this post was submitted on 11 Nov 2025
223 points (99.6% liked)
Free and Open Source Software
Project Zero was entirely humans though, no GenAI. Project Big Sleep has been reliable so far, but there is no real reason for ffmpeg developers to value Project Big Sleep's 6.0 CVEs over potentially real, more critical CVEs. The problem is that Google's security team would still be breathing down the necks of these developers and demanding fixes for the vulns they submitted, which is kinda BS when they aren't chipping in at all.
Nah, the actually fake bug reports also often have fake "test cases". That's what makes the LLM generated bug reports so difficult to deal with.
6.0 is pretty serious according to the rubric. Are there some worse ones? Yes, Google is acting obnoxiously per your description. It makes no sense to me that they are balking at supplying some funds. They used to be fairly forthcoming with such support.
I can imagine a CI system for bug reports where you put in the test case and it gets run under the real software to confirm whether an error results, if one has been claimed. No error => invalid test case.
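A minimal version of the triage harness this comment sketches, as an added example that is not part of the thread: it runs a submitted test case against the real binary and reports whether an error actually occurred. The target command and inputs are assumptions (the self-check uses the Python interpreter as a stand-in target); one caveat beyond the comment is that a clean non-zero exit, i.e. the program rejecting malformed input through its normal error path, is classified as handled rather than as a reproduced error, since only crashes, sanitizer reports and hangs support the claimed bug.

```python
"""Triage harness for submitted bug reports: run the reporter's test case under the
real binary and decide whether an error actually occurs (added example, not thread code)."""
import re
import subprocess
import sys
from dataclasses import dataclass

# Markers printed by sanitizer-instrumented builds when they catch a memory error.
SANITIZER_RE = re.compile(r"(Address|UndefinedBehavior|Memory|Leak|Thread)Sanitizer")


@dataclass
class Verdict:
    reproduced: bool   # True only for crash, sanitizer report or hang
    kind: str          # "crash", "sanitizer", "hang", "handled-error", "clean"
    detail: str


def run_test_case(cmd, stdin_data=b"", timeout=30):
    """Run cmd (argv list) with the claimed input on stdin and classify the outcome."""
    try:
        proc = subprocess.run(cmd, input=stdin_data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return Verdict(True, "hang", f"no exit within {timeout}s")
    stderr = proc.stderr.decode("utf-8", "replace")
    if proc.returncode < 0:            # POSIX: process was killed by signal N
        return Verdict(True, "crash", f"terminated by signal {-proc.returncode}")
    if SANITIZER_RE.search(stderr):
        return Verdict(True, "sanitizer", "sanitizer report on stderr")
    if proc.returncode != 0:           # input rejected via the normal error path
        return Verdict(False, "handled-error", f"exit status {proc.returncode}")
    return Verdict(False, "clean", "exit 0, no sanitizer output")


def self_check():
    """Stand-in targets (assumption): the Python interpreter imitates each outcome."""
    py = sys.executable
    cases = {
        "crash": [py, "-c", "import os; os.abort()"],
        "sanitizer": [py, "-c", "import sys; sys.stderr.write('==1==ERROR: "
                      "AddressSanitizer: heap-buffer-overflow\\n'); sys.exit(1)"],
        "handled-error": [py, "-c", "import sys; sys.exit(1)"],
        "clean": [py, "-c", "print('decoded fine')"],
        "hang": [py, "-c", "import time; time.sleep(10)"],
    }
    return {name: run_test_case(cmd, timeout=2) for name, cmd in cases.items()}


if __name__ == "__main__":
    for name, v in self_check().items():
        print(f"{name:14} reproduced={v.reproduced!s:5} kind={v.kind:14} {v.detail}")
```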