[vlc-devel] VLC 1.0.0 release plan
rem at videolan.org
Sun Dec 7 21:33:50 CET 2008
On Sunday 7 December 2008 22:16:52, Christophe Mutricy wrote:
> > Recently the biggest German-speaking IT site
> > http://www.heise.de/newsticker/Wieder-Luecke-in-VLC-media-player--/meldung/119685
> > said it is better to use another player because of all the
> > security holes in recent times, and for several years they recommended
> > VLC because it is safer than the others. Systematically test for security
> > problems!
> Well, the other way of looking at the situation is that people care
> enough to report the problems and people (well, mainly Rémi) care
> enough to publish fixed versions and advisories.
> We could also choose to send such reports to /dev/null and maybe people
> would think that VLC is more secure.
Or we could stop this open-source project, because it is too easy to find
vulnerabilities when the code is available for everybody to look at.
The other open-source players are just as bad. At least I think I've seen yet
more mplayer-related advisories than VLC's. Xine is not exactly perfect,
albeit quite possibly better than either of the other ones. Let's not forget
that we only got Coverity this year, whereas Xine and Mplayer both have had
it from early on.
And let's mention that so many of our users are COMPLAINING about our security
measures: not running as root, not allowing playlist options, rejecting
invalid x509 TLS certs, tightening the URL parsing, purposely not
implementing HTTP cookies, etc. I would not be so sure about the competition.
By the way, none of this year's disclosures were remotely triggerable. On the
entire list, only the SAP bug could theoretically spread without the user
intervening. And the SAP parser is not even enabled by default.
Notwithstanding its historical importance for the project, it is used by well
below 1% of our user base.