
1124 points CrankyBear | 1 comments
ganelonhb ◴[] No.45891485[source]
Not too fond of maintainers getting too uppity about this stuff. I get that it can be frustrating to receive bug report after bug report from people who are unwilling or unable to contribute to the code base, or at the very least to donate to the team.

But the way I see it, a bug report is a bug report; no matter how small or big the bug or the team, it should be addressed.

I don’t know, I’m not exactly a pillar of the FOSS community with weight behind my words.

replies(4): >>45891536 #>>45891550 #>>45891599 #>>45900858 #
MyOutfitIsVague ◴[] No.45891599[source]
When you already work 40+ hours a week and big companies suddenly start an AI snowblower that shoots a dozen extra hours of work every week at you without doing anything to balance that (like, for instance, also opening PRs with patches that fix the bugs), the relationship starts feeling like being an unpaid employee of their project.

What's the point of just showering these things with bug reports when the same tool (or a similar one) can also apparently fix the problem too?

replies(1): >>45894427 #
astrange ◴[] No.45894427[source]
The problem with security reports in general is security people are rampant self-promoters. (Linus once called them something worse.)

Imagine you're a humble volunteer OSS developer. If a security researcher finds a bug in your code they're going to make up a cute name for it, start a website with a logo, Google is going to give them a million dollar bounty, they're going to go to Defcon and get a prize and I assume go to some kind of secret security people orgy where everyone is dressed like they're in The Matrix.

Nobody is going to do any of this for you when you fix it.

replies(2): >>45894698 #>>45895688 #
1. ◴[] No.45895688[source]