
FFMpeg VS Google

In recent days there has been a fiery debate going on between two entities (and others). One of them is Google. The other is called FFmpeg. Now you might be wondering what this FFmpeg is. Let me tell you.

In short, FFmpeg is a piece of software that pretty much everyone uses directly or indirectly, because it is THE tool for almost anything audio related. Do you listen to music? More than likely your music player uses ffmpeg to make your ears bleed. Play games? Yup, it's there, and it hollers at you when you open that loot box. Google itself uses ffmpeg. Most audio tools more than likely use ffmpeg under the hood. So this little-known project is pretty much a foundational piece of modern-day software infrastructure.

So what's the big brouhaha? Well, Google started to do what you'd expect any company worth its salt to do: they started baking AI into everything. Including analyzing software for stuff that others might use for nefarious purposes. Then people would take these AI findings and report these vulnerabilities to the folks at ffmpeg so they can be fixed.

Here's ffmpeg's problem with all this as I see it: a bunch of people report vulnerabilities in their code, but once the report is made, like Pontius Pilate they wash their hands of the affair, and if ffmpeg gets crucified for having tons of vulnerabilities in it, oh well, that's their problem. And a number of people seem to think that ffmpeg has a responsibility and an obligation to fix these bugs in a timely fashion, lest a bad guy hacks you and reveals your hub habits through your video player.

Here's a newsflash for all those choosing beggars: they do not. There is no contract. Well, technically there is. It is called a license, and everyone who uses that software agrees to the license. And the license is very clear about the obligations of the developer: they have none. No warranties. No support. The software is there for you to use for free. That's the tradeoff. Free stuff for zero obligation on either side.

So ffmpeg makes a statement that basically says "fixes are welcome too", and a huge ton of people took umbrage at this statement. So now there is a flamewar going on on X over whether ffmpeg should be called to account for their public statements (someone actually went and offered money to the project if the X account maintainer resigned) or whether they are justified in their slightly snarky-sounding request for fixes alongside the vulnerability report.

But that's good, right? Vulnerable software should be fixed, and the developers should be eager to help. But here's the question: who's gonna pay for it? For the time and the effort? The maintenance?

I sense some confusion. Let's blow some minds with a tiny little open secret that the modern-day software world has.

A considerable amount of the software that runs our daily lives is developed, maintained and released by volunteers. People who do this development work for funsies. Hobbyists. The critical infrastructure of our digital lives is, more often than not, a charity project.

And such is the reality with ffmpeg. While you might think that a piece of software this important has a company or a foundation backing it with lots and lots of money (perhaps from big G themselves) so these problems can be fixed in a timely manner and developers compensated for their efforts, the truth sadly is something else entirely.

So we have on one hand a multi-trillion-dollar company bitching at a charity that they don't do enough free labor to make them an even bigger multi-trillion-dollar company. And when that charity says they could use some help in fixing some of those issues, trillion-dollar-company employees (who, by the way, get paid via salaries, bug bounties and of course fame in their field for finding those bugs) throw a hissy fit over it, since apparently asking you to help fix what you technically broke is too much trouble. If AI can find the bug, it sure as hell can help you vibe code at least an attempt at a fix.

All of this reveals an underlying problem that most people are eager and willing to ignore for the sake of convenience: volunteers run, develop and maintain some of the most used pieces of software in the world. And we (yes, hashtag me too) take advantage of that goodwill with little to no regard for the effort it takes to do this stuff. No thank you, attaboy or good job. Most of us consume these products passively, and those few who do so actively are too busy being convenienced to really sit down and appreciate that a volunteer's work just saved them hours of labor. Only when something goes wrong do we take note.

So instead of continuing to rant, because I really have no solution to this problem, I suppose I should just sit down and say this: Thank you, developers of ffmpeg. Good job, and I hope you don't lose heart. Keep the faith.