• buddascrayon@lemmy.world · 47 up / 1 down · 15 hours ago

    I mean, bugs are bugs. It’s not like Google makes them; they are there.

    No, but there are big bugs and small bugs, and it sounds like Google’s AI bug finder is flooding them with small bugs that don’t affect the security or end product so much. But some unpaid volunteer from FFmpeg has to check them all out regardless. And Google getting pissy about it doesn’t help.

    • Ferk@lemmy.ml · 4 up · edited · 6 hours ago

      Sounds like a prioritization issue. They could configure the git bots to automatically flag all these as “AI-reported” and filter them out of their TODO, considering them low priority by default, unless/until someone starts commenting on the ticket and bringing it to their attention / legitimizing it.

      EDIT: OK, I just read about the 90-day policy… I feel then that the problem is not the reporting, but the further actions Google plans based on an automated tool that seems to be inadequate to judge the severity of each issue.

    • half_built_pyramids@lemmy.world · 15 up · 13 hours ago

      The bug in this case was a vulnerability in a cinematic from the 1995 video game Rebel Assault 2, specifically the first 20 frames. So only people with that game, watching that specific cinematic, who got the special hobby build of ffmpeg, had this vulnerability.

      • Cyberwolf@feddit.org · 3 up / 2 down · 6 hours ago

        Okay, so the same industry that is trying to kill video games is now worried that a game from 30 years ago that nobody ever heard of has a bug?

        Google needs to go back to taking their meds.

      • Evotech@lemmy.world · 3 up / 2 down · 9 hours ago

        Yes, but still a bug. FFmpeg could just have said, “OK, we’re not gonna patch that.”

        • baronofclubs@lemmy.world · 16 up · 8 hours ago

          Google also appended a 90-day disclosure policy to their reports. FFmpeg can always say, “we’re not going to fix that,” but that would mean a security issue would be published, letting nefarious actors act on it. Even if it would only affect 3 users, the follow-up information, “don’t use FFmpeg for this use case or you’ll be hacked,” would be out there.

          The criticism arises from the fact that Google, the multinational mega-corp, is sending these reports with the 90-day disclosure policy to a tiny unpaid team. How about the company with something like $100,000,000,000/year in net income offers a patch or two?