• communism@lemmy.ml · 54 up, 1 down · 21 hours ago

    Surely Google has the resources to fix the bugs themselves. Most FOSS projects probably appreciate code contributions more than money.

    • chrash0@lemmy.world · 23 up, 1 down · 20 hours ago

      There are some teams in companies like this where management doesn’t want to account for upstreaming, and some engineers are happy to open a bug report, move the ticket to blocked, and move on to something else.

    • qqq@lemmy.world · 14 up · 18 hours ago

      I can’t say I’ve ever sent a security-related bug report without at least some work done trying to understand how to fix it. Surely the caliber of people working for Project Zero can do that too; otherwise, hi Google, I’ll take one job please.

      • korazail@lemmy.myserv.one · 2 up · 8 hours ago

        Hell, I don’t submit help requests without a confident understanding of what’s wrong.

        Hi Amazon. My cart, ID xyz123, failed to check out. Your browser JavaScript seems to be throwing an error on line 173 of “null is not an object”. I think this is because the variable is overwritten in line 124, but only when the number of items AND the total cart price are prime.

        Generally, by the time I have my full support request, I have either solved my problem or solved theirs.

    • dandelion (she/her)@lemmy.blahaj.zone · 19 up · 19 hours ago

      This would probably just lead to the corporation taking more and more of a role until they take over development of the FOSS projects they care about, which is a particular nightmare I would prefer to avoid.

      I was upset enough when Microsoft bought GitHub.

        • HuntressHimbo@lemmy.zip · 32 up · 20 hours ago

          Well, for instance, you can use it to apply transparencies or other effects using the geq filter. It applies a formula to every pixel in the input and can adjust alpha, RGB values, and gamma. You can also use conditionals in your formula and have access to the current pixel’s location and value, so you can apply your transforms only to specific regions if you want, or do an adjustment keyed only to a specific color.

            • HuntressHimbo@lemmy.zip · 1 up · 5 hours ago

              That and more, really. You could use it to do a green screen effect, but you can also use it to adjust color balance or brightness, or do weirder things like swapping values between colors. It gets really crazy when you are working with full video, because the time of the current frame is also available to be incorporated, so you can even do animated effects.

              Another powerful filter is the convolve filter. That allows you to apply matrix transformations, which can for example be used to apply a homography matrix and adjust a video’s perspective.
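The two filter ideas HuntressHimbo describes (a per-pixel expression that can see the pixel’s X/Y position, its value and the frame time T, and a kernel applied over every pixel’s neighbourhood) modelled as an added example. This is not FFmpeg’s code and not code from any poster: a small pure-Python pass over a constructed grayscale frame, with constructed expressions for a region mask, a colour key and a time-driven fade, plus a kernel convolution. All frame values, expressions and kernels here are made up for illustration.

```python
"""Toy model of FFmpeg's geq (per-pixel expression) and convolve (kernel)
filters, written for illustration only; constructed data, not FFmpeg code."""
from typing import Callable, List

Plane = List[List[int]]           # one 8-bit plane: rows of pixel values
Expr = Callable[[int, int, int, float], float]   # expr(X, Y, value, T)

# Constructed 6x4 grayscale frame: a blob of value 200 on a background of 10.
SAMPLE: Plane = [
    [10, 10, 200, 200, 10, 10],
    [10, 200, 200, 200, 200, 10],
    [10, 200, 200, 200, 200, 10],
    [10, 10, 200, 200, 10, 10],
]
KEY = 200  # the value we treat as the "green screen" colour


def clamp8(v: float) -> int:
    """Round and clamp to the 0..255 range of an 8-bit plane."""
    return max(0, min(255, int(round(v))))


def geq(plane: Plane, expr: Expr, t: float = 0.0) -> Plane:
    """Evaluate expr(x, y, value, t) for every pixel, like geq does per plane."""
    return [[clamp8(expr(x, y, v, t)) for x, v in enumerate(row)]
            for y, row in enumerate(plane)]


def convolve(plane: Plane, kernel: List[List[float]]) -> Plane:
    """Apply an odd-sized kernel to every pixel, clamping reads at the edges."""
    h, w = len(plane), len(plane[0])
    k = len(kernel)
    r = k // 2
    out: Plane = []
    for y in range(h):
        row = []
        for x in range(w):
            acc = 0.0
            for ky in range(k):
                for kx in range(k):
                    sy = min(max(y + ky - r, 0), h - 1)
                    sx = min(max(x + kx - r, 0), w - 1)
                    acc += plane[sy][sx] * kernel[ky][kx]
            row.append(clamp8(acc))
        out.append(row)
    return out


# Constructed expressions in the spirit of geq's conditionals:
def region_alpha(x: int, y: int, v: int, t: float) -> float:
    """Alpha plane: fully transparent on the left half, opaque on the right."""
    return 0 if x < 3 else 255


def key_alpha(x: int, y: int, v: int, t: float) -> float:
    """Alpha plane: make every pixel matching KEY transparent (chroma key)."""
    return 0 if v == KEY else 255


def fade(x: int, y: int, v: int, t: float) -> float:
    """Luma plane: fade to black over one second of frame time."""
    return v * (1.0 - t)


IDENTITY = [[0, 0, 0], [0, 1, 0], [0, 0, 0]]
BOX_BLUR = [[1 / 9] * 3 for _ in range(3)]


def main() -> None:
    print("region alpha :", geq(SAMPLE, region_alpha)[0])
    print("keyed alpha  :", geq(SAMPLE, key_alpha)[0])
    print("fade @ t=0.5 :", geq(SAMPLE, fade, t=0.5)[0])
    print("box blur     :", convolve(SAMPLE, BOX_BLUR)[0])


if __name__ == "__main__":
    main()
```

The real filters take the expression as a string in the filtergraph and evaluate it per plane; the point of the toy is only to make visible what “access to the current pixel’s location and value” and “the time of the current frame” buy you: the same expression yields a region mask, a colour key or an animation depending on which of X, Y, the value and T it reads.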

    • Dagnet@lemmy.world · 96 up · 22 hours ago

      It’s insane just how important it is and the vast majority of the world doesn’t even know it exists. Truly unsung heroes (everyone who works on it).

  • foremanguy@lemmy.ml · 10 up, 1 down · 11 hours ago

    Even if the license allows using it commercially, I don’t think this allows abusing it when the only brake restricting you from donating is capitalism. These companies are worth more than 3T, and they are thinking long about donating to their foundations…

    • Korhaka@sopuli.xyz · 18 up · edited · 13 hours ago

      They are welcome to fix the bugs themselves and make it public. Valve have done a fair bit of that with making Windows games run on Linux IIRC.

      They could even use their LLMs to fix the bugs, and everyone else can reject the shitty bugs it creates.

      • Destide@feddit.uk · 2 up, 1 down · 9 hours ago

        Exactly my thoughts: give the devs access to your wonderful LLMs and a decent server to help fix the issue. Google is kinda behaving like an entitled first-day Stack user.

        • Korhaka@sopuli.xyz · 10 up · 9 hours ago

          Next week’s headline:

          FFmpeg to Google: Please stop submitting these shitty LLM created pull requests

  • vodka@feddit.org · 140 up, 1 down · 19 hours ago

    Could be worse, at least Google isn’t opening tickets as high priority asking basic questions on how to use ffmpeg.

    Unlike the Microsoft Teams devs: https://trac.ffmpeg.org/ticket/10341 Really funny to go “this is a high priority ticket” as if they’ve paid to use ffmpeg in Teams.

  • ɯᴉuoʇuɐ@lemmy.dbzer0.com · 15 up, 2 down · 23 hours ago

    Has anyone read the article? I barely understand what the fuss is actually about, the text is meandering and repeats semi-relevant details (specifically the part about libxml2).

    • kibiz0r@midwest.social · 27 up, 1 down · edited · 21 hours ago

      To add to the other replies: This is what AI is for. Not to replace labor, but to enhance the ruling class’ ability to exploit labor.

      As a convenient side effect: If you use AI to spam people with bug reports, you’re basically DDoSing them… unless they then decide to use AI to help triage the avalanche. And wouldn’t you know it, Google just happens to sell AI to help you solve this problem they made for you!

      “Nice FOSS project you got there. It’d be a shame if something happened to it.”

      And also also: If FOSS in general turns into a ghost town… where are you gonna turn to get that boilerplate code you need to do a common task? That’s right, AI baby! All roads lead to boiling the Great Lakes so Nvidia can pay itself back.

    • partial_accumen@lemmy.world · 35 up · 23 hours ago

      I read the article, and the title is a pretty decent summary. AI is being used to find a never-ending supply of bugs (a number of which are trivial at best). The issue is that not only are the bugs being found by unlimited-resourced AI, those same processes are revealing them to the public after a time. This is placing undue burden on unpaid volunteers. So “FFmpeg to Google: Fund Us or Stop Sending Bugs”.

    • MentalEdge@sopuli.xyz · 87 up · edited · 23 hours ago

      In a nutshell:

      Google is spending a shitload of money to find bugs in FOSS projects, but then refuses to spend the fraction more it would cost to contribute an actual fix, rather than just a bug report.

      Basically, they are willing to spend a ton on finding a bunch of work for FOSS developers to do, but not on actually getting any of it done.

      • Anna@lemmy.ml · 43 up · 22 hours ago

        Not just that, the bug they reported only affects some obscure LucasArts codec which isn’t even included in the build by default. Plus I’m pretty sure Google heavily uses ffmpeg for YouTube.

        • bamboo@lemmy.blahaj.zone · 27 up · 18 hours ago

          Plus Google doesn’t really care if the obscure LucasArts codec is actually fixed; they’re raising the bugs publicly to sell their AI. This is marketing, not security. The more bugs it finds the better, since sales doesn’t care about the quality of the bugs found.

  • ozymandias117@lemmy.world · 116 up · 17 hours ago

    The fucking gaslighting in this response:

    Google provides more assistance to open source software projects than almost any other organization, and these debates are more likely to drive away potential sponsors than to attract them

    “We ran AI that may or may not have found a legitimate issue, and you’re not looking into it for us fast enough. That’s going to drive away new volunteers that we need”

    • BruisedMoose@piefed.social · 5 up · 10 hours ago

      I think it’s about driving away financial sponsors, not volunteer developers. So the last sentence is “That’s going to drive away people who want to give you money and make OUR product worse and our lives harder.”

  • DonutsRMeh@lemmy.world · 71 up · 19 hours ago

    If I had an open source program that is being used by fuckers like Google, who can afford to pay but don’t, and then come in and demand shit, I’d just ignore them and pretend they don’t exist and continue with my life. Let them bark until they’re blue in the face. But first I’d put this as the first line in the README.md: “if you’re a big corporation and need help, come with money. Otherwise, please don’t bother me”.

    • ignirtoq@feddit.online · 35 up, 1 down · 18 hours ago

      The problem is that some small but non-zero fraction of these bugs may be exploitable security flaws with the software, and these bug reports are on the open internet. So if they just ignore them all, they risk overlooking a genuine vulnerability that a bad actor can then more easily find and use. Then the FOSS project gets the blame, because the bug report was there, they should have fixed it!

      • korazail@lemmy.myserv.one · 2 up · 8 hours ago

        I agree that this is a problem.

        “Responsible disclosure” is a thing where an organization is given time to fix their code and deploy before the vulnerability is made public. Failing to fix the issue in a reasonable time, especially a timeline that your org has publicly agreed to, will cause reputational harm and is thus an incentive to write good code that is free of vulns and to remediate ones when they are identified.

        This breaks down when the “organization” in question is just a few people with some free time who made something so fundamentally awesome that the world depends on it and have never been compensated for their incredible contributions to everyone.

        “Responsible disclosure” in this case needs a bit of a redesign when the org is volunteer work instead of a company making profit. There’s no real reputational harm to ffmpeg, since users don’t necessarily know they use it, but the broader community recognizes the risk, and the maintainers feel obligated to fix issues. Additionally, a publicly disclosed vulnerability puts tons of innocent users at risk.

        I don’t dislike AI-based code analysis. It can theoretically prevent zero-days when someone else malicious finds an issue first, but running AI tools against that xkcd-tiny-block and expecting that the maintainers have the ability to fit into a billion-dollar company’s timeline is unreasonable. Google et al. should keep risks or vulnerabilities private when disclosing them to FOSS maintainers instead of holding them to the same standard as a corporation by posting issues to a git repo.

        An RCE or similar critical issue in ffmpeg would be a real issue with widespread impact, given how broadly it is used. That suggests that it should be broadly supported. The social contract with LGPL, GPL, and FOSS in general is that code is released ‘as is, with no warranty’. Want to fix a problem? Go for it! Only calling out problems just makes you a dick: Google, Amazon, Microsoft, hundreds of others.

        As many have already stated: if a grossly profitable business depends on a “tiny” piece of code they aren’t paying for, they have two options: pay for the code (fund maintenance) or make their own. I’d also support a few headlines like “New Google Chrome vulnerability will let hackers steal your children and house!” or “Watching this YouTube video will set your computer on fire!”

    • phx@lemmy.world · 41 up · 15 hours ago

      Not only do they have the money, but Google is actively working to lock down their streaming platform (YouTube) against third parties, and they have basically yanked the rug for their OS platform while adding requirements for developers to sideload.

      Their entire direction is antagonistic and in opposition to the core concepts of FOSS.

    • fatalicus@lemmy.world · 11 up · 17 hours ago

      The main issue there is Project Zero, where if you ignore what Google has reported, they will just go ahead and disclose the issue.

  • BeerEnjoyer@lemmy.zip · 73 up · 14 hours ago

    How ironic. Recently, Google stepped up their game of “let’s kill open source Android”, and when THEY need something done, unpaid open source laborers are supposed to throw away everything and jump on the issue. What’s wrong, Google? The source code for Android 16 QPR1 was supposed to come out “in a few weeks”. They said that on September 10th. Maybe FFmpeg should fix these issues reported by Google “in a few weeks” too?

  • PiraHxCx@lemmy.ml · 99 up, 5 down · 24 hours ago

    Google is trying to kill Android and take control of it, I wonder if such acts aren’t part of the same agenda.

      • PiraHxCx@lemmy.ml · 63 up · edited · 23 hours ago

        https://www.androidauthority.com/google-android-development-aosp-3538503/
        https://www.androidauthority.com/google-sideloading-android-developer-verification-rules-3602811/

        PS: Have no doubt, every claim Google makes about restricting stuff for your own good is just them lying out of their asses.

        So I guess more free open source projects won’t be able to be maintained by overworked volunteers, and they’ll get “rescued” by trillion-dollar corporations that will close-source everything, backdoor the shit out of it, and decide what you can and cannot have.

      • themurphy@lemmy.ml · 42 up, 1 down · 23 hours ago

        They do, but Android is open source, and now Google is trying to close it down.

          • mmmm@sopuli.xyz · 5 up, 1 down · 23 hours ago

            I don’t think so, but it seems you two are mixing up Android and AOSP.

            Android is owned by Google. AOSP is not.

            I might be wrong on this but it seems to me they’re replacing in Android, the OS shipped with many smartphones, parts that have open licenses, i.e. parts from AOSP. Like they are replacing open parts of code with privative parts of code.

          • davidgro@lemmy.world · 22 up · 23 hours ago

            Not all at once, but I feel like since the beginning more and more stuff has moved to closed source components like the Google services framework. Even the launcher used to be open source and that’s not maintained now in favor of closed OEM (including Pixel) ones.

          • Dudewitbow@lemmy.zip · 12 up · 22 hours ago

            Slowing down AOSP releases (why Graphene is looking into other phone options). Google is also trying to enforce developer signatures on apps, which would give Google the power to kill small developers on third-party app stores and ruin sideloading, as you would have to go through Google to be verified to make APKs.

            These are a few examples that have popped up in the past year.

          • folkrav@lemmy.ca · 42 up · 23 hours ago

            They’ve been moving more and more out of AOSP into their Play Services for a good while now. However I suspect OP was referring to their announcement that they’ll require developer verification, and apps to be signed with a certificate they issue, for any app install on a verified device (read any device sold with the Play Store). Long story short, no more building and distributing APKs without Google knowing who you are and that your app exists.

            https://android-developers.googleblog.com/2025/08/elevating-android-security.html

      • quick_snail@feddit.nl · 13 up, 1 down · 19 hours ago

        Nope. Android phones without Google are a thing. It’s the default when you install the OS yourself, actually.

  • adr1an@programming.dev · 17 up · 8 hours ago

    “Allow me to interject and explain the four liberties…” (Or, goto fsfe.org/freesoftware )

    If I understand correctly, the biggest issue for FFmpeg and other projects is not only Google and Microsoft using them without giving back, but their chosen license. They gave permission to corporations to do this. One of the potential ways to fix this situation is to change the license, for example from LGPL to AGPL. And then they can sell the legalese package of allowing them to break their license. The biggest difficulty is that, as a project, they’d need consent from every past and future contributor. So, yeah. I get it. This is a mess.

    It would be way easier if more corporations donated to open source projects… There’s too much labour that’s invisible.