[HDThoreaun]

This is all true(maybe not the extortion being worse hard to say), but it doesnt change the fact that publishing the CVE is a demand to fix it.

[ikiris]

No, it is a notice to others that your software as-is is insecure in some way. The pre notice is again a courtesy if you want to fix it.

What you do with the notice as a dev is up to you, but responsible ones would fix it without throwing a tantrum.

Devs need to stop thinking of themselves as the main character and things get a lot more reasonable.

[saagarjha]

No, it is a request to fix it. How the maintainer feels about it is up to them.

[HDThoreaun]

A request to fix it would be privately telling the maintainers about the issue. Publicly releasing it is a demand.

[saagarjha]

This is not how filing issues against open source software works.

[HDThoreaun]

You dont get to decide that lmao. Telling everyone this project doesnt care about security if they ignore my CVE is obviously a demand and your traditions can not change that

[Dylan16807]

> Telling everyone this project doesnt care about security

Google did nothing like this.

If people infer that a hypothetical project doesn't care about security because they didn't fix anything, then they're right. It's not google's fault they're factually bad at security. Making someone look bad is not always a bad action.

Drawing attention to that decision by publicly reporting a bug is not a demand for what the decision will be. I could imagine malicious attention-getting but a bug report isn't it.

[HDThoreaun]

Bullshit. That is exactly what google is doing. Demands aren’t necessarily malicious, but they’re certainly annoying for the person being demanded.

[saagarjha]

If the FFmpeg team does not want people to file bug reports, then they should close their public issue tracker. This is not something that I decided but a choice that they made.

[walletdrainer]

CVE!=vulnerability

These two terms are not interchangeable.

Most vulnerabilities never have CVEs issued.