• CookieOfFortune@lemmy.world · 24 days ago

    They should just call this an incomplete AI output. If the AI is so good, it should create the fix, add tests, and ensure nothing else breaks.

  • vodka@feddit.org · 24 days ago

    Could be worse, at least Google isn’t opening tickets as high priority asking basic questions on how to use ffmpeg.

    Unlike the Microsoft teams devs: https://trac.ffmpeg.org/ticket/10341 Really funny to go “this is a high priority ticket” as if they’ve paid to use ffmpeg in teams.

  • Shrouded0603@feddit.org · 23 days ago

    I haven’t read it yet, so maybe this opinion may be slightly off topic, but I think there is nothing wrong with Google sending bug reports. It only gets fucked when they actually request features.

    • fodor@lemmy.zip · 23 days ago

      Google spent money to find bugs but won’t spend money to fix them. That simply makes the devs’ lives worse. It’s an asshole move.

    • Ferk@lemmy.ml · 23 days ago

      I agree… I mean they are not forced to fix the issues; if the issue is obscure and not many people are affected, then there’s no reason why they can’t just mark it as “patches welcome” and leave it there. I feel this is a problem in the policy the project might have for prioritization, not really a problem in QA / issue reporting.

      For context:

      The latest episode was sparked after a Google AI agent found an especially obscure bug in FFmpeg. How obscure? This “medium impact issue in ffmpeg,” which the FFmpeg developers did patch, is “an issue with decoding LucasArts Smush codec, specifically the first 10-20 frames of Rebel Assault 2, a game from 1995.”

      To me, the problem shouldn’t be the reporting, but categorizing it as “medium impact”. Also:

      the former maintainer of libxml2 […] recently resigned from maintaining libxml2 because he had to “spend several hours each week dealing with security issues reported by third parties. Most of these issues aren’t critical, but it’s still a lot of work.”

      Would it be truly better if the issues weren’t reported? What’s the difference between the issue not being reported and the issue not being fixed because it’s not seen as a priority?

      • colourlessidea@sopuli.xyz · 23 days ago

        what’s the difference between the issue not being reported and the issue not being fixed because it’s not seen as a priority

        Triaging and investigation take time. Plus having a bunch of open security issues even if they’re not critical destroys public confidence in the software

        • Ferk@lemmy.ml · (edited) · 23 days ago

          Sure, but if it wasn’t triaged, why consider it “medium impact”? I feel when tight on resources, it’s best to default to “low priority” for all issues whose effect (i.e. to the end user, or to the software depending on it) isn’t clearly scoped and explained by the reporter. If the reporters (or those affected) have not done the job to make it easy to quickly see why it’s important to have this fixed, then it’s probably not so important for them to have it fixed. Some projects even have bots that automatically close issues whenever there has not been activity for a certain time (though I’d prefer labeling it / categorizing it as “low engagement” or something so it can be filtered out when swamped, instead of simply closing it).

          About “public confidence”, I feel that this would rather be “misplaced confidence” if it’s based on a number that is “massaged” to hide issues. Also, this is an open source project we are talking about; there isn’t an investment fund behind it or a need for people to have absolute loyalty or blind trust. The code is objectively there; the trust should never be blind. If there wasn’t a long list of reports I’d be more suspicious of a project as popular, frequently updated & ubiquitous as ffmpeg. Especially if they are (allegedly) not triaged. Anyone who decides to choose ffmpeg based on the number of issues open without actually investigating from their end how relevant that number actually is… well… they can go look for a different software.

  • ButteryMonkey@piefed.social · 23 days ago

    That was an incredibly interesting read, and I learned a lot! Thank you for posting it!

    It’s genuinely infuriating that so much labor is simply stolen, in so many different ways, from people with a passion for what they do, and turned into profit for some mega corp, with the vast majority funneled to a few people completely unrelated to any of the work.

    • djehuti@programming.dev · 23 days ago

      Anyone who doesn’t work for themselves is getting their labor stolen, and that includes me. The name for this type of systemic crime is “capitalism.”

      • scholar@lemmy.world · 23 days ago

        Not if you are being compensated for your labour. The actual crime that describes stolen labour is “slavery”.

        • Random Dent@lemmy.ml · 23 days ago

          I think you could make an argument that being compensated for your labour, but way under the value your labour produces and also under the constant threat of homelessness and starvation if you don’t do it is still an unethical system.

    • BradleyUffner@lemmy.world · 23 days ago

      Nothing was stolen. The authors choose to give it away, for free, with no strings. That’s not theft.

      No one forced them to choose that license, and no one forced anyone to contribute to that project.

        • BradleyUffner@lemmy.world · 22 days ago

          True. I should have been more specific. No strings in that there should be no expectation of receiving anything in return.

  • buttnugget@lemmy.world · 23 days ago

    This reminds me of that time there was a critical vulnerability in some core open source library that basically everyone depends on, and there was no one around to fix it or something. I want to say it was 2015? I can’t remember the name of the software package.

    • Phoenixz@lemmy.ca · 22 days ago

      OpenSSL Heartbleed, for sure.

      Great example of corporations just taking from open source and not giving back a dime because fuck you, give us your work!

      I’d love to see a GPL version where if you’re a company, and you make more than x amount of profit with open source projects, that you gotta fund it with y amount, depending on your profit or something

      ALL big tech companies have gotten ginormous thanks to open source software, and though some have given back something, and some have done some funding, it’s always been so few pennies on so many dollars that it might as well have been slavery. Add to that that many times what was given back was only given back because it was a good thing, strategically, for them.

      Tech companies are abusive as fuck, which made them so insanely big, powerful and rich, and this nonsense has to stop.

      Open source is awesome and ALL software should be open source as far as I’m concerned, but the abuse from tech corporations has to stop.

  • communism@lemmy.ml · 24 days ago

    Surely Google has the resources to fix the bugs themselves. Most FOSS projects probably appreciate code contributions more than money.

    • dandelion (she/her)@lemmy.blahaj.zone · 24 days ago

      This would probably just lead to the corporation taking more and more of a role until they take over development of the FOSS projects they care about, which is a particular nightmare I would prefer to avoid.

      Was upset enough when Microsoft bought GitHub.

    • qqq@lemmy.world · 24 days ago

      I can’t say I’ve ever sent a security related bug report without at least some work done trying to understand how to fix it. Surely the caliber of people working for Project Zero can do that too, otherwise hi Google I’ll take one job please.

      • korazail@lemmy.myserv.one · 23 days ago

        Hell, I don’t submit help requests without a confident understanding of what’s wrong.

        Hi Amazon. My cart, ID xyz123, failed to check out. Your browser javascript seems to be throwing an error on line 173 of “null is not an object”. I think this is because the variable is overwritten in line 124, but only when the number of items AND the total cart price are prime.

        Generally, by the time I have my full support request, I have either solved my problem or solved theirs.

    • chrash0@lemmy.world · 24 days ago

      There are some teams in companies like this where management doesn’t want to account for upstreaming, and some engineers are happy to open a bug report, move the ticket to blocked, and move on to something else.

  • ozymandias117@lemmy.world · 24 days ago

    The fucking gaslighting in this response:

    Google provides more assistance to open source software projects than almost any other organization, and these debates are more likely to drive away potential sponsors than to attract them

    “We ran AI that may or may not have found a legitimate issue, and you’re not looking into it for us fast enough. That’s going to drive away new volunteers that we need”

      • tehciolo@lemmy.world · 22 days ago

        If ffmpeg was not an open source project, and somebody submitted a super obscure AI-surfaced bug,

        the bug would be fixed exactly never.

        I fail to see how funding them would change that.

        Sure, if we forget about specifics for a bit, in general terms it does sound reasonable. And they should be sponsoring ffmpeg anyway as they are using it.

        However, some bug reports should just not happen in the first place.

        • BeardedGingerWonder@feddit.uk · 22 days ago

          If Google said, “look, we know we send a lot of bug reports, here’s 50MM a year, go hire a team of dedicated developers to deal with our nonsense, we don’t have the expertise in house to train them on this codebase,” I doubt anyone would be complaining.

          Nothing wrong with fixing bugs even if they are obscure if you have the time and resources.

          • Carrot@lemmy.today · 22 days ago

            It’s common in big tech companies to have a small internal team that has the full-time job of contributing to the FOSS software they use. That is how this should have been handled. Google wants a new feature/bug squished? You’ve got your team that can make the change, that’s literally the whole point of FOSS.

    • BruisedMoose@piefed.social · 23 days ago

      I think it’s about driving away financial sponsors, not volunteer developers. So the last sentence is “That’s going to drive away people who want to give you money and make OUR product worse and our lives harder.”

  • Phoenixz@lemmy.ca · 22 days ago

    “The position of the FFmpeg X account is that somehow disclosing vulnerabilities is a bad thing. Google provides more assistance to open source software projects than almost any other organization, and these debates are more likely to drive away potential sponsors than to attract them.”

    Yeah, slave, stop complaining, get your ass back to work because I’m about to dump more obligatory work on your lap that you will fix for no pay, I don’t care you have a family to feed!

    Your complaining about not having any sponsor for the free work that we sell for millions of dollars may cause that you don’t get any sponsors!

    The entitlement and mental gymnastics on display here is insane.

    Google has made billions off of open source software they got and used for free. Sure, they gave back a few fractions of a penny for each million they made with it, they gave back by adding some software here and there when it strategically suited them, but the simple fact is that without open source software, Google wouldn’t exist today, definitely not the way they do now.

    Hell, the internet wouldn’t exist as it does today; it would be a tiny fraction of what it is today without open source software. Open source software is amazing, yet most people in the world don’t even know that it exists, that it’s a concept, and that people are doing this.

    Yet there are countless companies profiting majorly from the work of others without giving back a dime. There are multinationals that profit in the billions from open source software without giving back properly or at all.

    We need an updated GPL amendment or something that requires companies to start giving back productively in some form or another once they start majorly profiting from the work of open source projects.

  • ɯᴉuoʇuɐ@lemmy.dbzer0.com · 24 days ago

    Has anyone read the article? I barely understand what the fuss is actually about, the text is meandering and repeats semi-relevant details (specifically the part about libxml2).

    • partial_accumen@lemmy.world · 24 days ago

      I read the article, and the title is a pretty decent summary. AI is being used to find a never-ending supply of bugs (a number of which are trivial at best). The issue is that not only are the bugs being found by an AI with unlimited resources, those same processes are revealing them to the public after a time. This is placing undue burden on unpaid volunteers. So “FFmpeg to Google: Fund Us or Stop Sending Bugs”.

    • MentalEdge@sopuli.xyz · 24 days ago

      In a nutshell:

      Google is spending a shitload of money to find bugs in FOSS projects, but then refuses to spend the fraction more it would cost to contribute an actual fix, rather than just a bug report.

      Basically, they are willing to spend a ton on finding a bunch of work for FOSS developers to do, but not on actually getting any of it done.

      • Anna@lemmy.ml · 24 days ago

        Not just that: the bug they reported only affects some obscure LucasArts codec which isn’t even included in the build by default. Plus I’m pretty sure Google heavily uses ffmpeg for YouTube.

        • bamboo@lemmy.blahaj.zone · 24 days ago

          Plus Google doesn’t really care if the obscure LucasArts codec is actually fixed; they’re raising the bugs publicly to sell their AI. This is marketing, not security. The more bugs it finds the better, since sales doesn’t care about the quality of the bugs found.

    • kibiz0r@midwest.social · 24 days ago

      To add to the other replies: This is what AI is for. Not to replace labor, but to enhance the ruling class’ ability to exploit labor.

      As a convenient side effect: If you use AI to spam people with bug reports, you’re basically DDoSing them… unless they then decide to use AI to help triage the avalanche. And wouldn’t you know it, Google just happens to sell AI to help you solve this problem they made for you!

      “Nice FOSS project you got there. It’d be a shame if something happened to it.”

    • Fedditor385@lemmy.world · 22 days ago

      This would be the simplest solution. Yes, feel free to find and report bugs, but we will fix them at our own pace and availability. The vulnerabilities will be in the open and exploitable until we get to fixing them. If you need it faster, you can contribute money, people or patches.

  • fodor@lemmy.zip · 24 days ago

    They’re profiting from FOSS, nobody is trying to prevent them from doing so, but they refuse to spend small amounts of money helping out part-time coders … and you know why. That money is going to the mid-level managers themselves.

    Do the right thing and help your company in the medium run, or pocket chump change? Yeah, easy answer.