[vlc-devel] VLC 1.0.0 release plan

[Rémi Denis-Courmont]

Le dimanche 7 décembre 2008 22:16:52 Christophe Mutricy, vous avez écrit :
> > recently the biggest german speaking it site
> > http://www.heise.de/newsticker/Wieder-Luecke-in-VLC-media-player--/meldun
> >g/119685 said it is better to use another player because of all the
> > security holes in the recent times and for several years they recommended
> > vlc because it is safer than the others. systematically test for security
> > problems!
>
> Well the other way at looking at the situation is that people cares
> enough to report the problems and people (well, mainly Rémi) cares
> enough to publish fixed version and advisories.
>
> We could also choose to send such report to /dev/null and maybe people
> would think that vlc is more secure.

Or we could stop this open-source project, because it is too easy to find 
vulnerabilities when the code is available for everybody to look at.

The other open-source players are just as bad. At least I think I've seen yet 
more mplayer-related advisories than VLC's. Xine is not exactly perfect, 
albeit quite possibly better than either of the other ones. Lets not forget 
that we only got Coverity this year, whereas Xine and Mplayer both have had 
it from early on.

And lets mention that so many of our users are COMPLAINING about our security 
measures: not running as root, not allowing playlist options, rejecting 
invalid x509 TLS certs, tightening the URL parsing, purposedly not 
implementing HTTP cookies, etc. I would not be so sure about the competition.


By the way, none of this year's disclosure were remotely triggerable. On the 
entirely list, only the SAP bug could theoretically spread without the user 
intervening. And the SAP parser is not even enabled by default. 
Notwithstanding its historical importance for the project, it is used by well 
below 1% of our user base.

-- 
Rémi Denis-Courmont
http://git.remlab.net/cgi-bin/gitweb.cgi?p=vlc-courmisch.git;a=summary