
FFmpeg To Google: Fund Us or Stop Sending Bugs (thenewstack.io)

(Tuesday November 11, 2025 @05:50PM (msmash) from the CVE-slop dept.)


FFmpeg, the open source multimedia framework that powers video processing in Google Chrome, Firefox, YouTube and other major platforms, has called on Google to [1] either fund the project or stop burdening its volunteer maintainers with security vulnerabilities found by the company's AI tools. The maintainers patched a bug that Google's AI agent discovered in code for decoding a 1995 video game but described the finding as "CVE slop."

The confrontation centered on a Google Project Zero policy announced in July under which the existence of a reported vulnerability (vendor, product and deadline, not the technical details) is published within a week of the report, and a ninety-day countdown to full disclosure starts regardless of patch availability. FFmpeg, written primarily in C with hand-written assembly for its performance-critical paths, handles format conversion and streaming for VLC, Kodi and Plex but operates without adequate funding from the corporations that depend on it. Nick Wellnhofer resigned as maintainer of libxml2, a library used in all major web browsers, because of the unsustainable workload of addressing security reports without compensation and said he would stop maintaining the project in December.



[1] https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/



Mail server tweak (Score:4, Insightful)

by devslash0 ( 4203435 )

Modify your mail server to return all emails from google to sender with status=Undelivered. If they haven't delivered the message, their bots may spot it and not start the countdown.

Bonus:

Allow only those emails in that carry a bitcoin pre-payment or a gift card code.

Re: Mail server tweak (Score:2)

by reanjr ( 588767 )

Or they might decide the devs are unable to be contacted and the vulnerability should be immediately released.

90 days, huh? (Score:3)

by Sebby ( 238625 )

> Google Project Zero policy announced in July that publicly discloses reported vulnerabilities within a week and starts a ninety-day countdown to full disclosure regardless of patch availability

What's tempting here is finding some 9.x-level vulnerability in some Google product, creating a CVE, publishing it and, in the same vein as Google, doing full disclosure within 90 hours and seeing how Google likes them apples.

Re: (Score:2)

by tlhIngan ( 30335 )

It used to be 30 days. Apple and Microsoft complained because it didn't give enough time to analyze the problem, fix it, test it, and then do a proper rollout to ensure there weren't unexpected side effects in 30 days.

I think what happened was a kernel flaw, meaning a fix could severely impact other subsystems in the OS and thus a fix would need to be carefully done and a properly staged rollout.

The problem isn't the AI tools - Project Zero has real researchers doing real analysis and making sure those AI i

Fixing CVE Slop? (Score:3)

by thegarbz ( 1787294 )

Wait if it is CVE Slop why not just label WONTFIX and move on? Something doesn't add up here.

Re: Fixing CVE Slop? (Score:3)

by reanjr ( 588767 )

I think the overall quantity of this sort of thing means you need to fix the issue to avoid further slop. Even if WONTFIX stops Google from re-reporting the bug (a big IF), it won't stop other entities from running the same sorts of checks.

It's an overwhelming rush of stupid niggling details that don't really matter but will ultimately create too much work if it's unaddressed. Like if you have a web app and everyone's complaining about the color scheme, you should fix the color scheme even if it doesn't mat

Re: Fixing CVE Slop? (Score:3)

by reanjr ( 588767 )

Adding one more thing: bug reports should require an impact assessment. If the AI properly reports the bug will only impact people running on a video game console from 1995, the maintainers can properly prioritize it as a bug, but one no one should care about. Not WONTFIX exactly, but prioritized last among all issues in the project.

One things that's hurting us I think is this idea that a security problem overrides all other problems. So bad actors are essentially couching feature requests as security probl

Re: (Score:2)

by Xylantiel ( 177496 )

Maybe a bug in reading an obscure 1995 file format doesn't deserve a 90-day countdown clock since it impacts such a small number of people. That seems like the problem to me, an automated process run amok outside of its original assumptions.

Re: Fixing CVE Slop? (Score:2)

by Tomahawk ( 1343 )

> Like if you have a web app and everyone's complaining about the color scheme, you should fix the color scheme

How many do you think it would take to complain to Slashdot to get a dark theme enabled?

Re: (Score:1)

by supabeast! ( 84658 )

Because someone still has to take time to read the slop. Over and over. That's the kind of thing that makes volunteers go volunteer somewhere else. And this shit is going to snowball; if Google keeps getting away with it so will other companies, then it will be students testing out their AI hacking skills. It’s better to send a public message to Google before the situation gets bad.

Re: (Score:2)

by Waffle Iron ( 339739 )

> Because someone still has to take time to read the slop. Over and over.

That work sounds like a great candidate to offload onto AI!

Re: (Score:1)

by Anonymous Coward

The problem is one of outsourcing. All these well-funded organisations are building their products on top of FOSS and making the maintainers work for them for free. On top of treating them like free workers they then start placing demands on the timeliness of fixes. I don't think it's unreasonable for FFmpeg and other similarly abused projects to start expecting funding.

Isn't this the idea? (Score:3)

by getuid() ( 1305889 )

I'm really torn on this.

Free Software benefits from bug reports - eventually the software gets better. Big corporations don't compensate - which sucks, but is part of the deal when you decide you're writing Free Software. You're not writing to be compensated, you're writing to "scratch an itch".

Can't fix all bugs? Then... Don't. Eventually whoever has most to lose is bound to step up and help. At any rate nobody gets to tell you whether or how fast to fix a bug or implement a feature, if you're not on their payroll... that's the flip side that works to the Free Software Dev's advantage.

Bothered by the premature disclosure? Why? A security issue still is a security issue; better to know about it than not, for everyone involved.

Re: (Score:3)

by Sebby ( 238625 )

> You're not writing to be compensated, you're writing to "scratch an itch".

True, but with many popular OSS projects, that "itch" becomes a permanent rash (constant demands for features/fixes, unpaid) that drive developers to burnout.

So then there's really only a few choices:

1. close the source, or also use a less permissive license that perhaps requires paid contract for commercial use etc.

2. large companies whose products depend on those projects help fund it, or,

3. dev burns out, leaving the project in limbo (or a bunch of proprietary forks) making it less popular/supported.

Re: Isn't this the idea? (Score:1)

by getuid() ( 1305889 )

Why?

You don't need to treat someone else's itch/rash, just your own. Prioritize and fix bugs by your own criteria, in your own time. You're not "supporting" anyone's product, you're building your own.

Nobody has any kind of hold over you; they either use your product as it is, or they can build their own, it's that simple.

It only becomes complicated once you attach your own pride and self-worth to the existence of a "large user base".

You're obviously not a maintainer of a popular pro (Score:1)

by Anonymous Coward

Clearly, you're not a maintainer of a popular project. Otherwise you'd know ignoring requests doesn't get rid of the trolls (the kind like you).

Re: (Score:2)

by Richard_at_work ( 517087 )

But thats the entire point - at that point you arent scratching your own itch, you are voluntarily scratching someone elses.

If people stuck to scratching their own itches, we would either have fewer large projects or more involvement from users who are scratching their own itches.

But in the meantime, many OSS projects exist on the following flow:

1. Scratch your own itch, and make the solution public because it might help out others

2. Someone else finds your scratching to be valuable to them, so uses your so

Re: (Score:2)

by LainTouko ( 926420 )

4. Ignore the demands for features/fixes and just do what you want.

Re: Isn't this the idea? (Score:3)

by Midnight Thunder ( 17205 )

A company like Google could even contribute quality fixes, but by humans. Asking volunteers to solve a problem that the multi-million dollar company is benefiting from is cheap and spiteful, especially if said company provides no value to the project.

Re: Isn't this the idea? (Score:2)

by getuid() ( 1305889 )

Nobody's asking anybody anything. Submitting bug reports (if they're valid and good) isn't asking, it's helping: knowing if and where your software fails is better than not knowing, regardless of whether you decide to fix it or not.

Re:Isn't this the idea? (Score:4, Insightful)

by ewhac ( 5844 )

Google appears to have undertaken the expense of spinning up an ocean-boiling slop machine to automagically generate plausible bug reports, and then casually fire off an email to the maintainers.

Note that Google has not undertaken the expense of assigning an engineer to also write a fix.

That they are not doing that is a conscious, management-approved choice.

...Y'know how Google relishes in closing bug reports with "WONTFIX - Working as designed?" I think FFmpeg should close slop reports from Google with, "WONTFIX - Unfunded."

Re: Isn't this the idea? (Score:2)

by reanjr ( 588767 )

Yeah, in this case the people running FFMPEG on a console from 1995 can address the security problem if they think it's needed.

Re: (Score:2)

by MeNeXT ( 200840 )

So why wait at all just release the bugs you found. So if you find a vulnerability in Chrome don't even bother sending an email to Google. Eventually Google will find out and fix the bug. /s

Good for FFmpeg - Shame on Google, Apple, Amazon (Score:1)

by expresspotato ( 5687556 )

The giants make use of FFmpeg probably in nearly every product they build, ship and download. I'm surprised they don't already pay some sort of support to the open source community - ffmpeg in particular.

Re: (Score:2)

by cruff ( 171569 )

Companies are notorious for not recognizing the derived value they get from open source software and not recognizing that if they want to keep using it without taking on the burden of self-maintenance, they should pony up some funds to those who are maintaining it. The managers with the ability to spend funds have blinders on, resulting in very narrow vision.

Change your licensing model (Score:2)

by djb ( 19374 )

I switched the licensing model on my Open Source project (iframe-resizer) from MIT to GPLv3 + Commercial license options for non-GPL projects. Most businesses don't want to distribute under the GPL, and are willing to pay to get around it.

You can offer a fixed fee for smaller businesses and individually negotiated annual licenses for majors like Google.

I’m in my second year of running like this, and the extra income has enabled me to invest a lot more time into the project, than I otherwis

If it's a real bug ... (Score:2)

by cascadingstylesheet ( 140919 )

... then what's the problem?

Corporate policy (Score:2)

by registrations_suck ( 1075251 )

Google could create a new corporate policy to provide a minimum of $1M/year to any open source project it uses.

That would be real innovation.

The effect on Google's bottom line would be completely negligible, not even a rounding error on a rounding error.

If $1M is more than necessary, make it $100K, or whatever is appropriate, but substantial. Fund at least be definitely on every project it uses.

Invite its peers to do the same.

If AI can find and report the bug... (Score:3)

by MrCreosote ( 34188 )

then surely AI can also include the fix...

Without compensation? (Score:2)

by quonset ( 4839537 )

Why does he need compensation? People don't pay for music, or movies, or software, why should he be any different and get paid for the work he did?
