
1124 points CrankyBear | 1 comments
halapro ◴[] No.45897162[source]
So what if ffmpeg has open CVEs? What is Google going to do? Swap it? Leave them open, let Google ship products with CVE'd dependencies, and then they'll be forced to act.

Why would Google act if they got smart guys working for them for free? Stop fixing Google-reported bugs.

replies(1): >>45897445 #
1. magicalhippo ◴[] No.45897445[source]
> So what if ffmpeg has open CVEs?

Part of the issue is that FFmpeg is almost a meta-project. It contains so many possible optional dependencies. Which is great for features, not so great if you quickly want to know if you're exposed to the latest CVE.