but it doesn’t change the fact that publishing the CVE is a demand to fix it.
replies(3): >>45895837 #>>45896003 #>>45898211 #
2. saagarjha No.45895837
No, it is a request to fix it. How the maintainer feels about it is up to them.
replies(1): >>45896089 #
3. ikiris No.45896003
No, it is a notice to others that your software as-is is insecure in some way. The pre-notice is again a courtesy if you want to fix it.

What you do with the notice as a dev is up to you, but responsible ones would fix it without throwing a tantrum.

Devs need to stop thinking of themselves as the main character and things get a lot more reasonable.

4. HDThoreaun No.45896089
A request to fix it would be privately telling the maintainers about the issue. Publicly releasing it is a demand.
replies(1): >>45896476 #
5. saagarjha No.45896476{3}
This is not how filing issues against open source software works.
replies(1): >>45896732 #
6. HDThoreaun No.45896732{4}
You don’t get to decide that lmao. Telling everyone this project doesn’t care about security if they ignore my CVE is obviously a demand, and your traditions cannot change that.
replies(2): >>45898344 #>>45898428 #
7. walletdrainer No.45898211
CVE != vulnerability

These two terms are not interchangeable.

Most vulnerabilities never have CVEs issued.

8. Dylan16807 No.45898344{5}
> Telling everyone this project doesn’t care about security

Google did nothing like this.

If people infer that a hypothetical project doesn't care about security because they didn't fix anything, then they're right. It's not Google's fault they're factually bad at security. Making someone look bad is not always a bad action.

Drawing attention to that decision by publicly reporting a bug is not a demand for what the decision will be. I could imagine malicious attention-getting but a bug report isn't it.

replies(1): >>45903096 #
9. saagarjha No.45898428{5}
If the FFmpeg team does not want people to file bug reports, then they should close their public issue tracker. This is not something that I decided but a choice that they made.
10. HDThoreaun No.45903096{6}
Bullshit. That is exactly what google is doing. Demands aren’t necessarily malicious, but they’re certainly annoying for the person being demanded.
replies(1): >>45903788 #
11. Dylan16807 No.45903788{7}
If merely publishing a bug they found, and doing nothing else, would qualify by your definition as "telling everyone this project doesn't care about security", then there is absolutely nothing wrong with doing that "telling".