• Evotech@lemmy.world
    ↑ 11 · 7 hours ago

    I mean, bugs are bugs. It’s not like Google makes them; they are there. It’s up to ffmpeg to decide if they should care or not.

    But in general I think companies who rely on opensource need to contribute more.

  • adr1an@programming.dev
    ↑ 17 · 8 hours ago

    “Allow me to interject and explain the four liberties…” (Or, go to fsfe.org/freesoftware)

    If I understand correctly, the biggest issue for FFmpeg and other projects is not only the Google and Microsoft that use them without giving back, but their chosen license. They gave permission to corporations to do this. One of the potential ways to fix this situation is to change the license. For example, from LGPL to AGPL. And then they can sell the legalese package of allowing them to break their license. The biggest difficulty is that, as a project, they’d need consent from every past and future contributor. So, yeah. I get it. This is a mess.

    It would be way easier if more corporations donated to open source projects… There’s too much labour that’s invisible.

  • brax@sh.itjust.works
    ↑ 30 · 10 hours ago

    All these company execs know is exploitation, and it’s hilarious to see how immature they act when they don’t get their way.

  • BeerEnjoyer@lemmy.zip
    ↑ 69 · 15 hours ago

    How ironic. Recently, Google stepped up their game of “let’s kill open source Android”, and when THEY need something done, unpaid open source laborers are supposed to throw away everything and jump on the issue. What’s wrong, Google? The source code for Android 16 QPR1 was supposed to come out “in a few weeks”. They said that on September 10th. Maybe FFmpeg should fix these issues reported by Google “in a few weeks” too?

  • foremanguy@lemmy.ml
    ↑ 10 · 12 hours ago

    Even if the license allows using it commercially, I don’t think it is allowed to abuse it when the only brake restricting you from donating is capitalism. These companies are worth more than 3T, and they are thinking long to donate to their foundations…

  • ozymandias117@lemmy.world
    English · ↑ 107 · 18 hours ago

    The fucking gaslighting in this response

    Google provides more assistance to open source software projects than almost any other organization, and these debates are more likely to drive away potential sponsors than to attract them

    “We ran AI that may or may not have found a legitimate issue, and you’re not looking into it for us fast enough. That’s going to drive away new volunteers that we need”

    • BruisedMoose@piefed.social
      English · ↑ 5 · 10 hours ago

      I think it’s about driving away financial sponsors, not volunteer developers. So the last sentence is “That’s going to drive away people who want to give you money and make OUR product worse and our lives harder.”

  • vodka@feddit.org
    ↑ 131 · 20 hours ago

    Could be worse, at least Google isn’t opening tickets as high priority asking basic questions on how to use ffmpeg.

    Unlike the Microsoft Teams devs: https://trac.ffmpeg.org/ticket/10341 Really funny to go “this is a high priority ticket” as if they’ve paid to use ffmpeg in Teams.

  • ButteryMonkey@piefed.social
    English · ↑ 35 · edited · 16 hours ago

    That was an incredibly interesting read, and I learned a lot! Thank you for posting it!

    It’s genuinely infuriating that so much labor is simply stolen, in so many different ways, from people with a passion for what they do, and turned into profit for some mega corp, with the vast majority funneled to a few people completely unrelated to any work.

    • djehuti@programming.dev
      ↑ 8 · 9 hours ago

      Anyone who doesn’t work for themselves is getting their labor stolen, and that includes me. The name for this type of systemic crime is “capitalism.”

      • scholar@lemmy.world
        ↑ 2 · 8 hours ago

        Not if you are being compensated for your labour. The actual crime that describes stolen labour is “slavery”

        • Random Dent@lemmy.ml
          English · ↑ 4 · 7 hours ago

          I think you could make an argument that being compensated for your labour, but way under the value your labour produces and also under the constant threat of homelessness and starvation if you don’t do it is still an unethical system.

  • DonutsRMeh@lemmy.world
    ↑ 67 · 19 hours ago

    If I had an open source program that is being used by fuckers like Google, who can afford to pay but don’t, and then come in and demand shit. I’d just ignore them and pretend they don’t exist and continue with my life. Let them bark until they’re blue in the face. But first I’d put this as the first line in the README.md “if you’re a big corporation and need help, come with money. Otherwise, please don’t bother me”.

    • phx@lemmy.world
      ↑ 39 · 15 hours ago

      Not only that they have the money, but Google is actively working to lock down their streaming platform (YouTube) against third-parties and they have basically yanked the rug for their OS platform, while adding requirements for developers to sideload.

      Their entire direction is antagonistic and in opposition to the core concepts of FOSS

    • ignirtoq@feddit.online
      English · ↑ 32 · 19 hours ago

      The problem is that some small but non-zero fraction of these bugs may be exploitable security flaws with the software, and these bug reports are on the open internet. So if they just ignore them all, they risk overlooking a genuine vulnerability that a bad actor can then more easily find and use. Then the FOSS project gets the blame, because the bug report was there, they should have fixed it!

      • korazail@lemmy.myserv.one
        English · ↑ 2 · 8 hours ago

        I agree that this is a problem.

        “Responsible disclosure” is a thing where an organization is given time to fix their code and deploy before the vulnerability is made public. Failing to fix the issue in a reasonable time, especially a timeline that your org has publicly agreed to, will cause reputational harm and is thus an incentive to write good code that is free of vulns and to remediate ones when they are identified.

        This breaks down when the “organization” in question is just a few people with some free time who made something so fundamentally awesome that the world depends on it and have never been compensated for their incredible contributions to everyone.

        “Responsible disclosure” in this case needs a bit of a redesign when the org is volunteer work instead of a company making profit. There’s no real reputational harm to ffmpeg, since users don’t necessarily know they use it, but the broader community recognizes the risk, and the maintainers feel obligated to fix issues. Additionally, a publicly disclosed vulnerability puts tons of innocent users at risk.

        I don’t dislike AI-based code analysis. It can theoretically prevent zero-days when someone else malicious finds an issue first, but running AI tools against that xkcd-tiny-block and expecting that the maintainers have the ability to fit into a billion-dollar-company’s timeline is unreasonable. Google et al. should keep risks or vulnerabilities private when disclosing them to FOSS maintainers instead of holding them to the same standard as a corporation by posting issues to a git repo.

        An RCE or similar critical issue in ffmpeg would be a real issue with widespread impact, given how broadly it is used. That suggests that it should be broadly supported. The social contract with LGPL, GPL, and FOSS in general is that code is released ‘as is, with no warranty’. Want to fix a problem, go for it! Only calling out problems just makes you a dick: Google, Amazon, Microsoft, 100s of others.

        As many have already stated: If a grossly profitable business depends on a “tiny” piece of code they aren’t paying for, they have two options: pay for the code (fund maintenance) or make their own. I’d also support a few headlines like “New Google Chrome vulnerability will let hackers steal your children and house!” or “watching this YouTube video will set your computer on fire!”

    • fatalicus@lemmy.world
      ↑ 11 · 17 hours ago

      The main issue there is Project Zero, where if you ignore what Google has reported, they will just go ahead and disclose the issue.

    • Dagnet@lemmy.world
      English · ↑ 90 · 22 hours ago

      It’s insane just how important it is and the vast majority of the world doesn’t even know it exists. Truly unsung heroes (everyone who works on it).

        • HuntressHimbo@lemmy.zip
          ↑ 31 · 20 hours ago

          Well, for instance, you can use it to apply transparencies or other effects using the geq filter. It applies a formula to every pixel in the input and can adjust alpha, rgb values, and gamma. You can also use conditionals in your formula and have access to the current pixel’s location and value, so you can apply your transforms only to specific regions if you want, or do an adjustment keyed only to a specific color.

            • HuntressHimbo@lemmy.zip
              ↑ 1 · 6 hours ago

              That and more really. You could use it to do a green screen effect, but you can also use it to adjust color balance, brightness or do weirder things like swapping values between colors. It gets really crazy when you are working with full video because the time of the current frame is also available to be incorporated, so you can even do animated effects.

              Another powerful filter is the convolve filter. That allows you to apply matrix transformations, which can for example be used to apply a homography matrix and adjust a video’s perspective.

    • Korhaka@sopuli.xyz
      English · ↑ 18 · edited · 13 hours ago

      They are welcome to fix the bugs themselves and make it public. Valve have done a fair bit of that with making Windows games run on Linux IIRC.

      They could even use their LLMs to fix the bugs, and everyone else can reject the shitty bugs it creates.

      • Destide@feddit.uk
        English · ↑ 2 · 9 hours ago

        Exactly my thoughts, give the devs access to your wonderful LLMs and a decent server to help fix the issue. Google kinda behaving like an entitled first day Stack user.

        • Korhaka@sopuli.xyz
          English · ↑ 9 · 9 hours ago

          Next week’s headline

          FFmpeg to Google: Please stop submitting these shitty LLM created pull requests

  • fodor@lemmy.zip
    ↑ 48 · 20 hours ago

    They’re profiting from FOSS, nobody is trying to prevent them from doing so, but they refuse to spend small amounts of money helping out part-time coders … and you know why. That money is going to the mid-level managers themselves.

    Do the right thing and help your company in the medium run, or pocket chump change? Yeah, easy answer.

  • CookieOfFortune@lemmy.world
    ↑ 26 · 18 hours ago

    They should just call this an incomplete AI output. If the AI is so good, it should create the fix, add tests, and ensure nothing else breaks.