"Exposing" bugs to the whole internet: Google presses FFmpeg maintainers to "fix on schedule" and gets an angry rebuke: don't just use AI to find bugs, fix them yourself if you can!
猿大侠 · 2025-11-10 04:11

Core Viewpoint
- The article discusses the conflict between Google Project Zero and the open-source multimedia framework FFmpeg over who is responsible for fixing bugs discovered by AI tools, highlighting the tension between corporate resources and volunteer effort in the open-source community [1][9].

Group 1: Google Project Zero's New Policy
- In July 2025, Google Project Zero introduced a "Reporting Transparency" policy under which the existence of a reported bug is disclosed within a week of discovery, even before it is fixed, while the standard 90-day fix window for vendors is kept [3][5].
- The policy aims to reduce the "upstream patch gap": the delay between a fix landing upstream and that fix actually reaching end users in downstream products [3][5].

Group 2: Impact on FFmpeg
- In August 2025, Google reported that Big Sleep, its AI-driven vulnerability-finding agent, had identified around 20 bugs in various open-source projects, including FFmpeg, which is widely used in browsers and media applications [5][6].
- Although most of the bugs were rated low or medium risk, FFmpeg maintainers came under public pressure to fix them without receiving any patches from Google [6][7].

Group 3: Reactions from FFmpeg Developers
- FFmpeg developers voiced their frustration on social media, arguing that Google's approach puts undue pressure on volunteers to fix bugs while offering no fixes of its own [9][10].
- They described the situation as a form of "corporate coercion": a wealthy company uses its AI to find vulnerabilities and then shifts the burden of repair onto unpaid volunteers [9][10].

Group 4: Broader Context of Open Source Maintenance
- This conflict is not isolated; other open-source maintainers have voiced similar frustrations, such as Nick Wellnhofer of libxml2, who pointed to the difficulty of handling a stream of bug reports without compensation [11][12].
- The article emphasizes the precarious state of open-source infrastructure, which often depends on a small number of volunteers, raising concerns about both sustainability and security [12][14].

Group 5: Ongoing Debate
- The debate continues: Google maintains that its goal is to get bugs fixed before they can be exploited, while FFmpeg argues that without financial support and manpower it is unrealistic to expect timely fixes from volunteers [13][14].
- The situation underscores how fragile the foundations of the modern internet are, resting heavily on the goodwill of a few dedicated individuals [15].