[vlc-devel] 0.8.6d Release schedule

Remi Denis-Courmont rdenis at simphalempin.com
Fri Nov 23 13:49:54 CET 2007

On Fri, 23 Nov 2007 12:51:01 +0100, Rafaël Carré <funman at videolan.org>
> Do the files really have to be served through HTTPS ?

No. What would need to be done is:
1/ authenticate the update informations, supposedly using public key
   cryptography, whereby the "VideoLAN release manager" gets the private
   and the public key is included in the player.
2/ provide file sums (e.g. SHA256) for the files to be downloaded, and
   check them after download, but before the update starts.

Note that none of these require SSL. The infos could be signed just once
every time they are updated, and served over any insecure channel.

Unfortunately, we haven't anything that looks remotely like it would be
capable of doing this in the current code (would be tricky for 0.9.0, and
pretty impossible for 0.8.6d).

> I would think:
> 	1/ Authenticate videolan.org with HTTPS
> 	2/ Look for potential updates with HTTP
> 	3/ Download them with HTTP

I don't understand.

Rémi Denis-Courmont

More information about the vlc-devel mailing list