Many in the FFmpeg community argue, with reason, that it is unreasonable for a trillion-dollar corporation like Google, which heavily relies on FFmpeg in its products, to shift the workload of fixing vulnerabilities to unpaid volunteers.
Google may once have felt an obligation to support the open source software they rely on, but that day’s long gone. They have become nothing more than a skeleton of distilled capitalism, shedding the pretense of being of benefit to society along with their “Don’t be evil” motto.
Google’s behavior makes perfect sense with the understanding that every single move, no matter how small, is only about generating more revenue.
lmmarsano@lemmynsfw.com 4 months ago
They’re bug reports: no one needs to fix them. This problem is solved easily enough by letting the chips fall.
If companies want them fixed badly enough, they can send bug fixes, which is much cheaper than the alternative (paying more engineers to develop a non-open alternative). Those companies have at least as much interest as anyone to keep that software maintained & secure.
The truth is never a bad thing. They don’t need to care. A bug is a bug: better to know than not.
nandeEbisu@lemmy.world 4 months ago
Security vulnerabilities are different, especially when they also put a 90 day disclosure period in it which is more severe for a security exploit.
That disclosure bit, not in the article, is really what tipped this all over the edge. If it was just hey, here’s a bug then its really just flooding the backlog for the maintainers who need to triage that. Disclosures are often used so people are aware that they’re using libraries that the maintainer has refused to patch, but in this case its really just holding the maintainers hostage so they end up wasting their time going through irrelevant issues.
Ideally, they would either use their supposedly capable and powerful AI code gen to just make a fix and send over a patch, or at least use LLMs on their own end to triage the issues and only send over the most sever X periodically.
lmmarsano@lemmynsfw.com 4 months ago
No, it’s still open source work, completely voluntary in the free world.
No, they merely tell reality: an unresolved security issue was found. How anyone handles that is their business. There is no inherent duty.
People who would rather write a fix than write & maintain their own daunting library will send a fix.
If someone’s getting paid, and it’s not worth the work, then that is also their business. It’s still open source. If the solution saves more effort than doing it yourself, then the people who need it won’t just let it all go to waste.
This is entirely a social issue of managing & rebuffing unrealistic expectations. It’s perfectly valid to set boundaries, remind folks beggars can’t be choosers, and tell them pitching in gets more done.
Taldan@lemmy.world 4 months ago
The truth can absolutely be a bad thing. If google reports an important vulnerability, then buries it in CVE slop for 90 days, and publicly announces details of the important vulnerability that hasn’t been fixed yet, it would be worse than if they had never reported it
The 90-day publishing window is tough when OSS projects are getting buried in AI slop reports
lmmarsano@lemmynsfw.com 4 months ago
Then Google would have to put out of the fire of that vulnerability in their dependent software.
Not disclosing a vulnerability doesn’t stop attackers from exploiting it. A report simply indicates someone who noticed bothered to report it.
The problem is the vulnerability. False urgency is nothing more: the maintainers don’t need to “meet the window”. Companies will be left with their pants on fire if they don’t act, too: it’s everybody’s problem. Maintainers can just ignore the window to shift the burden back on moneyed interests as I explained before.