• Jankatarch@lemmy.world · 6 up · edited · 5 hours ago

    “This library comes with ABSOLUTELY NO WARRANTY”

    - “But the 1995 rebel assault build tho.”

  • buttnugget@lemmy.world · 5 up · 12 hours ago

    This reminds me of that time there was a critical vulnerability in some core open source library that basically everyone depends on, and there was no one around to fix it or something. I want to say it was 2015? I can’t remember the name of the software package.

  • Evotech@lemmy.world · 39 up, 4 down · 21 hours ago

    I mean, bugs are bugs. It’s not like Google makes them; they are there. It’s up to ffmpeg to decide if they should care or not.

    But in general I think companies who rely on opensource need to contribute more.

    • buddascrayon@lemmy.world · 45 up, 1 down · 13 hours ago

      “I mean, bugs are bugs. It’s not like Google makes them; they are there.”

      No, but there are big bugs and small bugs, and it sounds like Google’s AI bug finder is flooding them with small bugs that don’t affect the security or end product so much. But some unpaid volunteer from FFmpeg has to check them all out regardless. And Google getting pissy about it doesn’t help.

      • Ferk@lemmy.ml · 2 up · edited · 4 hours ago

        Sounds like a prioritization issue. They could configure the git bots to automatically flag all these as “AI-reported” and filter them out from their TODO, considering them low priority by default, unless/until someone starts commenting on the ticket and bringing it to their attention / legitimizing it.

        EDIT: ok, I just read about the 90-days policy… I feel then the problem is not the reporting, but the further actions Google plans based on an automated tool that seems to be inadequate to judge the severity of each issue.

      • half_built_pyramids@lemmy.world · 14 up · 12 hours ago

        The bug in this case was a vulnerability in 1995’s Rebel Assault 2 video game cinematic, specifically the first 20 frames. So only people with that game, watching the specific cinematic, who got the special hobby build of ffmpeg, had this vulnerability.

        • Cyberwolf@feddit.org · 3 up, 2 down · 5 hours ago

          Okay so, the same industry that is trying to kill video games is now worried that a game from 30 years ago nobody ever heard of has a bug?

          Google needs to go back to taking their meds.

        • Evotech@lemmy.world · 3 up, 2 down · 7 hours ago

          Yes, but still a bug. Ffmpeg could just have said “OK. We’re not gonna patch that.”

          • baronofclubs@lemmy.world · 12 up · 6 hours ago

            Google also appended a 90 day disclosure policy to their reports. FFmpeg can always say, “we’re not going to fix that,” but that would mean a security issue would be published, letting nefarious actors act on it. Even if it would only affect 3 users, the follow-up information of “don’t use FFmpeg for this use case or you’ll be hacked” would be out there.

            The criticism arises from the fact that Google, the multinational mega-corp, is sending these reports with the 90 day disclosure policy to a tiny unpaid team. How about the company with something like $100,000,000,000/year in net income offer a patch or two?

  • brax@sh.itjust.works · 53 up, 4 down · 24 hours ago

    All these company execs know is exploitation, and it’s hilarious to see how immature they act when they don’t get their way.

        • buttnugget@lemmy.world · 1 up · 12 hours ago

          Man, I loved that line about how they could shut down three Amazon projects with a single email. That small bit of leverage against these parasites is all they have.

  • adr1an@programming.dev · 25 up · 23 hours ago

    “Allow me to interject and explain the four liberties…” (Or, goto fsfe.org/freesoftware )

    If I understand correctly, the biggest issue for FFMPEG and other projects is not only the Googles and Microsofts that use them without giving back, but their chosen license. They gave permission to corporations to do this. One of the potential ways to fix this situation is to change the license, for example from LGPL to AGPL. And then they can sell the legalese package of allowing them to break their license. The biggest difficulty is that, as a project, they’d need consent from every past and future contributor. So, yeah. I get it. This is a mess.

    It would be way easier if more corporations donated to open source projects… There’s too much labour that’s invisible.

      • Ferk@lemmy.ml · 2 up · edited · 4 hours ago

        AGPL is more “copyleft”, but not really more “permissive”, in the sense that AGPL adds the extra requirement of forcing server admins to provide the source code to the users of any service that internally makes use of AGPL code.

        It plugs a loophole of the other GPL licenses that allows companies to not share any custom modifications as long as they don’t directly share the binaries (they can offer a service using internally modified binaries, but as long as they don’t distribute the binaries themselves they don’t have to share the source code from those modifications running on their private servers, even if they are GPL).

        However, I don’t think a license change would really solve this particular bug-reporting trouble. Most likely Google has not patched these vulnerabilities internally either, or at least the biggest chunk of them (since most of them are apparently edge cases that would most likely not apply to Google’s services anyway).

        • buttnugget@lemmy.world · 2 up · 3 hours ago

          I mean, I understand the licenses, I just have the same reservation you addressed at the end: I don’t see how the licensing scheme would affect bug reporting.

      • adr1an@programming.dev · 4 up · 6 hours ago

        Some GPLv2 projects monetize by selling: support, extension via custom features, or simply the permission for commercial use. This is possible, and it’s what I called “the legalese package”. Imagine ffmpeg being able to charge every year any amount they want to the biggest clients, like GAFAM. Yet you’re still able to use it non-commercially… To be fair, there are some middle uses that get the disadvantage of having to break the license or ask for permission. For example, if you create anything with ffmpeg, then as an indie dev you’d need to launch your product breaking the license or paying them… But even so, the situation is manageable (e.g. ffmpeg could spare you and/or give a 1-year permission to small businesses).

        • Ferk@lemmy.ml · 1 up · edited · 3 hours ago

          It’s unclear what you are trying to say. The question was what switching license would do. There are 2 scenarios: 1) either Google is really not making changes in ffmpeg source internally right now… or 2) they are in fact making changes to it internally (perhaps for encoding with their own codecs, etc.) which they are not releasing back to the public (since the code is LGPL, and not AGPL).

          With situation 1, they can simply continue using ffmpeg, even if it were to switch to AGPL. They would have no need/obligation to release anything, whether they decide to fund development or not. The way I see it, only if it’s situation 2, will Google be affected by a license change. However, if the use they make of ffmpeg is just to have their own encoder program for use with specific codecs, they might as well decide to stop using ffmpeg for this purpose instead and have their own program to work with their encoders. Most of the encoding work is already being done in the encoding libraries separately released (like libaom, which Google licensed under BSD-2).

          But even in the rare case of Google having made changes that (after a license change) they would suddenly decide to be willing to share with the community despite having not done so before… the whole problem with this bug-reporting mess is that most of the issues reported by the automated tools aren’t something really that impactful/important; they are things that even Google would not really be that interested to fix… (why would Google need to fix a codec that only affects a videogame cinematic from 1995?). These reports are just the result of automated & indiscriminate AI analysis, slop.

  • BeerEnjoyer@lemmy.zip · 89 up · 1 day ago

    How ironic. Recently, Google stepped up their game of “let’s kill open source Android”, and when THEY need something done, unpaid open source laborers are supposed to throw away everything and jump on the issue. What’s wrong, Google? The source code for Android 16 QPR1 was supposed to come out “in a few weeks”. They said that on September 10th. Maybe FFmpeg should fix these issues reported by Google “in a few weeks” too?

    • Evotech@lemmy.world · 7 up, 1 down · edited · 21 hours ago

      Isn’t that the definition of open source as seen by commercial entities?

  • ozymandias117@lemmy.world · 135 up, 2 down · 1 day ago

    The fucking gaslighting in this response:

    “Google provides more assistance to open source software projects than almost any other organization, and these debates are more likely to drive away potential sponsors than to attract them”

    “We ran AI that may or may not have found a legitimate issue, and you’re not looking into it for us fast enough. That’s going to drive away new volunteers that we need”

      • tehciolo@lemmy.world · 3 up · 5 hours ago

        If ffmpeg were not an open source project, and somebody submitted a super obscure AI-surfaced bug,

        The bug would be fixed exactly never

        I fail to see how funding them would change that

        Sure, if we forget about specifics for a bit, in general terms it does sound reasonable. And they should be sponsoring ffmpeg anyway as they are using it.

        However some bug reports should just not happen in the first place

        • BeardedGingerWonder@feddit.uk · 3 up · 5 hours ago

          If Google said, “Look, we know we send a lot of bug reports; here’s 50MM a year, go hire a team of dedicated developers to deal with our nonsense, we don’t have the expertise in house to train them on this codebase,” I doubt anyone would be complaining.

          Nothing wrong with fixing bugs even if they are obscure if you have the time and resources.

    • BruisedMoose@piefed.social · 6 up · 1 day ago

      I think it’s about driving away financial sponsors, not volunteer developers. So the last sentence is “That’s going to drive away people who want to give you money and make OUR product worse and our lives harder.”

  • vodka@feddit.org · 163 up · 1 day ago

    Could be worse, at least Google isn’t opening tickets as high priority asking basic questions on how to use ffmpeg.

    Unlike the Microsoft Teams devs: https://trac.ffmpeg.org/ticket/10341 Really funny to go “this is a high priority ticket” as if they’ve paid to use ffmpeg in Teams.

    • Dagnet@lemmy.world · 107 up · 2 days ago

      It’s insane just how important it is and the vast majority of the world doesn’t even know it exists. Truly unsung heroes (everyone who works on it).

        • HuntressHimbo@lemmy.zip · 33 up · 1 day ago

          Well, for instance, you can use it to apply transparencies or other effects using the geq filter. It applies a formula to every pixel in the input and can adjust alpha, RGB values, and gamma. You can also use conditionals in your formula and have access to the current pixel’s location and value, so you can apply your transforms only to specific regions if you want, or do an adjustment keyed only to a specific color.

            • HuntressHimbo@lemmy.zip · 1 up · edited · 9 hours ago

              That and more really. You could use it to do a green screen effect, but you can also use it to adjust color balance, brightness or do weirder things like swapping values between colors. It gets really crazy when you are working with full video because the time of the current frame is also available to be incorporated, so you can even do animated effects.

              Another powerful filter is the convolve filter. That allows you to apply matrix transformations, which can for example be used to apply a homography matrix and adjust a video’s perspective.
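The geq usage described in the two comments above (per-pixel colour reads, a conditional keyed to the pixel's own value, and the frame time for animated effects), as an added example that is not code from the thread or from the FFmpeg project. The green thresholds, the wipe duration, the output file name and the lavfi `color` test input are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the FFmpeg project: two geq filter
# graphs built from the per-pixel features the comments describe (r/g/b reads,
# X/Y position, if()/gt()/lt() conditionals, and the frame time T).
# The thresholds, the wipe duration and the lavfi test input are assumptions.

# Chroma key: keep every pixel's colour, but set alpha to 0 where the pixel is
# "green enough" (green above g_min, red and blue below rb_max). gt()/lt()
# return 0 or 1, so multiplying them acts as a logical AND. format=rgba comes
# first so the r/g/b/a planes exist for geq to read and write.
build_chroma_key_filter() {
    g_min=${1:-150}
    rb_max=${2:-100}
    printf '%s' "format=rgba,geq=r='r(X,Y)':g='g(X,Y)':b='b(X,Y)':a='if(gt(g(X,Y),${g_min})*lt(r(X,Y),${rb_max})*lt(b(X,Y),${rb_max}),0,255)'"
}

# Animated wipe: T is the frame timestamp in seconds and W the frame width, so
# the opaque region's right edge moves from x=0 to x=W over `dur` seconds and
# then stays at W (min() clamps the fraction at 1).
build_wipe_filter() {
    dur=${1:-2}
    printf '%s' "format=rgba,geq=r='r(X,Y)':g='g(X,Y)':b='b(X,Y)':a='if(lt(X,W*min(T/${dur},1)),255,0)'"
}

# Apply the chroma key to a constructed input (a flat green 64x64 frame from
# the lavfi "color" source) when ffmpeg is installed; otherwise just print the
# graph so the script still runs without ffmpeg. With an all-green input every
# pixel of the output PNG should be fully transparent.
run_demo() {
    out=${1:-keyed.png}
    graph=$(build_chroma_key_filter)
    if ! command -v ffmpeg >/dev/null 2>&1; then
        echo "ffmpeg not installed; filter graph would be: $graph" >&2
        return 0
    fi
    ffmpeg -v error -y -f lavfi -i "color=c=0x00ff00:s=64x64:d=1" \
        -vf "$graph" -frames:v 1 "$out"
}

run_demo "$@" || echo "ffmpeg run failed" >&2
```

To key a real clip instead of the constructed frame, replace the `-f lavfi -i ...` input with `-i clip.mp4` and keep the same `-vf` graph; for the wipe, pass `"$(build_wipe_filter 3)"` to `-vf` and encode to a format with an alpha channel (for example `-c:v png` or `-c:v qtrle`), otherwise the alpha plane is dropped on output.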

  • DonutsRMeh@lemmy.world · 74 up · 1 day ago

    If I had an open source program that is being used by fuckers like Google, who can afford to pay but don’t, and then come in and demand shit. I’d just ignore them and pretend they don’t exist and continue with my life. Let them bark until they’re blue in the face. But first I’d put this as the first line in the README.md “if you’re a big corporation and need help, come with money. Otherwise, please don’t bother me”.

    • phx@lemmy.world · 46 up · 1 day ago

      Not only do they have the money, but Google is actively working to lock down their streaming platform (YouTube) against third parties, and they have basically yanked the rug for their OS platform while adding requirements for developers to sideload.

      Their entire direction is antagonistic and in opposition to the core concepts of FOSS

    • ignirtoq@feddit.online · 39 up, 1 down · 1 day ago

      The problem is that some small but non-zero fraction of these bugs may be exploitable security flaws with the software, and these bug reports are on the open internet. So if they just ignore them all, they risk overlooking a genuine vulnerability that a bad actor can then more easily find and use. Then the FOSS project gets the blame, because the bug report was there, they should have fixed it!

      • korazail@lemmy.myserv.one · 4 up · 22 hours ago

        I agree that this is a problem.

        “Responsible disclosure” is a thing where an organization is given time to fix their code and deploy before the vulnerability is made public. Failing to fix the issue in a reasonable time, especially a timeline that your org has publicly agreed to, will cause reputational harm and is thus an incentive to write good code that is free of vulns and to remediate ones when they are identified.

        This breaks down when the “organization” in question is just a few people with some free time who made something so fundamentally awesome that the world depends on it and have never been compensated for their incredible contributions to everyone.

        “Responsible disclosure” in this case needs a bit of a redesign when the org is volunteer work instead of a company making profit. There’s no real reputational harm to ffmpeg, since users don’t necessarily know they use it, but the broader community recognizes the risk, and the maintainers feel obligated to fix issues. Additionally, a publicly disclosed vulnerability puts tons of innocent users at risk.

        I don’t dislike AI-based code analysis. It can theoretically prevent zero-days when someone else malicious finds an issue first, but running AI tools against that xkcd-tiny-block and expecting that the maintainers have the ability to fit into a billion-dollar company’s timeline is unreasonable. Google et al. should keep risks or vulnerabilities private when disclosing them to FOSS maintainers instead of holding them to the same standard as a corporation by posting issues to a git repo.

        An RCE or similar critical issue in ffmpeg would be a real issue with widespread impact, given how broadly it is used. That suggests that it should be broadly supported. The social contract with LGPL, GPL, and FOSS in general is that code is released ‘as is, with no warranty’. Want to fix a problem? Go for it! Only calling out problems just makes you a dick: Google, Amazon, Microsoft, hundreds of others.

        As many have already stated: if a grossly profitable business depends on a “tiny” piece of code they aren’t paying for, they have two options: pay for the code (fund maintenance) or make their own. I’d also support a few headlines like “New Google Chrome vulnerability will let hackers steal your children and house!” or “watching this YouTube video will set your computer on fire!”

    • fatalicus@lemmy.world · 11 up · 1 day ago

      The main issue there is Project Zero, where if you ignore what Google has reported, they will just go ahead and disclose the issue.

  • ButteryMonkey@piefed.social · 42 up, 1 down · edited · 1 day ago

    That was an incredibly interesting read, and I learned a lot! Thank you for posting it!

    It’s genuinely infuriating that so much labor is simply stolen, in so many different ways, from people with a passion for what they do, and turned into profit for some mega corp, with the vast majority funneled to a few people completely unrelated to any of the work.

    • BradleyUffner@lemmy.world · 2 up · 9 hours ago

      Nothing was stolen. The authors chose to give it away, for free, with no strings. That’s not theft.

      No one forced them to choose that license, and no one forced anyone to contribute to that project.

    • djehuti@programming.dev · 8 up, 3 down · 24 hours ago

      Anyone who doesn’t work for themselves is getting their labor stolen, and that includes me. The name for this type of systemic crime is “capitalism.”

      • scholar@lemmy.world · 2 up, 2 down · 22 hours ago

        Not if you are being compensated for your labour. The actual crime that describes stolen labour is “slavery”.

        • Random Dent@lemmy.ml · 5 up · 21 hours ago

          I think you could make an argument that being compensated for your labour, but way under the value your labour produces and also under the constant threat of homelessness and starvation if you don’t do it is still an unethical system.

  • foremanguy@lemmy.ml · 12 up, 2 down · 1 day ago

    Even if the license allows using it commercially, I don’t think this allows abusing it when the only brake restricting you from donating is capitalism. These companies are worth more than 3T, and they are thinking long and hard about donating to their foundations…

  • fodor@lemmy.zip · 53 up, 1 down · 1 day ago

    They’re profiting from FOSS, nobody is trying to prevent them from doing so, but they refuse to spend small amounts of money helping out part-time coders … and you know why. That money is going to the mid-level managers themselves.

    Do the right thing and help your company in the medium run, or pocket chump change? Yeah, easy answer.