←back to thread

FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)
1124 points CrankyBear | 1 comments | 11 Nov 25 18:32 UTC | HN request time: 0.218s | source
Show context
woodruffw ◴[11 Nov 25 19:16 UTC] No.45891521[source]
I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.
replies(13): >>45891613 #>>45891749 #>>45891930 #>>45892032 #>>45892263 #>>45892941 #>>45892989 #>>45894805 #>>45896179 #>>45897077 #>>45897316 #>>45898926 #>>45900786 #
ryandrake ◴[11 Nov 25 19:58 UTC] No.45892032[source]
> But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it

I think this is the heart of the issue and it boils off all of the unimportant details.

If it's a real, serious issue, you want to know about it and you want to fix it. Regardless of who reports it.

If it's a real, but unimportant issue, you probably at least want to track it, but aren't worried about disclosure. Regardless of who reports it.

If it's invalid, or AI slop, you probably just want to close/ignore it. Regardless of who reports it.

It seems entirely irrelevant who is reporting these issues. As a software project, ultimately you make the judgment call about what bugs you fix and what ones you don't.

replies(1): >>45892816 #
vacuity ◴[11 Nov 25 21:04 UTC] No.45892816[source]
But if it's a real, serious issue without an easy resolution, who is the burden on? It's not that the maintainers wouldn't fix bugs if they easily could. FFmpeg is provided "as is"[0], so everyone should be responsible for their side of things. It's not like the maintainers dumped their software on every computer and forced people to use it. Google should be responsible for their own security. I'm not adamant that Google should share the patch with others, but it would hardly be an imposition to Google if they did. And yes, I really do intend that you could replace Google with any party, big or small, commercial or noncommercial. It's painful, but no one has any inherent obligations to provide others with software in most circumstances.

[0] More or less. It seems the actual language is shied from. Is there a meaningful difference?

replies(2): >>45893319 #>>45895167 #
ryandrake ◴[11 Nov 25 21:46 UTC] No.45893319[source]
Well, it's open source and built by volunteers, so nobody is obligated to fix it. If FFmpeg volunteers don't want to fix it or don't have the time/bandwidth to fix it, then they won't fix it. Like any other bug or CVE in any other open source project. The burden doesn't necessarily need to be on anyone.
replies(1): >>45893540 #
lenerdenator ◴[11 Nov 25 22:06 UTC] No.45893540[source]
They aren't obligated to fix CVEs until they're exploited, and then, suddenly, they very much were obligated to fix the CVEs, and their image as FLOSS maintainers and as a project are very much tarnished.
replies(2): >>45894619 #>>45895878 #
nightshift1 ◴[12 Nov 25 00:03 UTC] No.45894619[source]
I don't think anyone can force them to fix cve. Software is provided as-is. Can't be more straightforward as that.
replies(1): >>45895641 #
vacuity ◴[12 Nov 25 02:12 UTC] No.45895641[source]
This is technically true, but not plausible in the social sense.
replies(1): >>45899532 #
1. seb1204 ◴[12 Nov 25 12:52 UTC] No.45899532[source]
Why not. I can't force you to do your volunteering work.