this post was submitted on 13 Nov 2025
324 points (99.1% liked)

Technology

77164 readers
2744 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
324
FFmpeg to Google: Fund Us or Stop Sending Bugs (thenewstack.io)
submitted 2 weeks ago by themachinestops@lemmy.dbzer0.com to c/technology@lemmy.world
33 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] nandeEbisu@lemmy.world 2 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Security vulnerabilities are different, especially when they also put a 90 day disclosure period in it which is more severe for a security exploit.

That disclosure bit, not in the article, is really what tipped this all over the edge. If it was just hey, here's a bug then its really just flooding the backlog for the maintainers who need to triage that. Disclosures are often used so people are aware that they're using libraries that the maintainer has refused to patch, but in this case its really just holding the maintainers hostage so they end up wasting their time going through irrelevant issues.

Also, many of these libraries get security audits to make sure they are actually triaging and working through their backlogs, so could lose actual funding they get.

Ideally, they would either use their supposedly capable and powerful AI code gen to just make a fix and send over a patch, or at least use LLMs on their own end to triage the issues and only send over the most sever X periodically.

[–] lmmarsano@lemmynsfw.com 1 points 2 weeks ago

Security vulnerabilities are different

No, it's still open source work, completely voluntary in the free world.

Disclosures are often used so people are aware that they’re using libraries that the maintainer has refused to patch

No, they merely tell reality: an unresolved security issue was found. How anyone handles that is their business. There is no inherent duty.

People who would rather write a fix than write & maintain their own daunting library will send a fix.

could lose actual funding they get

If someone's getting paid, and it's not worth the work, then that is also their business. It's still open source. If the solution saves more effort than doing it yourself, then the people who need it won't just let it all go to waste.

This is entirely a social issue of managing & rebuffing unrealistic expectations. It's perfectly valid to set boundaries, remind folks beggars can't be choosers, and tell them pitching in gets more done.