[vlc-devel] Future of the update mechanism

jpd at videolan.org jpd at videolan.org
Thu Jul 30 02:05:02 CEST 2009

On Wed, Jul 29, 2009 at 06:37:20PM +0200, Felix Paul K?hne wrote:
> However, courmisch got a really good point. SSL is expensive, both  
> money and CPU-wise. If we want to get a SSL certificate anyway, "my"  
> approach might be a good idea. If not, well having a trusted SSL  
> certificate for trac, etc. would be good as our SSL connections don't  
> really make sense right now.

So what about, say, feeding a ssl implementation our self-signed (and
thus free) CA certificate that we ship with vlc to authenticate our
updates, but otherwise using a simple http fetcher to go-for an updated
installer? Could even use system supplied implementations of either

I'm not aware that ssl is much more computationally expensive than
gpg and except for the added ``pay us to trust us'' scam it has about
the same problems. Given that, and that update checks should occur
only occasionally (say, once a week or something, given our release
schedule), and perhaps don't need ssl to check for updates, I don't see
much objection against ssl itself. But that clearly only as long a setup
doesn't somehow (artificially) require a paid-for certificate.

But most importantly, I'm neither interested in defending the current
state of affairs nor in hearing why one particular alternative is
great. I want to hear about multiple alternatives including less than
immediately obviously usable ones. IE. multiple choices.

More information about the vlc-devel mailing list