XZ Utils and FFmpeg: The end of free software?

Greed, exhaustion and evil endanger free software

What happened these last few days with XZ Utils and FFmpeg generates a lot of concern about the future of free software. I realize that the title sounds like clickbait, but my intention is not to be apocalyptic or generate visits but to point out a fact that is causing concern in many observers.
Richard Stallman is a great programmer, but knowing human nature is not his thing. The free software movement requires the good will of most of the participants and that is what seems to be missing.

I'm not blaming Stallman for being successful. But, probably if the Free Software Foundation had been run by someone who knew better how the industry worked, precautions probably could have been taken to avoid these situations.

About XZ Utils and FFmpeg

As we said in the aforementioned article, XZ Utils is a compression library that most Linux distributions usually include. As the main developer was exhausted, he handed over the initiative to another developer calling himself Jian Tao. A programmer discovered that Jian Tao included code that could facilitate unauthorized access under certain circumstances. Later investigations showed that he had already attempted to do so in another project.

FFmpeg is an open source library for recording, editing and transcoding multimedia content.

In the account from the social network X of the project was published:

The xz fiasco has shown how reliance on unpaid volunteers can cause major problems. Billion-dollar companies expect free and urgent support from volunteers.
@Microsoft @MicrosoftTeams posted on a volunteer-run bug tracker that their issue is "high priority"
After politely requesting a support contract from Microsoft for long-term maintenance, they instead offered a one-time payment of a few thousand dollars.

This is unacceptable.

This is not the first time that a volunteer has created a security problem.

Heartbleed was a serious security issue for the open source OpenSSL library. This was a vulnerability that allowed attackers to read the memory of a server or client, accessing confidential information. stored in memory, such as a server's SSL private keys.

The vulnerability was introduced in a patch that a volunteer uploaded an hour before the new year. Malicious intent was not suspected at the time.

The origin of the problem

In the first two decades of this century, there was a change in the business model of technology companies specialized in solutions for large companies and organizations. Traditionally It was based on the sale of physical products. This is combined hardware and software solutions sold on physical media.

With the spread of the Internet and the popularization of the cloud, the axis of profitability shifted from the sale of physical products to the provision of services. Companies like IBM, Red Hat, Oracle and later Ubuntu built a business based on Linux and other open source products by charging for technical support. Over time, Microsoft itself had to add support for these projects to its own cloud platform.

The issue is that many of these companies benefit from free and open source software but do not contribute. Both my colleagues and I have covered the news of several projects that changed their license because they are used to make money by organizations that give nothing back in return.

That combination of exhausted developers, bad faith, government espionage and greed is creating a dangerous cocktail which can eventually lead to the end of the free software movement both due to lack of volunteers and loss of its credibility.

How to solve it?
I think that a change should be made in the licenses of both free and open source software, forcing those who obtain an economic benefit to contribute to those projects from which they benefit.

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.