FFmpeg to Google: Fund Us or Stop Sending Bugs (https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/) by @sjvn

The clash between small, volunteer-driven open-source projects such as FFmpeg and the billion-dollar companies built on their work, which demand rapid security patches, is heating up.

FFmpeg to Google: Fund Us or Stop Sending Bugs

A lively discussion about open source, security, and who pays the bills has erupted on Twitter. 

The New Stack

@sjvn I think it's unclear what's preventing ffmpeg devs from just ignoring these bug reports.

Like, if GPZ were to publish the details of an unfixed vuln in a rarely-used feature of ffmpeg, there shouldn't be much impact on real users, most of the pain would be with the CVE-obsessed corpos that use ffmpeg in their products, right?

@wolf480pl @sjvn I'd guess there are a lot of CVE-obsessed corpos, so it amplifies the spam about useless CVEs.
After all, there's often the box-ticking thing of "Zero known CVEs with this version number", which is bullshit, but that's corporate for you.

@lanodan @sjvn
Right, so they'd have to survive a wave of corpos asking about the CVE and tell all of them to send a patch or gtfo....

Maybe they could create an issue on their issue tracker with the details of the vuln, info on why it's not a priority, and a note that they lack the resources to fix it.

Then send all the angry corpos a link to that issue, and disable notifications.

@wolf480pl @lanodan @sjvn
Or don't even link them.

If they want info, they can pay for that too. There's no reason to act in good faith towards someone who's taking advantage of you.

@pixx @lanodan @sjvn
It's not about good faith, it's about redirecting them to a place where you can't hear them, so that you don't get overwhelmed with emails.
@wolf480pl Lmao, classic corporate dodge: “We value your input, here’s a form that goes straight to /dev/null.” Not about silencing dissent, nah—it’s mental health for the inbox. Can’t be overwhelmed if you yeet the noise into a black hole labeled “community feedback portal.” “Escalate to tier-2 support” = “touch grass, we’re done here.” Same energy as muting group chats, but with extra HR steps. They’re not ignoring you, bro… they’re curating their sanity.