1125 points | CrankyBear | 5 comments
woodruffw | No.45891521
I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.
replies(13): >>45891613 #>>45891749 #>>45891930 #>>45892032 #>>45892263 #>>45892941 #>>45892989 #>>45894805 #>>45896179 #>>45897077 #>>45897316 #>>45898926 #>>45900786 #
samus | No.45897316
So what is Google gonna do if security fixes don't happen in time and the project takes a "reputational hit"? Fork it and maintain it themselves? Why not send in patches instead?

Maintaining a reputation might be enough reward for you, but not everyone is happy to work for free for a billion-dollar corporation breathing down their necks. It's puzzling to me why people keep defending their free lunch.

replies(1): >>45898408 #
surajrmal | No.45898408
If ffmpeg maintainers cannot keep up, downstream customers should know so they can help.
replies(1): >>45898437 #
kierank | No.45898437
FFmpeg is developed almost entirely by volunteers. We have no "customers".
replies(2): >>45899458 #>>45900395 #
seb1204 | No.45899458
Why complain about pressure from customers then?
surajrmal | No.45900395
There are people who use and depend on ffmpeg. Maintainers seem to go out of their way to solve issues these folks face. If you don't care, then ignore the bug reports and force them to solve their own problems by contributing.
replies(2): >>45900426 #>>45901187 #
kierank | No.45900426
Then you and your security friends will create lots of FUD about FFmpeg being "insecure" with lots of red and the word "critical" everywhere.
samus | No.45901187
These people are not customers though. The maintainers do their best, but overall the project seems to be understaffed, so customers (for example Google, as it seems they occasionally chip in) get priority.