Free and Open Source Software

20620 readers

5 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 3 years ago

MODERATORS

Gaywallet@beehaw.org

alyaza@beehaw.org

222

FFmpeg to Google: Fund Us or Stop Sending Bugs (thenewstack.io)

submitted 4 days ago by als@lemmy.blahaj.zone to c/foss@beehaw.org

52 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Endymion_Mallorn@kbin.melroy.org 48 points 4 days ago (1 children)

I mean, the simple solution is to do the same as curl's dev: If it's AI, it's ignored. If it's a corporation who hasn't had recent code published in the codebase, it's ignored. Bugs and vulnerabilities should be human-reported by the community.

That's the way forward for FOSS - ignore the corps. Then start rebasing on exclusively non-commercial licenses.

[–] solrize@lemmy.ml 27 points 4 days ago* (last edited 4 days ago) (1 children)

AI reports are ignored because they are so frequently crap that they are almost not worth investigating. If these ffmpeg reports are from Project Zero though, they are presumably real. Shipping code with vulnerabilities is always a terrible idea. If Google can find them, attackers can also find them.

I do have to wonder how many of these vulnerabilities are actually in the assembly language parts of the codecs. I had guessed they were more likely to be at the higher levels.