[FFmpeg-devel] question about submitting security patches

[FFmpeg-devel] question about submitting security patches

[Thomas Dullien via ffmpeg-devel]

Hey all,

after the recent social media discussion around P0 reported bugs etc. I'd
like to
contribute a few patches for a few open crash bugs in the bugtracker (and
hopefully
for the remaining BIGSLEEP bug reports, too).

I am using a coding assistant combined with a stack of ASAN + rr, and while
I am not
an export on ffmpeg, I am some sort of expert on vulnerabilities.

I have prepared AI-assisted patches for https://trac.ffmpeg.org/ticket/11693
and
https://trac.ffmpeg.org/ticket/11691, and I'll review them some more but
both the
root-cause analysis and the patch seem good.

What's the best way to submit these patches? There is the bug tracker,
there is this
mailing list - what's the best way to contribute them?

Cheers,
Thomas
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Rémi Denis-Courmont via ffmpeg-devel]

Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas 
Dullien via ffmpeg-devel a écrit :
> What's the best way to submit these patches? There is the bug tracker,
> there is this mailing list - what's the best way to contribute them?

I don't think that DNN-generated patches are compatible with the LGPL in the 
first place, or it is at best very uncertain that they are. So then you cannot 
contribute DNN-generated patches in any useful way at all.

-- 
Rémi Denis-Courmont
https://www.remlab.net/



_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Thomas Dullien via ffmpeg-devel]

Hey there,


I've ended up creating a PR and made sure the patch code itself is
human-written, hence untainted - LLMs are just used in the crash triage and
analysis.

Thanks for the reply!

One (open) question: is generating commit messages by an LLM permissible,
or is that something that should also be done by human hand?

Cheers,
Thomas

On Mon, Nov 10, 2025, 5:04 PM Rémi Denis-Courmont via ffmpeg-devel <
ffmpeg-devel@ffmpeg.org> wrote:

> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika
> Thomas
> Dullien via ffmpeg-devel a écrit :
> > What's the best way to submit these patches? There is the bug tracker,
> > there is this mailing list - what's the best way to contribute them?
>
> I don't think that DNN-generated patches are compatible with the LGPL in
> the
> first place, or it is at best very uncertain that they are. So then you
> cannot
> contribute DNN-generated patches in any useful way at all.
>
> --
> Rémi Denis-Courmont
> https://www.remlab.net/
>
>
>
> _______________________________________________
> ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
> To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
>
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Michael Niedermayer via ffmpeg-devel]

[-- Attachment #1.1: Type: text/plain, Size: 940 bytes --]

Hi Remi

On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via ffmpeg-devel wrote:
> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas 
> Dullien via ffmpeg-devel a écrit :
> > What's the best way to submit these patches? There is the bug tracker,
> > there is this mailing list - what's the best way to contribute them?
> 
> I don't think that DNN-generated patches are compatible with the LGPL in the 
> first place, or it is at best very uncertain that they are. So then you cannot 
> contribute DNN-generated patches in any useful way at all.

If you have concrete legal analysis or case law that supports this claim, please share it.

thx
--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 163 bytes --]

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org

[FFmpeg-devel] Re: question about submitting security patches

[Rémi Denis-Courmont via ffmpeg-devel]

Le 11 novembre 2025 04:59:42 GMT+02:00, Michael Niedermayer via ffmpeg-devel <ffmpeg-devel@ffmpeg.org> a écrit :
>Hi Remi
>
>On Mon, Nov 10, 2025 at 06:03:38PM +0200, Rémi Denis-Courmont via ffmpeg-devel wrote:
>> Le lauantaina 8. marraskuuta 2025, 10.34.24 Itä-Euroopan normaaliaika Thomas 
>> Dullien via ffmpeg-devel a écrit :
>> > What's the best way to submit these patches? There is the bug tracker,
>> > there is this mailing list - what's the best way to contribute them?
>> 
>> I don't think that DNN-generated patches are compatible with the LGPL in the 
>> first place, or it is at best very uncertain that they are. So then you cannot 
>> contribute DNN-generated patches in any useful way at all.
>
>If you have concrete legal analysis or case law that supports this claim, please share it.

You can check what LF, Fedora, QEMU, etc, and their lawyers already did on that front.
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org