FFmpeg to Google: Fund us or stop sending bugs

(thenewstack.io)

1124 points CrankyBear | 1 comments | 11 Nov 25 18:32 UTC | HN request time: 0s | source

Show context

woodruffw ◴[11 Nov 25 19:16 UTC] No.45891521[source]▶

I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.

replies(13): >>45891613 #>>45891749 #>>45891930 #>>45892032 #>>45892263 #>>45892941 #>>45892989 #>>45894805 #>>45896179 #>>45897077 #>>45897316 #>>45898926 #>>45900786 #

jitbit ◴[12 Nov 25 11:38 UTC] No.45898926[source]▶

>>45891521 #

True - if we're talking about actual security bugs, not the "CVE slop"

P.S. I'm an open source maintainer myself, and I used to think, "oh, OSS developers should just stop whining and fix stuff." Fast forward a few years, and now I'm buried under false-positive "reports" and overwhelmed by non-coding work (deleting issue spam, triage, etc.)

P.P.S. What's worse, when your library is a security component the pressure’s even higher - one misplaced loc could break thousands of apps (we literally have a million downloads at nuget [1] )

[1]: https://www.nuget.org/packages/AspNetSaml

replies(1): >>45899542 #

1. seb1204 ◴[12 Nov 25 12:53 UTC] No.45899542[source]▶

>>45898926 #

Please speak openly about that on your dev page Manage expectations.

↑