You must log in or # to comment.
What happened to forking these projects and going their own route? If they’re so confidant in AI, they could just vibe code their way through.
I mean, the simple solution is to do the same as curl’s dev: If it’s AI, it’s ignored. If it’s a corporation who hasn’t had recent code published in the codebase, it’s ignored. Bugs and vulnerabilities should be human-reported by the community.
That’s the way forward for FOSS - ignore the corps. Then start rebasing on exclusively non-commercial licenses.
AI reports are ignored because they are so frequently crap that they are almost not worth investigating. If these ffmpeg reports are from Project Zero though, they are presumably real. Shipping code with vulnerabilities is always a terrible idea. If Google can find them, attackers can also find them.
I do have to wonder how many of these vulnerabilities are actually in the assembly language parts of the codecs. I had guessed they were more likely to be at the higher levels.
deleted by creator
if Google has the resources to put AI to slop bug reports, then it also has the resources to put AI to also post the fixes. So, they should get going. No one owes Google of all corporations free labour.
I think the last thing ffmpeg devs want is AI generated bugfixes to their assembly-heavy codebase. What they should do is dedicate time for experienced devs to fix the bugs instead.
ffmpeg devs can refuse the AI generated bugfixes for all we care. What I’m heading at is if Google is going to spend AI on posting a problem, then they should also post the solution. At their own expense.
ffmpeg devs can refuse the AI generated bugfixes for all we care.
This is a separate problem, but it’s still a problem. Many projects have seen a rise in slop PRs.
curlis notorious for complaining about AI slop vulnerabilities and patch requests.But I think we both agree that Google needs to be doing something more rather than putting the workload entirely on the ffmpeg devs.
Agree! I hereby propose that Google forwards US$1000 to the developers each time the AI signals a bug. Don’t even need to write it off as expense, it’s just “investment on QA”.
Better suggestion: Stop using AI to do any of this shit. Security research and vulnerability patching should not be reliant upon de facto black-box random number generators.
I have no issue with using AI to find otherwise undiscovered security bugs. But attempting to fixing them with AI I’m not in favor of.
The user’s code is vulnerable to a buffer overflow in certain edge cases. I need to patch the vulnerability and commit the patch to the repo.
I should rewrite the existing memmanage() function to handle these edge cases. (Silently removes all other functionality)
I should modify garbagecollect() to detect these edge cases. I’ll rename it to garbage_collector() for clarity and readability. (Renames the function, calls it no where)
(Confidently) I modified the program as requested, the new version of your application should be more secure and handle memory issues much more efficiently.
/cost
Total cost: $430.1161
Total duration (API): 41s
Total duration (wall): 29m 50s
Total code changes: 18 786 lines added, 12 lines removed
You seem to be under the impression that AI is a good tool for finding undiscovered security bugs. It’s not. It’s a crapshoot that requires a ton of extra effort to verify. Using it to find bugs wastes time and has a high risk of side-effects, given that AI has no understanding and thus cannot know if an issue is important, if fixing it has unwanted implications, or if there even is one at all. And if you’re going to try to solve that with human supervision, then you may as well just have the human do the review to begin with and leave the AI out of it.
I’d like FFmpeg to get more funding, but the bugs being reported are valid security bugs, so it seems desirable to send them anyway, preferably with fixes.
Eeeeh, I think a lot of the ai reports are pretty low value. The article says:
This “medium impact issue in ffmpeg,” which the FFmpeg developers did patch, is “an issue with decoding LucasArts Smush codec, specifically the first 10-20 frames of Rebel Assault 2, a game from 1995.”
Google can pay more to fix these issues, ffmpeg already hits their 3 bounty/month limit.
If there’s a vulnerability in the codec, then someone can slip a malicious file onto some web site and use it as an exploit. It’s not only about some 30 year old game. It might be appropriate for ffmpeg to get rid of such obscure codecs, or sandbox them somehow so RCE’s can’t escape from them, even at an efficiency cost. Yes though, Google funding or even a Summer of Code sponsorship would be great.
The issue is not whether security issues exist in ffmpeg. It’s clear that vulnerabilities need to be fixed.
The issue is with who actually fixes them. Your last sentence is the core of it. Google can submit as many bug reports as they want, but they better be willing to ensure the bugs get fixed too.
If it’s a mission critical library, then the corporations should be willing to shell out money to ensure critical bugs are fixed.
Google can’t have their cake and eat it too.
Google having found the bugs can either submit bug reports or quietly sit on them, or even exploit them as spyware, among other ideas. Whether they fund ffmpeg is a completely separate question. I can see how the 90 day disclosure window can be a problem if the number of reports is high.
Bug reports that apply only to Google’s services or which surface only because of them are bugs Google needs to fix. They can and do submit bug reports all they want. Nobody is obligated to fix them.
The other part of this is, of course, disclosure. Google’s disclosure of these bugs discredits ffmpeg developers and puts the blame on them if they fail to fix the vulnerabilities. They can acknowledge the project as being a volunteer, hobby project created by others if they want, and they can treat it like that. But if they’re doing that, they should not be putting responsibilities on them.
If Google wants to use ffmpeg, they can. But a bug in ffmpeg that affects Google’s services is a bug in Google’s service. It is not the responsibility of unpaid volunteers to maintain their services for them.
I don’t understand how a bug is supposed to know whether it’s triggered inside or outside of a google service. If the bug can only be triggered in some weird, google-specific deployment, that’s one thing, but I don’t think that’s what we’re talking about here. If the bug is manifestly present in ffmpeg and it’s discovered at google, what are you saying is supposed to happen? Google should a) report it under the normal 90 day disclosure rule; b) report it but let it stay undisclosed for longer than normal, due to the resource contraints ffmpeg’s devs areunder; c) not report it and let some attacker exploit it? (b) might have some merit but (c) is insane. Once some bad actor finds out about the bug (through independent discovery or any other way), it’s going to be exploited. That might already be happening before even google finds the bug.
FFmpeg’s codebase and dev community are both exceptionally difficult and that is not helping matters, I’m sure.
There are a bunch of Rust zealots busily rewriting GNU Coreutils which in practice have been quite reliable and not that badly in need of rewriting. Maybe the zealots should turn their attention to ffmpeg (a bug minefield of long renown) instead.
Alternatively (or in addition), some effort should go into sandboxing ffmpeg so its bugs can be contained.
I don’t understand how a bug is supposed to know whether it’s triggered inside or outside of a google service.
Who found the bug, and what triggered it? Does it affect all users, or does it only affect one specific service that uses it in one specific way due to a weird, obscure set of preconditions or extraordinarily uncommon environment configuration?
Most security vulnerabilities in projects this heavily used are hyper obscure.
If the bug is manifestly present in ffmpeg and it’s discovered at google, what are you saying is supposed to happen?
e) Report it with the usual 90 day disclosure rule, then fix the bug, or at least reduce the burden as much as possible on those who do need to fix it.
Google is the one with the vulnerable service. ffmpeg itself is a tool, but the vast majority of end users don’t use it directly, therefore the ffmpeg devs are not the ones directly (or possibly at all) affected by the bug.
There are a bunch of Rust zealots busily rewriting GNU Coreutils which in practice have been quite reliable and not that badly in need of rewriting. Maybe the zealots should turn their attention to ffmpeg (a bug minefield of long renown) instead.
This is weirdly offtopic, a gross misrepresentation of what they are doing, and horribly dismissive of the fact that every single person being discussed who is doing the real work is not being paid support fees by Google. Do not dictate what they should do with their time until you enter a contract with them. Until that point, what they do is none of your business.
Alternatively (or in addition), some effort should go into sandboxing ffmpeg so its bugs can be contained.
And who will do this effort?
If they’re using “AI” to find bugs, why not use it to submit a patch along with it?.. Oh yeah, because LLM “AI” is shit at coding which is why Microsoft and other companies resort to firing their own employees for not using it to code even though it just adds extra work unless you’re doing simple stuff (which assembly never is). As if they aren’t already overwhelmed from having to do the jobs of the 5 people they laid off for every one they kept.
I would be worried if FFmpeg depended on a monopolist for any amount of funding though tbqh
Very long HN thread that I haven’t had the stomach to look at: https://news.ycombinator.com/item?id=45891016
i don’t care about ffmpeg
So you don’t ever watch videos?
Or audio either lol
Are there other formats?
Not without ffmpeg.
you’re arguing that the only format you know of is the only format. incorrect I’m afraid. gstreamer, libav, mediapipe, vapoursynth, imagemagick to name a few, there are alternatives.
You clearly have no idea what you’re talking about lol
ffmpeg is a video format conversion tool/encoder/editor and is used in pretty much everything you see or hear. It’s used in half the tools you mention!
… Why?
Chances are good that you are using ffmpeg in one form or another. It is used in tons of software and services like your browser or Twitch and YouTube.
It’s pretty close to xkcd/2347 status.
This is a matter of bad journalism, not my personal taste. Ciao
Bad journalism has nothing to do with this. Literal first paragraph of the article:
You may never have heard of FFmpeg, but you’ve used it. This open source program’s robust multimedia framework is used to process video and audio media files and streams across numerous platforms and devices. It provides tools and libraries for format conversion, aka transcoding, playback, editing, streaming, and post-production effects for both audio and video media.
If you weren’t paying attention until someone pointed out your error, just say that. We won’t crucify you.
I’m attacking the author’s bad journalism. You are defending the validity of the format. You are wrong not because the format is valid but because you are defending a point I am not attacking.
I’m sorry. It’s an egregious and embarrassing error and whoever educated you in rhetoric should refund your money, assuming you paid for it. ciao
You didn’t make any substantive critiques about the journalism, so why would anyone be responding to that? All you’ve said is that you “don’t care about ffmpeg”, which is dismissive of the software itself, so yeah obviously people are going to be responding about the software.
Why are you responding to me?
Because you’re the account who posted what I’m responding to.
Alright, lemme try to explain this:
- You stated you don’t care about FFmpeg.
- Someone asked why and stated it was useful.
- You brought up “bad journalism” in response, implying your lack of care for FFmpeg was due to the article not describing why it was useful.
- To refute your accusation of bad journalism, I pointed out the first paragraph of the article, which directly makes a case for FFmpeg and which you seemed to have missed.
- You somehow seem to think I’m defending FFmpeg in some fashion, thus missing my point. (Also, you seem to be calling FFmpeg a “format,” presumably because it has “mpeg” in the name? FFmpeg handles a litany of formats.)
The author has not done bad journalism. You just missed stuff while reading. That’s fine so long as you address it. I would ask you not insult me for pointing this out, though.
