
1125 points CrankyBear | 4 comments
woodruffw No.45891521
I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.
replies(13): >>45891613 #>>45891749 #>>45891930 #>>45892032 #>>45892263 #>>45892941 #>>45892989 #>>45894805 #>>45896179 #>>45897077 #>>45897316 #>>45898926 #>>45900786 #
AbrahamParangi No.45891930
If Google bears no role in fixing the issues it finds and nobody else is being paid to do it either, it functionally is just providing free security vulnerability research for malicious actors because almost nobody can take over or switch off of ffmpeg.
replies(6): >>45892251 #>>45893043 #>>45893172 #>>45896030 #>>45899685 #>>45900110 #
Aurornis No.45896030
This is a weird argument. Basically condoning security through obscurity: If nobody reports the bug then we just pretend it doesn’t exist, right?

There are many groups searching for security vulnerabilities in popular open source software who deliberately do not disclose them. They do this to save them for their own use or even to sell them to bad actors.

It’s starting to feel silly to demonize Google for doing security research at this point.

replies(1): >>45896830 #
KingMob No.45896830
> It’s starting to feel silly to demonize Google for doing security research at this point.

Aren't most people here demonizing Google for dedicating the resources to find bugs, but not to fix them?

replies(1): >>45897529 #
watwut No.45897529
And not giving the maintainers a reasonable amount of time to fix. This was triggered by a recent change of policy on Google's side.
replies(1): >>45898385 #
surajrmal No.45898385
The timeline is industry standard at this point. The point is to make sure folks take security more seriously. If you start deviating from the script, others will expect the same exceptions and it would lose that ability. Sometimes it's good to let something fail loudly to show this is a problem. If ffmpeg doesn't have enough maintainers, then they should fail and let downstream customers know so they have more pressure to contribute resources. Playing superman and trying to prevent them from seeing the problem will just lead to burnout.
replies(1): >>45898760 #
Orygin No.45898760
Is it industry standard to run automatic AI tools and spam the upstream with bug reports? To then expect the bugs to be fixed within 90 days is a bit much.

It's not some lone report of an important bug, it's AI spam that puts forth security issues faster than they have the resources to fix them.

replies(1): >>45899383 #
kllrnohj No.45899383
"AI tools" and "spam" are knee jerk reactions, not an accurate picture of the bug filed: https://issuetracker.google.com/issues/440183164?utm_source=...

Whether or not AI found it, clearly a human refined it and produced a very high quality bug report. There's no AI slop here. No spam.