
1124 points CrankyBear | 2 comments
theoldgreybeard No.45891941
The vulnerability in question is a Use After Free. Google used AI to find this bug; it would've taken them 3 seconds to fix it.

Burning cash to generate spam bug reports to burden volunteer projects when you have the extra cash to burn to just fix the damn issue leaves a very sour taste in my mouth.

replies(4): >>45892004 >>45892129 >>45892230 >>45895702
tpmoney No.45895702
If it takes 3 seconds to fix it, then how is this some massive burden on the maintainers? The bug report pointed to the relevant lines, the maintainers are the most familiar with the code and it probably would have taken them 1.5 seconds to not only fix it, but validate the fix. It probably took more time to write up the complaint about the bugs than to implement the fix.
replies(2): >>45900512 >>45901191
PapstJL4U No.45900512
It takes more time to read and understand the bug report than to fix it. Instead of using Google's time, they used ffmpeg's voluntary time.

If this happens another 1000 times (easily possible with AI), Google just got free labour and free publicity for "discovering 1000 critical bugs (but not fixing them, even though they were easy to do)".

replies(1): >>45908056
tpmoney No.45908056
It takes even more time to read and understand a patch. Not only do you have to do all of the work of reading and understanding the bug report for which the patch is relevant, but you now also have to read and understand the submitted code, which until just this moment you didn't even know was necessary and have no specific context for. Then you have to validate whether or not the code in the patch is sufficient to fix the issue or whether those changes have any additional knock-on effects. Yes, you could hope that the Google coders did this, but since you already have such a low opinion of Google's efforts and behavior on this front, I would argue that trusting their submission without validation would be insane.

Then if there are any changes or additional work to be done, you now have to spend time communicating with the patch submitter, either getting them to make the requested changes, or rejecting their patch outright and writing it on your own.

And after all that we'd be right back here, only instead of the complaint being "we don't have enough time to review all your bug reports" it would be "we don't have enough time to review all your PRs".