Is this an oblique reference to OSS Fuzz, or something else?
replyIt seems weird to blame Google here, given that they didn’t manufacture the bugs: the bugs were already there, and they just found them. This is arguably the best thing for all parties: open source maintainers are still under no obligation to fix things, but downstreams can properly inform themselves about the risks they inherit by using any given project.
The alternative is a “don’t ask, don’t tell” system, which people generally agree doesn’t work well in other aspects of life.
They are contributing back, which is a good thing. Other companies just fork, fix, and forbid to contribute back.
replyBurning out maintainers isn't "contributing back".
replyDo you have any examples of Google submitting vulnerabilities and refusing to assist maintainers create a patch when asked to do so?
replyWasn’t that a story with ffmpeg a few months ago? And people were getting roasted for even the suggestion that google should contribute patches?
replyPeople were getting rightly roasted for calling google a leech when A) google does donate money to ffmpeg and B) that bug was in a weird format google almost certainly has disabled so they're not reporting it to get free labor.
reply