  • BeerEnjoyer@lemmy.zip · ↑14 · 2 hours ago

    How ironic. Recently, Google stepped up their game of “let’s kill open source Android”, and when THEY need something done, unpaid open source laborers are supposed to throw away everything and jump on the issue. What’s wrong, Google? The source code for Android 16 QPR1 was supposed to come out “in a few weeks”. They said that on September 10th. Maybe FFmpeg should fix these issues reported by Google “in a few weeks” too?

    • Korhaka@sopuli.xyz · ↑1 · edited · 57 seconds ago

      They are welcome to fix the bugs themselves and make it public. Valve have done a fair bit of that with making Windows games run on Linux IIRC.

      They could even use their LLMs to fix the bugs, and everyone else can reject the shitty bugs it creates.

  • ButteryMonkey@piefed.social · ↑22 · edited · 4 hours ago

    That was an incredibly interesting read, and I learned a lot! Thank you for posting it!

    It’s genuinely infuriating that so much labor is simply stolen, in so many different ways, from people with a passion for what they do, and turned into profit for some mega corp, with the vast majority funneled to a few people completely unrelated to any work.

  • ozymandias117@lemmy.world · ↑60 · 5 hours ago

    The fucking gaslighting in this response

    Google provides more assistance to open source software projects than almost any other organization, and these debates are more likely to drive away potential sponsors than to attract them

    “We ran AI that may or may not have found a legitimate issue, and you’re not looking into it for us fast enough. That’s going to drive away new volunteers that we need”

  • DonutsRMeh@lemmy.world · ↑44 · 6 hours ago

    If I had an open source program that is being used by fuckers like Google, who can afford to pay but don’t, and then come in and demand shit, I’d just ignore them and pretend they don’t exist and continue with my life. Let them bark until they’re blue in the face. But first I’d put this as the first line in the README.md: “if you’re a big corporation and need help, come with money. Otherwise, please don’t bother me”.

    • phx@lemmy.world · ↑12 · 2 hours ago

      Not only that they have the money, but Google is actively working to lock down their streaming platform (YouTube) against third-parties and they have basically yanked the rug for their OS platform, while adding requirements for developers to sideload.

      Their entire direction is antagonistic and in opposition to the core concepts of FOSS.

    • ignirtoq@feddit.online · ↑22 ↓1 · 6 hours ago

      The problem is that some small but non-zero fraction of these bugs may be exploitable security flaws with the software, and these bug reports are on the open internet. So if they just ignore them all, they risk overlooking a genuine vulnerability that a bad actor can then more easily find and use. Then the FOSS project gets the blame, because the bug report was there, they should have fixed it!

    • fatalicus@lemmy.world · ↑7 · 5 hours ago

      The main issue there is Project Zero, where if you ignore what Google has reported, they will just go ahead and disclose the issue.

  • vodka@feddit.org · ↑84 ↓1 · 7 hours ago

    Could be worse, at least Google isn’t opening tickets as high priority asking basic questions on how to use ffmpeg.

    Unlike the Microsoft Teams devs (https://trac.ffmpeg.org/ticket/10341). Really funny to go “this is a high priority ticket” as if they’ve paid to use ffmpeg in Teams.

  • CookieOfFortune@lemmy.world · ↑21 · 6 hours ago

    They should just call this an incomplete AI output. If the AI is so good, it should create the fix, add tests, and ensure nothing else breaks.

  • Shrouded0603@feddit.org · ↑1 ↓6 · 1 hour ago

    I haven’t read it yet so maybe this opinion may be slightly off topic, but I think there is nothing wrong with Google sending bug reports. It only gets fucked when they actually request features.

    • fodor@lemmy.zip · ↑3 · 20 minutes ago

      Google spent money to find bugs but won’t spend money to fix them. That simply makes the devs’ lives worse. It’s an asshole move.

    • Ferk@lemmy.ml · ↑4 · edited · 1 hour ago

      I agree… I mean, they are not forced to fix the issues; if the issue is obscure and not many people are affected, then there’s no reason why they can’t just mark it as “patches welcome” and leave it there. I feel this is a problem in the policy the project might have for prioritization, not really a problem in QA / issue reporting.

      For context:

      The latest episode was sparked after a Google AI agent found an especially obscure bug in FFmpeg. How obscure? This “medium impact issue in ffmpeg,” which the FFmpeg developers did patch, is “an issue with decoding LucasArts Smush codec, specifically the first 10-20 frames of Rebel Assault 2, a game from 1995.”

      To me, the problem shouldn’t be the report, but categorizing it as “medium impact” if they think fixing it isn’t “a valuable use of an assembly programmer’s time”.

      Also:

      the former maintainer of libxml2 […] recently resigned from maintaining libxml2 because he had to “spend several hours each week dealing with security issues reported by third parties. Most of these issues aren’t critical, but it’s still a lot of work.”

      Would it truly be better if the issues weren’t reported? What’s the difference between the issue not being reported and the issue not being fixed because it’s not seen as a priority?

      • colourlessidea@sopuli.xyz · ↑3 · 1 hour ago

        what’s the difference between the issue not being reported and the issue not being fixed because it’s not seen as a priority

        Triaging and investigation take time. Plus having a bunch of open security issues, even if they’re not critical, destroys public confidence in the software.

        • Ferk@lemmy.ml · ↑1 · edited · 21 minutes ago

          Sure, but if it wasn’t triaged why consider it “medium impact”? I feel when tight on resources, it’s best to default to “low priority” for all issues whose effect (i.e. to the end-user, or to the software depending on it) isn’t clearly scoped and explained by the reporter. If the reporters (or those affected) have not done the job to make it easy to quickly see why it’s important to have this fixed then it’s probably not so important for them to have it fixed. Some projects even have bots that automatically close issues whenever there has not been activity for a certain time (though I’d prefer labeling it / categorizing as “low engagement” or something so it can be filtered out when swamped, instead of simply closing it).

          About “public confidence”, I feel that this would rather be “misplaced confidence” if it’s based on a number that is “massaged” to hide issues. Also this is an open source project we are talking about, there isn’t an investment fund behind it or a need for people to have absolute loyalty or blind trust. The code is objectively there, the trust should never be blind. If there wasn’t a long list of reports I’d be more suspicious of a project as popular, frequently updated & ubiquitous as ffmpeg. Especially if they are (allegedly) not triaged. Anyone who decides to choose ffmpeg based on the number of issues open without actually investigating from their end how relevant that number actually is… well… they can go look for a different software.

  • fodor@lemmy.zip · ↑43 · 7 hours ago

    They’re profiting from FOSS, nobody is trying to prevent them from doing so, but they refuse to spend small amounts of money helping out part-time coders … and you know why. That money is going to the mid-level managers themselves.

    Do the right thing and help your company in the medium run, or pocket chump change? Yeah, easy answer.

  • communism@lemmy.ml · ↑41 ↓1 · 8 hours ago

    Surely Google has the resources to fix the bugs themselves. Most FOSS projects probably appreciate code contributions more than money.

    • qqq@lemmy.world · ↑8 · 5 hours ago

      I can’t say I’ve ever sent a security related bug report without at least some work done trying to understand how to fix it. Surely the caliber of people working for Project Zero can do that too, otherwise hi Google I’ll take one job please.

    • dandelion (she/her)@lemmy.blahaj.zone · ↑13 · 6 hours ago

      this would probably just lead to the corporation taking more and more of a role until they take over development of the FOSS projects they care about, which is a particular nightmare I would prefer to avoid

      was upset enough when Microsoft bought GitHub

    • chrash0@lemmy.world · ↑19 ↓1 · 8 hours ago

      there are some teams in companies like this where management doesn’t want to account for upstreaming and some engineers are happy to open a bug report, move the ticket to blocked, and move on to something else

  • Goretantath@lemmy.world · ↑11 · 8 hours ago

    With how short a time they give, if I wanted to cause chaos and previously had to do hard work to find big flaws, now all I have to do is sit back and wait for Google to hand me the keys to someone else’s system.