this post was submitted on 11 Nov 2025
222 points (99.6% liked)

Free and Open Source Software


If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 3 years ago
[–] Endymion_Mallorn@kbin.melroy.org 48 points 4 days ago (1 children)

I mean, the simple solution is to do the same as curl's dev: If it's AI, it's ignored. If it's a corporation who hasn't had recent code published in the codebase, it's ignored. Bugs and vulnerabilities should be human-reported by the community.

That's the way forward for FOSS - ignore the corps. Then start rebasing on exclusively non-commercial licenses.

[–] solrize@lemmy.ml 27 points 4 days ago* (last edited 4 days ago) (1 children)

AI reports are ignored because they are so frequently crap that they are almost not worth investigating. If these ffmpeg reports are from Project Zero though, they are presumably real. Shipping code with vulnerabilities is always a terrible idea. If Google can find them, attackers can also find them.

I do have to wonder how many of these vulnerabilities are actually in the assembly language parts of the codecs. I had guessed they were more likely to be at the higher levels.

[–] tonytins@pawb.social 48 points 4 days ago

What happened to forking these projects and going their own route? If they're so confident in AI, they could just vibe code their way through.

[–] veniasilente@lemmy.dbzer0.com 39 points 4 days ago (2 children)

If Google has the resources to put AI to slop bug reports, then it also has the resources to put AI to also post the fixes. So, they should get going. No one owes Google, of all corporations, free labour.

[–] TehPers@beehaw.org 49 points 4 days ago (1 children)

I think the last thing ffmpeg devs want is AI generated bugfixes to their assembly-heavy codebase. What they should do is dedicate time for experienced devs to fix the bugs instead.

[–] veniasilente@lemmy.dbzer0.com 1 points 3 days ago (1 children)

ffmpeg devs can refuse the AI generated bugfixes for all we care. What I'm heading at is if Google is going to spend AI on posting a problem, then they should also post the solution. At their own expense.

[–] TehPers@beehaw.org 4 points 3 days ago (1 children)

ffmpeg devs can refuse the AI generated bugfixes for all we care.

This is a separate problem, but it's still a problem. Many projects have seen a rise in slop PRs. curl is notorious for complaining about AI slop vulnerabilities and patch requests.

But I think we both agree that Google needs to be doing something more rather than putting the workload entirely on the ffmpeg devs.

[–] veniasilente@lemmy.dbzer0.com 1 points 3 days ago

Agree! I hereby propose that Google forwards US$1000 to the developers each time the AI signals a bug. Don't even need to write it off as expense, it's just "investment on QA".

[–] LukeZaz@beehaw.org 30 points 4 days ago (1 children)

Better suggestion: Stop using AI to do any of this shit. Security research and vulnerability patching should not be reliant upon de facto black-box random number generators.

[–] Kirk@startrek.website 23 points 4 days ago (2 children)

I have no issue with using AI to find otherwise undiscovered security bugs. But attempting to fix them with AI I'm not in favor of.

[–] thebardingreen@lemmy.starlightkel.xyz 12 points 4 days ago* (last edited 19 hours ago) (1 children)

The user's code is vulnerable to a buffer overflow in certain edge cases. I need to patch the vulnerability and commit the patch to the repo.

I should rewrite the existing memmanage() function to handle these edge cases. (Silently removes all other functionality)

I should modify garbagecollect() to detect these edge cases. I'll rename it to garbage_collector() for clarity and readability. (Renames the function, calls it nowhere)

(Confidently) I modified the program as requested, the new version of your application should be more secure and handle memory issues much more efficiently.

[–] underscore_@sopuli.xyz 11 points 3 days ago* (last edited 3 days ago)

/cost

Total cost: $430.1161

Total duration (API): 41s

Total duration (wall): 29m 50s

Total code changes: 18 786 lines added, 12 lines removed

[–] LukeZaz@beehaw.org 3 points 3 days ago

You seem to be under the impression that AI is a good tool for finding undiscovered security bugs. It's not. It's a crapshoot that requires a ton of extra effort to verify. Using it to find bugs wastes time and has a high risk of side-effects, given that AI has no understanding and thus cannot know if an issue is important, if fixing it has unwanted implications, or if there even is one at all. And if you're going to try to solve that with human supervision, then you may as well just have the human do the review to begin with and leave the AI out of it.

[–] irotsoma@piefed.blahaj.zone 13 points 3 days ago

If they're using "AI" to find bugs, why not use it to submit a patch along with it?... Oh yeah, because LLM "AI" is shit at coding which is why Microsoft and other companies resort to firing their own employees for not using it to code even though it just adds extra work unless you're doing simple stuff (which assembly never is). As if they aren't already overwhelmed from having to do the jobs of the 5 people they laid off for every one they kept.

[–] solrize@lemmy.ml 18 points 4 days ago (1 children)

I'd like FFmpeg to get more funding, but the bugs being reported are valid security bugs, so it seems desirable to send them anyway, preferably with fixes.

[–] GammaGames@beehaw.org 43 points 4 days ago* (last edited 4 days ago) (18 children)

Eeeeh, I think a lot of the ai reports are pretty low value. The article says:

This “medium impact issue in ffmpeg,” which the FFmpeg developers did patch, is “an issue with decoding LucasArts Smush codec, specifically the first 10-20 frames of Rebel Assault 2, a game from 1995.”

Google can pay more to fix these issues, ffmpeg already hits their 3 bounty/month limit.

[–] yakko@feddit.uk 7 points 4 days ago

I would be worried if FFmpeg depended on a monopolist for any amount of funding though tbqh

[–] solrize@lemmy.ml 3 points 3 days ago

Very long HN thread that I haven't had the stomach to look at: https://news.ycombinator.com/item?id=45891016
