FFmpeg to Google: Fund Us or Stop Sending Bugs
11 days ago
- #CorporateResponsibility
- #OpenSource
- #FFmpeg
- FFmpeg is a widely used open-source multimedia framework essential for video and audio processing across platforms and devices.
- Large tech companies like Google rely on FFmpeg but contribute little funding, leaving maintenance to unpaid volunteers.
- A debate arose after Google's AI found an obscure bug in FFmpeg, highlighting the burden on volunteer maintainers.
- FFmpeg and other open-source projects struggle with the workload of triaging and fixing the vulnerability reports that AI bug-finding tools now produce, without financial support for that work.
- Google's security disclosure policy pressures maintainers with a 90-day deadline, after which details of the bug are made public, regardless of whether the maintainers are paid or volunteers.
- Maintainers argue that trillion-dollar corporations should fund fixes or provide patches instead of relying on volunteers.
- The former maintainer of libxml2 resigned due to unsustainable workload from handling third-party security issues.
- Security experts emphasize the need for responsible vulnerability disclosures but acknowledge the lack of resources for volunteers.
- Without corporate support, critical open-source projects like FFmpeg and libxml2 risk being abandoned, posing security risks.