November 11, 2025
Popcorn vs. Patch notes
FFmpeg to Google: Fund Us or Stop Sending Bugs
Internet calls out Big Tech freeloading while volunteers fix 1995 game glitches
TLDR: FFmpeg, the volunteer-run video engine behind major apps, told Google to fund maintenance or stop AI-driven bug dumps after an obscure 1995 codec issue. Comments split: some demand Big Tech pay up, others say every bug deserves fixing, spotlighting how unpaid open-source work keeps the internet running.
The internet grabbed popcorn for an unlikely fight: FFmpeg — the invisible engine powering YouTube, Chrome, VLC, and half your apps — told Google to either pay up or stop flooding volunteers with bug reports. The spark? A Google AI flagged a “medium” issue decoding the first 10–20 frames of a 1995 game video format. FFmpeg’s unpaid maintainers fixed it, then called this kind of thing “CVE slop” (CVE is the public catalog for security flaws). Cue drama.
One camp cheered the “fund it or zip it” stance, arguing that public disclosures aimed at tiny, resource-starved projects create more risk than reward. Another camp fired back with “a bug is a bug — just fix it,” insisting that reporting problems is fair game even if they’re niche. Cynics went full spice, saying Google only cares about open source when it feeds its “advertising panopticon.” Meanwhile, meta-chaos erupted as a commenter accused the coverage itself of being AI-generated link, adding a fresh layer of slop to the slop.
Bottom line: a 1995 space-game glitch ignited a 2025 debate over open-source labor, Big Tech responsibility, and whether AI’s bug-blizzard helps or just burns out volunteers. The comments? A perfect split-screen of outrage, “fix it,” and meme-fueled eye-rolls.
Key Points
- •FFmpeg is a widely used, underfunded open-source multimedia framework maintained largely by volunteers.
- •A public debate emerged over security vulnerability reporting and responsibility, involving FFmpeg, Google, Dan Lorenc (Chainguard), and others.
- •A Google AI agent reported an obscure FFmpeg bug in the LucasArts Smush codec; FFmpeg patched it but criticized such low-value reports as “CVE slop.”
- •FFmpeg asserts that large companies relying on its software should provide patches or funding instead of offloading work to volunteers.
- •Similar pressures affect other projects, with libxml2’s former maintainer resigning due to the burden from frequent third-party security reports, including from Google Project Zero.