- cross-posted to:
- technology@lemmy.world
The fucking gaslighting in this response
Google provides more assistance to open source software projects than almost any other organization, and these debates are more likely to drive away potential sponsors than to attract them
“We ran AI that may or may not have found a legitimate issue, and you’re not looking into it for us fast enough. That’s going to drive away new volunteers that we need”
They do sponsor a lot of open source projects though. ffmpeg should be one of them.
If ffmpeg were not an open source project, and somebody submitted a super obscure AI-surfaced bug
The bug would be fixed exactly never
I fail to see how funding them would change that
Sure, if we forget about specifics for a bit, in general terms it does sound reasonable. And they should be sponsoring ffmpeg anyway as they are using it.
However some bug reports should just not happen in the first place
Google is trying to kill Android and take control of it, I wonder if such acts aren’t part of the same agenda.
?
I must not know as much as I thought.
I thought they owned Android. Is that not true?
https://www.androidauthority.com/google-android-development-aosp-3538503/
https://www.androidauthority.com/google-sideloading-android-developer-verification-rules-3602811/
PS: Have no doubt, every claim Google makes about restricting stuff for your own good is just them lying out of their asses.
So I guess more free open source projects won’t be able to be maintained by overworked volunteers, and they’ll get “rescued” by trillion-dollar corporations that will close-source everything, backdoor the shit out of it, and decide what you can and cannot have.
They do, but Android is open source, and now Google is trying to close it down.
How? Are they retroactively changing the license?
They’ve been moving more and more out of AOSP into their Play Services for a good while now. However I suspect OP was referring to their announcement that they’ll require developer verification, and apps to be signed with a certificate they issue, for any app install on a verified device (read any device sold with the Play Store). Long story short, no more building and distributing APKs without Google knowing who you are and that your app exists.
https://android-developers.googleblog.com/2025/08/elevating-android-security.html
Not all at once, but I feel like since the beginning more and more stuff has moved to closed source components like the Google services framework. Even the launcher used to be open source and that’s not maintained now in favor of closed OEM (including Pixel) ones.
I don’t think so but it seems you two are mixing Android and AOSP.
Android is owned by Google. AOSP is not.
I might be wrong on this, but it seems to me they're replacing, in Android, the OS shipped with many smartphones, parts that have open licenses, i.e. parts from AOSP. Like they are replacing open parts of the code with proprietary parts of code.
They don't actually need to change the license at all. Despite what most people think (and what would logically make sense), AOSP is actually downstream from Android. So basically, as we're seeing right now, if Android doesn't want to release the source code for something they just need to not push it to AOSP. It has been over two months already and Android 16 QPR1 still hasn't been upstreamed to AOSP, nor are they legally required to (they are legally required to publish kernel sources, which they have failed to do).
FFmpeg has every right to ask this. Google can’t expect to extract free labour from the community.
Isn't that the definition of open source as seen from commercial entities?
slay
If I had an open source program that is being used by fuckers like Google, who can afford to pay but don't, and who then come in and demand shit, I'd just ignore them and pretend they don't exist and continue with my life. Let them bark until they're blue in the face. But first I'd put this as the first line in the README.md: "If you're a big corporation and need help, come with money. Otherwise, please don't bother me."
Not only that they have the money, but Google is actively working to lock down their streaming platform (YouTube) against third-parties and they have basically yanked the rug for their OS platform, while adding requirements for developers to sideload.
Their entire direction is antagonistic and in opposition to the core concepts of FOSS
Yup. Fuck google.
The main issue there is Project Zero: if you ignore what Google has reported, they will just go ahead and disclose the issue.
I'm going to be the asshole here. And? If I'm not getting paid, then why should I care? It's a hobby project that I made for fun in my free time. If this were my living, then I'd understand what you're saying.
Greedy tech should pay. No question about it.
They should either get GPL’d or forced to pay.
All these company execs know is exploitation, and it’s hilarious to see how immature they act when they don’t get their way.
You think this even shows up on the radar of company execs?
I imagine they’d be aware of it if YouTube just suddenly stopped working
Man, I loved that line about how they could shut down three Amazon projects with a single email. That small bit of leverage against these parasites is all they have.
They couldn’t just make YouTube suddenly stop working.
ffmpeg is published under the LGPL license, meaning that all of the published versions are free for anyone to use in anything, as long as they don’t modify the ffmpeg library.
The only leverage they have over YouTube is that they could stop allowing YouTube to use future versions. That could create headaches for YouTube if it turns out there’s major security issues, since then YouTube will need to either solve them with a wrapper / sandbox around the library, or write their own library, but any existing versions in use will always be usable by YouTube.
- Create major security issues on purpose
- Release and wait for them to update
- Switch licenses and release fixes
- Publish vulnerabilities far and wide
Surely Google has the resources to fix the bugs themselves. Most FOSS projects probably appreciate code contributions more than money.
there are some teams in companies like this where management doesn’t want to account for upstreaming and some engineers are happy to open a bug report, move the ticket to blocked, and move on to something else
this would probably just lead to the corporation taking more and more of a role until they take over development of the FOSS projects they care about, which is a particular nightmare I would prefer to avoid
was upset enough when Microsoft bought Github
I can’t say I’ve ever sent a security related bug report without at least some work done trying to understand how to fix it. Surely the caliber of people working for Project Zero can do that too, otherwise hi Google I’ll take one job please.
I mean, bugs are bugs. It's not like Google makes them; they are there. It's up to ffmpeg to decide if they should care or not.
But in general I think companies who rely on opensource need to contribute more.
"I mean, bugs are bugs. It's not like Google makes them; they are there."
No, but there are big bugs and small bugs, and it sounds like Google's AI bug finder is flooding them with small bugs that don't affect the security or end product so much. But some unpaid volunteer from FFmpeg has to check them all out regardless. And Google getting pissy about it doesn't help.
The bug in this case was a vulnerability in a 1995 Rebel Assault 2 video game cinematic, specifically the first 20 frames. So only people with that game, watching the specific cinematic, who got the special hobby build of ffmpeg, had this vulnerability.
Yes, but still a bug. FFmpeg could just have said "OK. We're not gonna patch that."
Google also appended a 90-day disclosure policy to their reports. FFmpeg can always say "we're not going to fix that", but that would mean a security issue would be published, letting nefarious actors act on it. Even if it would only affect 3 users, the follow-up information of "don't use FFmpeg for this use case or you'll be hacked" would be out there.
The criticism arises from the fact that Google, the multinational mega-corp, is sending these reports with the 90-day disclosure policy to a tiny unpaid team. How about the company with something like $100,000,000,000/year in net income offer a patch or two?
Sounds like a prioritization issue. They could configure the git bots to automatically flag all these as "AI-reported" and filter them out from their TODO, considering them low priority by default, unless/until someone starts commenting on the ticket and bringing it to their attention / legitimizing it.
EDIT: OK, I just read about the 90-day policy... I feel then that the problem is not the reporting, but the further actions Google plans based on an automated tool that seems to be inadequate to judge the severity of each issue.
They should just call this an incomplete AI output. If the AI is so good, it should create the fix, add tests, and ensure nothing else breaks.
Then file the bug back to them
“The position of the FFmpeg X account is that somehow disclosing vulnerabilities is a bad thing. Google provides more assistance to open source software projects than almost any other organization, and these debates are more likely to drive away potential sponsors than to attract them.”
Yeah slave, stop complaining get your ass back to work because I’m about to dump more obligatory work on your lap that you will fix for no pay, I don’t care you have a family to feed!
Your complaining about not having any sponsor for the free work that we sell for millions of dollars may cause you not to get any sponsors!
The entitlement and mental gymnastics on display here are insane.
Google has made billions off of open source software they got and used for free. Sure, they gave back a few fractions of a penny for each million they made with it, and they gave back by adding some software here and there when it strategically suited them, but the simple fact is that without open source software, Google wouldn't exist today, definitely not the way they do now.
Hell, the internet wouldn't exist as it does today; it would be a tiny fraction of what it is today without open source software. Open source software is amazing, yet most people in the world don't even know that it exists, that it's a concept, and that people are doing this.
Yet there are countless companies profiting majorly from the work of others without giving back a dime. There are multinationals that profit in the billions from open source software without giving back properly or at all.
We need an updated GPL amendment or something that requires companies to start giving back productively in some form or another once they start majorly profiting from the work of open source projects.
“This library comes with ABSOLUTELY NO WARRANTY”
- “But the 1995 rebel assault build tho.”
This would be the simplest solution. Yes, feel free to find and report bugs, but we will fix them at our own pace and availability. The vulnerabilities will be in the open and exploitable until we get to fixing them. If you need it faster, you can contribute money, people or patches.
Has anyone read the article? I barely understand what the fuss is actually about, the text is meandering and repeats semi-relevant details (specifically the part about libxml2).
In a nutshell:
Google is spending a shitload of money to find bugs in FOSS projects, but then refuses to spend the fraction more it would cost to contribute an actual fix, rather than just a bug report.
Basically, they are willing a spend a ton on finding a bunch of work for FOSS developers to do, but not on actually getting any of it done.
Not just that: the bug they reported only affects some obscure LucasArts codec which isn't even included in the build by default. Plus I'm pretty sure Google heavily uses ffmpeg for YouTube.
Plus Google doesn't really care if the obscure LucasArts codec is actually fixed; they're raising the bugs publicly to sell their AI. This is marketing, not security. The more bugs it finds the better, since sales doesn't care about the quality of the bugs found.
I read the article, and the title is a pretty decent summary. AI is being used to find a never-ending supply of bugs (a number of which are trivial at best). The issue is that not only are the bugs being found by unlimited-resource AI, those same processes are revealing them to the public after a time. This is placing an undue burden on unpaid volunteers. So "FFmpeg to Google: Fund Us or Stop Sending Bugs".
And some are, apparently, obscure af:
“an issue with decoding LucasArts Smush codec, specifically the first 10-20 frames of Rebel Assault 2, a game from 1995.”
Great game
Great name
To add to the other replies: This is what AI is for. Not to replace labor, but to enhance the ruling class’ ability to exploit labor.
As a convenient side effect: If you use AI to spam people with bug reports, you’re basically DDoSing them… unless they then decide to use AI to help triage the avalanche. And wouldn’t you know it, Google just happens to sell AI to help you solve this problem they made for you!
“Nice FOSS project you got there. It’d be a shame if something happened to it.”
And also also: If FOSS in general turns into a ghost town… where are you gonna turn to get that boilerplate code you need to do a common task? That’s right, AI baby! All roads lead to boiling the Great Lakes so Nvidia can pay itself back.
This reminds me of that time there was a critical vulnerability in some core open source library that basically everyone depends on, and there was no one around to fix it or something. I want to say it was 2015? I can’t remember the name of the software package.
OpenSSL heart bleed, for sure
Great example of corporations just taking from open source and not giving back a dime because fuck you, give us your work!
I’d love to see a GPL version where if you’re a company, and you make more than x amount of profit with open source projects, that you gotta fund it with y amount, depending on your profit or something
ALL big tech companies have gotten ginormous thanks to open source software, and though some have given back something, and some have done some funding, it’s always been such few pennies on so many dollars that it might as well have been slavery. Add to that that many times what was given back was only given back because it was a good thing, strategically, for them.
Tech companies are abusive as fuck which made them so insanely big, powerful and rich and this nonsense has to stop
Open source is awesome and ALL software should be open source as far as I’m concerned, but the abuse from tech corporations has to stop
OpenSSL?
I think that might have been it.
xz?
Someone else said OpenSSL. I think that’s what it was.