←back to thread

FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)
1124 points CrankyBear | 1 comments | 11 Nov 25 18:32 UTC | HN request time: 0s | source
Show context
JamesBarney ◴[11 Nov 25 19:11 UTC] No.45891454[source]
I get the idea of publicly disclosing security issues to large well funded companies that need to be incentivized to fix them. But I think open source has a good argument that in terms of risk reward tradeoff, publicly disclosing these for small resource constrained open source project probably creates a lot more risk than reward.
replies(5): >>45891546 #>>45891615 #>>45892029 #>>45892122 #>>45898765 #
Msurrow ◴[11 Nov 25 19:17 UTC] No.45891546[source]
In addition to your point, it seems obvious that disclosure policy for FOSS should be “when patch available” and not static X days. The security issue should certainly be disclosed - when its responsible to do so.

Now, if Google or whoever really feels like fixing fast is so important, then they could very well contribute by submitting a patch along with their issue report.

Then everybody wins.

replies(3): >>45891625 #>>45891932 #>>45895660 #
danlitt ◴[11 Nov 25 19:22 UTC] No.45891625[source]
> it seems obvious that disclosure policy for FOSS should be “when patch available” and not static X days

This is very far from obvious. If google doesn't feel like prioritising a critical issue, it remains irresponsible not to warn other users of the same library.

replies(3): >>45891667 #>>45891696 #>>45892044 #
Msurrow ◴[11 Nov 25 19:25 UTC] No.45891667[source]
If that’s the case why give the OSS project any time to fix at all before public disclosure? They should just publish immediately, no? Warn other users asap.
replies(3): >>45892856 #>>45894143 #>>45895946 #
1. saagarjha ◴[12 Nov 25 02:59 UTC] No.45895946[source]
Because it gives maintainers a chance to fix the issue, which they’ll do if they feel it is a priority. Google does not decide your priorities for you, they just give you an option to make their report a priority if you so choose.