FFmpeg to Google: Fund us or stop sending bugs

Fully on FFmpeg team side, many companies approach to FOSS is only doing so when it sounds good on their marketing karma, leech otherwise.

Most of them would just pirate in the old days, and most FOSS licences give them clear conscience to behave as always.

Google is, at no cost to FFMPEG:

1) dedicating compute resources to continuously fuzzing the entire project

2) dedicating engineering resources to validating the results and creating accurate and well-informed bug reports (in this case, a seriously underestimated security issue)

3) additionally for codecs that Google likely does not even internally use or compile, purely for the greater good of FFMPEG's user base

Needless to say, while I agree Google has a penny to spare to fund FFMPEG, and should (although they already contribute), I do not agree with funding this maintainer.

Then they can surely also provide a pull request for said CVE.

They could, but there is really no requirement on them to do so. The security flaw was discovered by Google, but it was not created by them.

Equally there is no requirement on ffmpeg to fix these CVEs nor any other.

And, of course, there is no requirement on end-users to run software from projects which do not consider untrusted-input-validation bugs to be high priority.

> They could, but there is really no requirement on them to do so.

I see this sort of sentiment daily. The sentiment that only what is strictly legal or required is what matters.

Sometimes, you know, you have to recognise that there are social norms and being a good person matters and has intrinsic value. A society only governed by what the written law of the land explicitly states is a dystopia worse than hell.