Great Question! Here's an example of it in action:
> where is this demand that you must do something
> You can leave your users vulnerable to being hacked for months, if you so desire.
Coercion takes many forms; it does not need to be explicit.
>Let's hope a bug in some 1990s game codec doesn't get some ffmpeg core developer popped.
@FFmpeg "They can't stop anybody else finding it and exploiting it." - yes they absolutely can. By patching it.
@l8x_m0xy Security "researchers" right now. (Not all, some send patches)
@FFmpeg If you put as much time into making ancient, unmaintained codecs disabled by default as you've spent whinging on social media, you'd no longer have a problem. Or if you're bored, add a GENERAL PURPOSE facility to run codecs in a sandbox under seccomp. You're no victim.
@RightTechGadfly Send patches
@FFmpeg Google has a history of this behavior https://www.cgisecurity.com/20...
@FFmpeg The vulnerability was there already. Advocating for no disclosure deadline (and rest of the implications you've made) is just a poorly disguised desire for silencing researchers. Thank god you aren't a commercial vendor, then you'd likely cease & desist them.
@FFmpeg Genuine question here from someone who respects your work: if they find a security flaw in some old codec, why not temporarily take that codec out? That way you don't have to fix the bug until you get to it while remaining secure.
@FFmpeg Genuine question: why is "good catch, hit me up once you have a fix" not a default response to bug reports in FOSS? Like, if you can find some obscure corner case, you should more than know how to fix it, no?
@FFmpeg It seems to me that (one of) the big beefs they legit have is Google pays a lot of money to do security research (good) but when they find something used everywhere (including by them I assume), they also DON’T pay their folks to go “and here’s the fix”
@FFmpeg The European Union Cyber Resilience Act answers this question quite clearly: everyone who uses ffmpeg for business purposes and has already fixed the issue is obliged to contribute it to ffmpeg.
@FFmpeg I guess so, but as a project I wouldn't be too fazed about it when the vulnerability is unimportant anyway. I mean, there will always be someone whining about xyz, so I feel like it's not worth paying attention to them as long as it's clear why their whining is irrelevant.
@FFmpeg The little man takes great joy in having something that allows him to push others around.
@FFmpeg This whole thing boils down to miserable twitter users who want to complain without contributing
@FFmpeg Holy fuck you guys are something else 😂 Get medication dude