* [FFmpeg-devel] question about submitting security patches @ 2025-11-08 8:34 Thomas Dullien via ffmpeg-devel 2025-11-10 16:03 ` [FFmpeg-devel] " Rémi Denis-Courmont via ffmpeg-devel 2025-11-13 5:36 ` compn via ffmpeg-devel 0 siblings, 2 replies; 16+ messages in thread From: Thomas Dullien via ffmpeg-devel @ 2025-11-08 8:34 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Thomas Dullien Hey all, after the recent social media discussion around P0 reported bugs etc. I'd like to contribute a few patches for a few open crash bugs in the bugtracker (and hopefully for the remaining BIGSLEEP bug reports, too). I am using a coding assistant combined with a stack of ASAN + rr, and while I am not an export on ffmpeg, I am some sort of expert on vulnerabilities. I have prepared AI-assisted patches for https://trac.ffmpeg.org/ticket/11693 and https://trac.ffmpeg.org/ticket/11691, and I'll review them some more but both the root-cause analysis and the patch seem good. What's the best way to submit these patches? There is the bug tracker, there is this mailing list - what's the best way to contribute them? Cheers, Thomas _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-08 8:34 [FFmpeg-devel] question about submitting security patches Thomas Dullien via ffmpeg-devel @ 2025-11-10 16:03 ` Rémi Denis-Courmont via ffmpeg-devel 2025-11-10 16:19 ` Thomas Dullien via ffmpeg-devel 2025-11-11 2:59 ` Michael Niedermayer via ffmpeg-devel 2025-11-13 5:36 ` compn via ffmpeg-devel 1 sibling, 2 replies; 16+ messages in thread From: Rémi Denis-Courmont via ffmpeg-devel @ 2025-11-10 16:03 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Rémi Denis-Courmont Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas Dullien via ffmpeg-devel a écrit : > What's the best way to submit these patches? There is the bug tracker, > there is this mailing list - what's the best way to contribute them? I don't think that DNN-generated patches are compatible with the LGPL in the first place, or it is at best very uncertain that they are. So then you cannot contribute DNN-generated patches in any useful way at all. -- Rémi Denis-Courmont https://www.remlab.net/ _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-10 16:03 ` [FFmpeg-devel] " Rémi Denis-Courmont via ffmpeg-devel @ 2025-11-10 16:19 ` Thomas Dullien via ffmpeg-devel 2025-11-11 2:59 ` Michael Niedermayer via ffmpeg-devel 1 sibling, 0 replies; 16+ messages in thread From: Thomas Dullien via ffmpeg-devel @ 2025-11-10 16:19 UTC (permalink / raw) To: FFmpeg development discussions and patches Cc: Rémi Denis-Courmont, Thomas Dullien Hey there, I've ended up creating a PR and made sure the patch code itself is human-written, hence untainted - LLMs are just used in the crash triage and analysis. Thanks for the reply! One (open) question: is generating commit messages by an LLM permissible, or is that something that should also be done by human hand? Cheers, Thomas On Mon, Nov 10, 2025, 5:04 PM Rémi Denis-Courmont via ffmpeg-devel < ffmpeg-devel@ffmpeg.org> wrote: > Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika > Thomas > Dullien via ffmpeg-devel a écrit : > > What's the best way to submit these patches? There is the bug tracker, > > there is this mailing list - what's the best way to contribute them? > > I don't think that DNN-generated patches are compatible with the LGPL in > the > first place, or it is at best very uncertain that they are. So then you > cannot > contribute DNN-generated patches in any useful way at all. > > -- > Rémi Denis-Courmont > https://www.remlab.net/ > > > > _______________________________________________ > ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org > To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org > _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-10 16:03 ` [FFmpeg-devel] " Rémi Denis-Courmont via ffmpeg-devel 2025-11-10 16:19 ` Thomas Dullien via ffmpeg-devel @ 2025-11-11 2:59 ` Michael Niedermayer via ffmpeg-devel 2025-11-11 6:49 ` Rémi Denis-Courmont via ffmpeg-devel ` (2 more replies) 1 sibling, 3 replies; 16+ messages in thread From: Michael Niedermayer via ffmpeg-devel @ 2025-11-11 2:59 UTC (permalink / raw) To: FFmpeg development discussions and patches; +Cc: Michael Niedermayer [-- Attachment #1.1: Type: text/plain, Size: 940 bytes --] Hi Remi On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via ffmpeg-devel wrote: > Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas > Dullien via ffmpeg-devel a écrit : > > What's the best way to submit these patches? There is the bug tracker, > > there is this mailing list - what's the best way to contribute them? > > I don't think that DNN-generated patches are compatible with the LGPL in the > first place, or it is at best very uncertain that they are. So then you cannot > contribute DNN-generated patches in any useful way at all. If you have concrete legal analysis or case law that supports this claim, please share it. thx -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB In fact, the RIAA has been known to suggest that students drop out of college or go to community college in order to be able to afford settlements. -- The RIAA [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 163 bytes --] _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-11 2:59 ` Michael Niedermayer via ffmpeg-devel @ 2025-11-11 6:49 ` Rémi Denis-Courmont via ffmpeg-devel 2025-11-11 8:27 ` Gyan Doshi via ffmpeg-devel 2025-11-12 8:09 ` Kieran Kunhya via ffmpeg-devel 2025-11-12 8:24 ` Christophe Gisquet via ffmpeg-devel 2 siblings, 1 reply; 16+ messages in thread From: Rémi Denis-Courmont via ffmpeg-devel @ 2025-11-11 6:49 UTC (permalink / raw) To: FFmpeg development discussions and patches, Michael Niedermayer via ffmpeg-devel Cc: Michael Niedermayer, Rémi Denis-Courmont Le 11 novembre 2025 04:59:42 GMT+02:00, Michael Niedermayer via ffmpeg-devel <ffmpeg-devel@ffmpeg.org> a écrit : >Hi Remi > >On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via ffmpeg-devel wrote: >> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas >> Dullien via ffmpeg-devel a écrit : >> > What's the best way to submit these patches? There is the bug tracker, >> > there is this mailing list - what's the best way to contribute them? >> >> I don't think that DNN-generated patches are compatible with the LGPL in the >> first place, or it is at best very uncertain that they are. So then you cannot >> contribute DNN-generated patches in any useful way at all. > >If you have concrete legal analysis or case law that supports this claim, please share it. You can check what LF, Fedora, QEMU, etc, and their lawyers already did on that front. _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-11 6:49 ` Rémi Denis-Courmont via ffmpeg-devel @ 2025-11-11 8:27 ` Gyan Doshi via ffmpeg-devel 0 siblings, 0 replies; 16+ messages in thread From: Gyan Doshi via ffmpeg-devel @ 2025-11-11 8:27 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Gyan Doshi On 2025-11-11 12:19 pm, Rémi Denis-Courmont via ffmpeg-devel wrote: > > Le 11 novembre 2025 04:59:42 GMT+02:00, Michael Niedermayer via ffmpeg-devel<ffmpeg-devel@ffmpeg.org> a écrit : >> Hi Remi >> >> On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via ffmpeg-devel wrote: >>> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas >>> Dullien via ffmpeg-devel a écrit : >>>> What's the best way to submit these patches? There is the bug tracker, >>>> there is this mailing list - what's the best way to contribute them? >>> I don't think that DNN-generated patches are compatible with the LGPL in the >>> first place, or it is at best very uncertain that they are. So then you cannot >>> contribute DNN-generated patches in any useful way at all. >> If you have concrete legal analysis or case law that supports this claim, please share it. > You can check what LF, Fedora, QEMU, etc, and their lawyers already did on that front. QEMU is the only one which forbids AI https://github.com/qemu/qemu/commit/3d40db0efc The others provide caveats but do provide a pathway for AI contributions. The Linux Foundation says, "Code or other content generated in whole or in part using AI tools can be contributed to Linux Foundation projects. ..." https://www.linuxfoundation.org/legal/generative-ai Fedora says, this, "You *MAY* use AI assistance for contributing to Fedora, as long as you follow the principles described below..." https://docs.fedoraproject.org/en-US/council/policy/ai-contribution-policy/ Regards, Gyan _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-11 2:59 ` Michael Niedermayer via ffmpeg-devel 2025-11-11 6:49 ` Rémi Denis-Courmont via ffmpeg-devel @ 2025-11-12 8:09 ` Kieran Kunhya via ffmpeg-devel 2025-11-13 3:06 ` Michael Niedermayer via ffmpeg-devel 2025-11-12 8:24 ` Christophe Gisquet via ffmpeg-devel 2 siblings, 1 reply; 16+ messages in thread From: Kieran Kunhya via ffmpeg-devel @ 2025-11-12 8:09 UTC (permalink / raw) To: FFmpeg development discussions and patches Cc: Michael Niedermayer, Kieran Kunhya On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, < ffmpeg-devel@ffmpeg.org> wrote: > Hi Remi > > On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via > ffmpeg-devel wrote: > > Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika > Thomas > > Dullien via ffmpeg-devel a écrit : > > > What's the best way to submit these patches? There is the bug tracker, > > > there is this mailing list - what's the best way to contribute them? > > > > I don't think that DNN-generated patches are compatible with the LGPL in > the > > first place, or it is at best very uncertain that they are. So then you > cannot > > contribute DNN-generated patches in any useful way at all. > > If you have concrete legal analysis or case law that supports this claim, > please share it. > If an LLM was trained on the leaked Microsoft Windows source code and it used elements of that code when asked to write an FFmpeg patch, would that patch be acceptable in your eyes? Kieran > _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-12 8:09 ` Kieran Kunhya via ffmpeg-devel @ 2025-11-13 3:06 ` Michael Niedermayer via ffmpeg-devel 2025-11-13 3:52 ` Kieran Kunhya via ffmpeg-devel 2025-11-13 14:50 ` Timo Rothenpieler via ffmpeg-devel 0 siblings, 2 replies; 16+ messages in thread From: Michael Niedermayer via ffmpeg-devel @ 2025-11-13 3:06 UTC (permalink / raw) To: FFmpeg development discussions and patches; +Cc: Michael Niedermayer [-- Attachment #1.1: Type: text/plain, Size: 1637 bytes --] Hi Kieran On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via ffmpeg-devel wrote: > On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, < > ffmpeg-devel@ffmpeg.org> wrote: > > > Hi Remi > > > > On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via > > ffmpeg-devel wrote: > > > Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika > > Thomas > > > Dullien via ffmpeg-devel a écrit : > > > > What's the best way to submit these patches? There is the bug tracker, > > > > there is this mailing list - what's the best way to contribute them? > > > > > > I don't think that DNN-generated patches are compatible with the LGPL in > > the > > > first place, or it is at best very uncertain that they are. So then you > > cannot > > > contribute DNN-generated patches in any useful way at all. > > > > If you have concrete legal analysis or case law that supports this claim, > > please share it. > > > > If an LLM was trained on the leaked Microsoft Windows source code and it > used elements of that code when asked to write an FFmpeg patch, would that > patch be acceptable in your eyes? If a human was trained on the leaked Microsoft Windows source code and he used elements of that code when asked to write an FFmpeg patch, would that patch be acceptable in your eyes? We should forbid human written code? thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB No human being will ever know the Truth, for even if they happen to say it by chance, they would not even known they had done so. -- Xenophanes [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 163 bytes --] _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-13 3:06 ` Michael Niedermayer via ffmpeg-devel @ 2025-11-13 3:52 ` Kieran Kunhya via ffmpeg-devel 2025-11-13 18:38 ` Michael Niedermayer via ffmpeg-devel 2025-11-13 14:50 ` Timo Rothenpieler via ffmpeg-devel 1 sibling, 1 reply; 16+ messages in thread From: Kieran Kunhya via ffmpeg-devel @ 2025-11-13 3:52 UTC (permalink / raw) To: FFmpeg development discussions and patches Cc: Michael Niedermayer, Kieran Kunhya On Thu, 13 Nov 2025, 03:07 Michael Niedermayer via ffmpeg-devel, < ffmpeg-devel@ffmpeg.org> wrote: > Hi Kieran > > On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via ffmpeg-devel > wrote: > > On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, < > > ffmpeg-devel@ffmpeg.org> wrote: > > > > > Hi Remi > > > > > > On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via > > > ffmpeg-devel wrote: > > > > Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika > > > Thomas > > > > Dullien via ffmpeg-devel a écrit : > > > > > What's the best way to submit these patches? There is the bug > tracker, > > > > > there is this mailing list - what's the best way to contribute > them? > > > > > > > > I don't think that DNN-generated patches are compatible with the > LGPL in > > > the > > > > first place, or it is at best very uncertain that they are. So then > you > > > cannot > > > > contribute DNN-generated patches in any useful way at all. > > > > > > If you have concrete legal analysis or case law that supports this > claim, > > > please share it. > > > > > > > If an LLM was trained on the leaked Microsoft Windows source code and it > > used elements of that code when asked to write an FFmpeg patch, would > that > > patch be acceptable in your eyes? > > If a human was trained on the leaked Microsoft Windows source code and he > used elements of that code when asked to write an FFmpeg patch, would that > patch be acceptable in your eyes? > > We should forbid human written code? > An AI is not a human. AIs have been shown to regurgitate copyrighted material when asked to solve a problem. Kieran > _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-13 3:52 ` Kieran Kunhya via ffmpeg-devel @ 2025-11-13 18:38 ` Michael Niedermayer via ffmpeg-devel 0 siblings, 0 replies; 16+ messages in thread From: Michael Niedermayer via ffmpeg-devel @ 2025-11-13 18:38 UTC (permalink / raw) To: FFmpeg development discussions and patches; +Cc: Michael Niedermayer [-- Attachment #1.1: Type: text/plain, Size: 2139 bytes --] Hi Kieran On Thu, Nov 13, 2025 at 03:52:17AM +0000, Kieran Kunhya via ffmpeg-devel wrote: > On Thu, 13 Nov 2025, 03:07 Michael Niedermayer via ffmpeg-devel, < > ffmpeg-devel@ffmpeg.org> wrote: > > > Hi Kieran > > > > On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via ffmpeg-devel > > wrote: > > > On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, < > > > ffmpeg-devel@ffmpeg.org> wrote: > > > > > > > Hi Remi > > > > > > > > On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via > > > > ffmpeg-devel wrote: > > > > > Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika > > > > Thomas > > > > > Dullien via ffmpeg-devel a écrit : > > > > > > What's the best way to submit these patches? There is the bug > > tracker, > > > > > > there is this mailing list - what's the best way to contribute > > them? > > > > > > > > > > I don't think that DNN-generated patches are compatible with the > > LGPL in > > > > the > > > > > first place, or it is at best very uncertain that they are. So then > > you > > > > cannot > > > > > contribute DNN-generated patches in any useful way at all. > > > > > > > > If you have concrete legal analysis or case law that supports this > > claim, > > > > please share it. > > > > > > > > > > If an LLM was trained on the leaked Microsoft Windows source code and it > > > used elements of that code when asked to write an FFmpeg patch, would > > that > > > patch be acceptable in your eyes? > > > > If a human was trained on the leaked Microsoft Windows source code and he > > used elements of that code when asked to write an FFmpeg patch, would that > > patch be acceptable in your eyes? > > > > We should forbid human written code? > > > > An AI is not a human. > > AIs have been shown to regurgitate copyrighted material when asked to solve > a problem. Humans have done that as well, still we allow human contributions thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Some Animals are More Equal Than Others. - George Orwell's book Animal Farm [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 163 bytes --] _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-13 3:06 ` Michael Niedermayer via ffmpeg-devel 2025-11-13 3:52 ` Kieran Kunhya via ffmpeg-devel @ 2025-11-13 14:50 ` Timo Rothenpieler via ffmpeg-devel 2025-11-13 18:59 ` ff--- via ffmpeg-devel 2025-11-14 7:40 ` Tobias Rapp via ffmpeg-devel 1 sibling, 2 replies; 16+ messages in thread From: Timo Rothenpieler via ffmpeg-devel @ 2025-11-13 14:50 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Timo Rothenpieler On 13/11/2025 04:06, Michael Niedermayer via ffmpeg-devel wrote: > Hi Kieran > > On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via ffmpeg-devel wrote: >> On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, < >> ffmpeg-devel@ffmpeg.org> wrote: >> >>> Hi Remi >>> >>> On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via >>> ffmpeg-devel wrote: >>>> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika >>> Thomas >>>> Dullien via ffmpeg-devel a écrit : >>>>> What's the best way to submit these patches? There is the bug tracker, >>>>> there is this mailing list - what's the best way to contribute them? >>>> >>>> I don't think that DNN-generated patches are compatible with the LGPL in >>> the >>>> first place, or it is at best very uncertain that they are. So then you >>> cannot >>>> contribute DNN-generated patches in any useful way at all. >>> >>> If you have concrete legal analysis or case law that supports this claim, >>> please share it. >>> >> >> If an LLM was trained on the leaked Microsoft Windows source code and it >> used elements of that code when asked to write an FFmpeg patch, would that >> patch be acceptable in your eyes? > > If a human was trained on the leaked Microsoft Windows source code and he > used elements of that code when asked to write an FFmpeg patch, would that > patch be acceptable in your eyes? > > We should forbid human written code? I mean, that is in fact generally how situations like that are handled. At least I have seen it multiple times on Projects like the Dolphin Emulator that people who read the leaked Nintendo code were barred from ever contributing again once found out, cause it would give Nintendo legal ground to take down the project. _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-13 14:50 ` Timo Rothenpieler via ffmpeg-devel @ 2025-11-13 18:59 ` ff--- via ffmpeg-devel 2025-11-14 7:40 ` Tobias Rapp via ffmpeg-devel 1 sibling, 0 replies; 16+ messages in thread From: ff--- via ffmpeg-devel @ 2025-11-13 18:59 UTC (permalink / raw) To: FFmpeg development discussions and patches; +Cc: ff On 2025-11-13 06:50, Timo Rothenpieler via ffmpeg-devel wrote: > On 13/11/2025 04:06, Michael Niedermayer via ffmpeg-devel wrote: >> Hi Kieran >> >> On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via >> ffmpeg-devel wrote: >>> On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, < >>> ffmpeg-devel@ffmpeg.org> wrote: >>> >>>> Hi Remi >>>> >>>> On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via >>>> ffmpeg-devel wrote: >>>>> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan >>>>> normaaliaika >>>> Thomas >>>>> Dullien via ffmpeg-devel a écrit : >>>>>> What's the best way to submit these patches? There is the bug >>>>>> tracker, >>>>>> there is this mailing list - what's the best way to contribute >>>>>> them? >>>>> >>>>> I don't think that DNN-generated patches are compatible with the >>>>> LGPL in >>>> the >>>>> first place, or it is at best very uncertain that they are. So then >>>>> you >>>> cannot >>>>> contribute DNN-generated patches in any useful way at all. >>>> >>>> If you have concrete legal analysis or case law that supports this >>>> claim, >>>> please share it. >>>> >>> >>> If an LLM was trained on the leaked Microsoft Windows source code and >>> it >>> used elements of that code when asked to write an FFmpeg patch, would >>> that >>> patch be acceptable in your eyes? >> >> If a human was trained on the leaked Microsoft Windows source code and >> he >> used elements of that code when asked to write an FFmpeg patch, would >> that >> patch be acceptable in your eyes? >> >> We should forbid human written code? > > I mean, that is in fact generally how situations like that are handled. > At least I have seen it multiple times on Projects like the Dolphin > Emulator that people who read the leaked Nintendo code were barred from > ever contributing again once found out, cause it would give Nintendo > legal ground to take down the project. the small fixes to regular code in ffmpeg wont be fixed with 1000 lines of windows/nintendo source code so its a bit of a moot point. -compn _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-13 14:50 ` Timo Rothenpieler via ffmpeg-devel 2025-11-13 18:59 ` ff--- via ffmpeg-devel @ 2025-11-14 7:40 ` Tobias Rapp via ffmpeg-devel 1 sibling, 0 replies; 16+ messages in thread From: Tobias Rapp via ffmpeg-devel @ 2025-11-14 7:40 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Tobias Rapp On 13/11/2025 15:50, Timo Rothenpieler via ffmpeg-devel wrote: > On 13/11/2025 04:06, Michael Niedermayer via ffmpeg-devel wrote: >> Hi Kieran >> >> On Wed, Nov 12, 2025 at 12:09:00AM -0800, Kieran Kunhya via >> ffmpeg-devel wrote: >>> On Mon, 10 Nov 2025, 19:00 Michael Niedermayer via ffmpeg-devel, < >>> ffmpeg-devel@ffmpeg.org> wrote: >>> >>>> Hi Remi >>>> >>>> On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via >>>> ffmpeg-devel wrote: >>>>> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika >>>> Thomas >>>>> Dullien via ffmpeg-devel a écrit : >>>>>> What's the best way to submit these patches? There is the bug >>>>>> tracker, >>>>>> there is this mailing list - what's the best way to contribute them? >>>>> >>>>> I don't think that DNN-generated patches are compatible with the >>>>> LGPL in >>>> the >>>>> first place, or it is at best very uncertain that they are. So >>>>> then you >>>> cannot >>>>> contribute DNN-generated patches in any useful way at all. >>>> >>>> If you have concrete legal analysis or case law that supports this >>>> claim, >>>> please share it. >>>> >>> >>> If an LLM was trained on the leaked Microsoft Windows source code >>> and it >>> used elements of that code when asked to write an FFmpeg patch, >>> would that >>> patch be acceptable in your eyes? >> >> If a human was trained on the leaked Microsoft Windows source code >> and he >> used elements of that code when asked to write an FFmpeg patch, would >> that >> patch be acceptable in your eyes? >> >> We should forbid human written code? > > I mean, that is in fact generally how situations like that are handled. > At least I have seen it multiple times on Projects like the Dolphin > Emulator that people who read the leaked Nintendo code were barred > from ever contributing again once found out, cause it would give > Nintendo legal ground to take down the project. That seems a bit over-cautious, like banning all contributions where LLMs have been involved. The discussion was started with the topic of security patches in mind, and I don't think that the typical 1-3 line patch for buffer overruns or pointer double free can be considered copyrightable material. This is different from implementing a new codec, or creating a new filter. Regards, Tobias _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-11 2:59 ` Michael Niedermayer via ffmpeg-devel 2025-11-11 6:49 ` Rémi Denis-Courmont via ffmpeg-devel 2025-11-12 8:09 ` Kieran Kunhya via ffmpeg-devel @ 2025-11-12 8:24 ` Christophe Gisquet via ffmpeg-devel 2025-11-12 10:26 ` Thomas Dullien via ffmpeg-devel 2 siblings, 1 reply; 16+ messages in thread From: Christophe Gisquet via ffmpeg-devel @ 2025-11-12 8:24 UTC (permalink / raw) To: FFmpeg development discussions and patches Cc: Michael Niedermayer, Christophe Gisquet Hello, Le mar. 11 nov. 2025 à 04:01, Michael Niedermayer via ffmpeg-devel <ffmpeg-devel@ffmpeg.org> a écrit : > If you have concrete legal analysis or case law that supports this claim, please share it. I can name at least one Fortune 500 companies, that maybe won't disclose publicly these facts, that did equivalent analysis and have basically forbidden use of "AI"-generated code for distributed software. By way of consequence, if that matters to you, maybe these companies would be very concerned that the ffmpeg project included such code. Second, Gyan's Linux Foundation link is extremely telling: 1) You need to be able to identify whether the LLM output comes from copyrighted code. ie, what it was trained on. 2) You need to report the portions affected, included with license It's not making it forbidden, just impossible to abide by. -- Christophe _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-12 8:24 ` Christophe Gisquet via ffmpeg-devel @ 2025-11-12 10:26 ` Thomas Dullien via ffmpeg-devel 0 siblings, 0 replies; 16+ messages in thread From: Thomas Dullien via ffmpeg-devel @ 2025-11-12 10:26 UTC (permalink / raw) To: FFmpeg development discussions and patches Cc: Michael Niedermayer, Christophe Gisquet, Thomas Dullien Hey all, a quick note: As a person outside of the ffmpeg project that just happened to contribute a patch, here is my understanding of the legal situation: 1) Strictly speaking, "nobody knows" what the legalities of LLMs are going to be. The big LLM providers are trying hard to establish precedent(s) so that when the actual laws are adapted, they will reflect current practice; therefore the LLM providers try very hard to establish "as practice" what is beneficial to themselves. 2) It is very instructive to look at the process that ended up with software falling under copyright law. This is much more recent than people think: The CONTU commission ran from 1974 to 1978, and it wasn't until 1980 that the law that put software firmly under the copyright regime we know today was passed. If you love copyright law, you can find their meeting notes online. 3) If you take a strict interpretation of the current copyright law, LLM weights cannot be copyrighted (they are derived by applying a formula to data, not a creative act); this hasn't stopped all the LLM companies to attach license terms to their releases, pretending as if copyright applied. The goal here is to establish precedent so that in the future LLM weights will be deemed copyrightable. 4) There are valid arguments that - if LLM weights are copyrightable - they might be derived works of the training data, and with it, the output would be tainted (by being similar to a song that consists only of sampled music: There is some input by the composer, but it remixes lots of other copyrighted material). There are practical issues with this, but more importantly, given the importance of the AI boom for US GDP currently, there are strong economic incentives for this interpretation to not gain traction. 5) So the current position that the LLM providers take is "our weights are copyrightable (even when current law says it isn't), but all your data we trained on is present in such miniscule dilution that there's no taint" (even when current law provides arguments it should be). Clearly this is primarily serving their own interests, with the goal to establish law in their favour. Given that the future legal regime is entirely unclear, it is a valid decision for each person (or group of persons) that maintains code to either (a) take the side that the most likely outcome is that LLM-generated output is taint-free, or (b) take the side that the most likely outcome is that LLM-generated output is tainted. This is less a statement about today's laws, and more a statement about "which societal forces will be stronger in shaping the consensus". I'm completely impartial to what FFmpeg (as a project) decides - for the moment, the patch is human-authored anyhow, so it doesn't matter much for *this patch*. That said, it would be helpful to know if commit messages can be authored by AI if clearly labeled. If societal consensus falls on the side of AI output being tainted, commit messages *can* be removed automatically, albeit at a cost of changing the hashes in the git commit history. Cheers, Thomas Am Mi., 12. Nov. 2025 um 09:24 Uhr schrieb Christophe Gisquet via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>: > Hello, > > Le mar. 11 nov. 2025 à 04:01, Michael Niedermayer via ffmpeg-devel > <ffmpeg-devel@ffmpeg.org> a écrit : > > If you have concrete legal analysis or case law that supports this > claim, please share it. > > I can name at least one Fortune 500 companies, that maybe won't > disclose publicly these facts, that did equivalent analysis and have > basically forbidden use of "AI"-generated code for distributed > software. > By way of consequence, if that matters to you, maybe these companies > would be very concerned that the ffmpeg project included such code. > > Second, Gyan's Linux Foundation link is extremely telling: > 1) You need to be able to identify whether the LLM output comes from > copyrighted code. ie, what it was trained on. > 2) You need to report the portions affected, included with license > It's not making it forbidden, just impossible to abide by. > > -- > Christophe > _______________________________________________ > ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org > To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org > _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
* [FFmpeg-devel] Re: question about submitting security patches 2025-11-08 8:34 [FFmpeg-devel] question about submitting security patches Thomas Dullien via ffmpeg-devel 2025-11-10 16:03 ` [FFmpeg-devel] " Rémi Denis-Courmont via ffmpeg-devel @ 2025-11-13 5:36 ` compn via ffmpeg-devel 1 sibling, 0 replies; 16+ messages in thread From: compn via ffmpeg-devel @ 2025-11-13 5:36 UTC (permalink / raw) To: FFmpeg development discussions and patches; +Cc: ff On 2025-11-08 00:34, Thomas Dullien via ffmpeg-devel wrote: > What's the best way to submit these patches? There is the bug tracker, > there is this > mailing list - what's the best way to contribute them? > > Cheers, > Thomas the best way is whatever you prefer. https://code.ffmpeg.org/FFmpeg is the new way. the mailing list is also OK to post patches. -compn compn@ffmpeg.org _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2025-11-14 7:42 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2025-11-08 8:34 [FFmpeg-devel] question about submitting security patches Thomas Dullien via ffmpeg-devel 2025-11-10 16:03 ` [FFmpeg-devel] " Rémi Denis-Courmont via ffmpeg-devel 2025-11-10 16:19 ` Thomas Dullien via ffmpeg-devel 2025-11-11 2:59 ` Michael Niedermayer via ffmpeg-devel 2025-11-11 6:49 ` Rémi Denis-Courmont via ffmpeg-devel 2025-11-11 8:27 ` Gyan Doshi via ffmpeg-devel 2025-11-12 8:09 ` Kieran Kunhya via ffmpeg-devel 2025-11-13 3:06 ` Michael Niedermayer via ffmpeg-devel 2025-11-13 3:52 ` Kieran Kunhya via ffmpeg-devel 2025-11-13 18:38 ` Michael Niedermayer via ffmpeg-devel 2025-11-13 14:50 ` Timo Rothenpieler via ffmpeg-devel 2025-11-13 18:59 ` ff--- via ffmpeg-devel 2025-11-14 7:40 ` Tobias Rapp via ffmpeg-devel 2025-11-12 8:24 ` Christophe Gisquet via ffmpeg-devel 2025-11-12 10:26 ` Thomas Dullien via ffmpeg-devel 2025-11-13 5:36 ` compn via ffmpeg-devel
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel This inbox may be cloned and mirrored by anyone: git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \ ffmpegdev@gitmailbox.com public-inbox-index ffmpegdev Example config snippet for mirrors. AGPL code for this site: git clone https://public-inbox.org/public-inbox.git