submitted 2 months ago by als@lemmy.blahaj.zone to c/opensource@lemmy.ml
[-] Evotech@lemmy.world 43 points 2 months ago

I mean, bugs are bugs. It's not like Google makes them, they are there. It's up to ffmpeg to decide if they should care or not.

But in general I think companies who rely on opensource need to contribute more.

[-] buddascrayon@lemmy.world 58 points 2 months ago

I mean, bugs are bugs. It's not like Google makes them they are there.

No, but there are big bugs and small bugs, and it sounds like Google's AI bug finder is flooding them with small bugs that don't affect the security or end product so much. But some unpaid volunteer from FFmpeg has to check them all out regardless. And Google getting pissy about it doesn't help.

[-] half_built_pyramids@lemmy.world 19 points 2 months ago

The bug in this case was a vulnerability in 1995's Rebel Assault 2 video game cinematic, specifically the first 20 frames. So only people with that game, watching the specific cinematic, who got the special hobby build of ffmpeg, had this vulnerability.

[-] Pirate@feddit.org 4 points 2 months ago

Okay so, the same industry that is trying to kill video games is now worried that a game from 30 years ago nobody ever heard of has a bug?

Google needs to go back to taking their meds.

[-] Evotech@lemmy.world 0 points 2 months ago

Yes, but still a bug. Ffmpeg could just have said "OK. We're not gonna patch that."

[-] baronofclubs@lemmy.world 21 points 2 months ago

Google also appended a 90 day disclosure policy to their reports. FFmpeg can always say, "we're not going to fix that," but that would mean a security issue would be published, letting nefarious actors act on it. Even if it would only affect 3 users, the follow-up information of "don't use FFmpeg for this use case or you'll be hacked" would be out there.

The criticism arises from the fact that Google, the multinational mega-corp, is sending these reports with the 90 day disclosure policy to a tiny unpaid team. How about the company with something like $100,000,000,000/year in net income offer a patch or two?

[-] Ferk@lemmy.ml 7 points 2 months ago* (last edited 2 months ago)

Sounds like a prioritization issue. They could configure the git bots to automatically flag all these as "AI-reported" and filter them out from their TODO, considering them low priority by default, unless/until someone starts commenting on the ticket and bringing it to their attention / legitimizing it.

EDIT: ok, I just read about the 90-days policy... I feel then the problem is not the reporting, but the further actions Google plans based on an automated tool that seems to be inadequate to judge the severity of each issue.
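Ferk's triage idea, written out as a small rule set (an added example, not code from the thread or from FFmpeg's tracker): reports from a known scanner account are tagged "ai-reported" and start at low priority, a comment from another person lifts them to normal, and a pending disclosure deadline within 30 days forces high priority no matter where the report came from. The bot account name, the label names, the deadline window and the sample issues are all constructed for this example.

```python
"""Triage rules for automated scanner reports (constructed example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical account names for automated reporters; a real project would
# fill this from its own tracker configuration.
AUTOMATED_REPORTERS = {"example-ai-scanner-bot"}

# Phrases that mark a report as machine-generated even from an unknown account.
AUTOMATION_MARKERS = ("automatically generated", "found by automated analysis")

# A disclosure date this close moves the issue to the top of the queue.
DEADLINE_WINDOW = timedelta(days=30)


@dataclass
class Issue:
    number: int
    reporter: str
    title: str
    body: str
    human_comments: int = 0            # comments from people other than the reporter
    disclosure_deadline: Optional[date] = None
    labels: Set[str] = field(default_factory=set)


def is_automated(issue: Issue) -> bool:
    """True when the report comes from a known bot account or carries an automation marker."""
    text = issue.body.lower()
    return issue.reporter in AUTOMATED_REPORTERS or any(m in text for m in AUTOMATION_MARKERS)


def triage(issue: Issue, today: date) -> Tuple[Set[str], str]:
    """Return (labels, priority) for one issue.

    priority is "low", "normal" or "high": automated reports start low,
    a human comment lifts them to normal, and a near disclosure deadline
    forces high regardless of origin.
    """
    labels = set(issue.labels)
    priority = "normal"

    if is_automated(issue):
        labels.add("ai-reported")
        priority = "low"
        if issue.human_comments > 0:
            # Someone has looked at it and found it worth discussing.
            labels.add("human-confirmed")
            priority = "normal"

    if issue.disclosure_deadline is not None:
        labels.add("disclosure-deadline")
        if issue.disclosure_deadline - today <= DEADLINE_WINDOW:
            priority = "high"

    return labels, priority


def triage_all(issues: List[Issue], today: date) -> Dict[int, Tuple[Set[str], str]]:
    """Apply triage() to every issue, keyed by issue number."""
    return {i.number: triage(i, today) for i in issues}


# Constructed sample reports; numbers, names and text are made up.
SAMPLE_ISSUES = [
    Issue(1, "example-ai-scanner-bot", "Out-of-bounds read in demuxer",
          "This report was automatically generated by a fuzzing pipeline."),
    Issue(2, "example-ai-scanner-bot", "Out-of-bounds read in demuxer",
          "This report was automatically generated by a fuzzing pipeline.",
          human_comments=2),
    Issue(3, "example-ai-scanner-bot", "Crash in decoder",
          "This report was automatically generated by a fuzzing pipeline.",
          disclosure_deadline=date(2025, 12, 1)),
    Issue(4, "some-person", "Build fails on musl",
          "make exits with an error on musl libc"),
]


if __name__ == "__main__":
    for number, (labels, priority) in triage_all(SAMPLE_ISSUES, date(2025, 11, 11)).items():
        print(number, priority, sorted(labels))
```

The deadline rule is the part that matters for the 90-day policy discussed above: filtering scanner output to low priority only works if something else still surfaces a report before its disclosure date passes, so the deadline check runs after the origin check and can only raise priority, never lower it.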

this post was submitted on 11 Nov 2025
860 points (99.4% liked)