- cross-posted to:
- opensource@lemmy.ml
- foss@beehaw.org
This was a fantastic read, thank you very much for posting
(There are many people quoted in the article, and the article isn’t agreeing with this person; I just wanted to reply to this person’s points in particular.)
Lorenc argues back, in an e-mail to me, that “Creating and publishing software under an open source license is an act of contribution to the digital commons. Finding and publishing information about security issues in that software is also an act of contribution to the same commons.
“The position of the FFmpeg X account is that somehow disclosing vulnerabilities is a bad thing. Google provides more assistance to open source software projects than almost any other organization, and these debates are more likely to drive away potential sponsors than to attract them.”
It being a positive contribution to the commons is absolutely true, but that doesn’t change the fact that you’re doing it in a way that damages the project. Google created the problem with their change in vulnerability disclosure policy (and, more existentially, by building their AI vulnerability finder), and they have the power to fix the problem they created by funding the fixes. Either don’t make the problem, or fix the problem you’re making.
There’s no way around it: Google holds all the cards here, and I don’t know how he could fail to understand that. What is FFmpeg gonna do, magically fix more issues than they’re capable of without funding and somehow not burn out their contributors? Google can literally just either fix the problem by funding them, or not create the fucking problem in the first place. Write a different policy for projects of different scales, or just don’t make this change to the vulnerability publishing policy.
FFmpeg has been very clear this will damage the project, which Google depends on. This is very explicitly a problem of their own creation that they’re foisting onto an open source volunteer project 😅