[vlc-devel] Debian/Ubuntu VLC

Benjamin Drung bdrung at ubuntu.com
Mon Jul 12 22:28:59 CEST 2010 

Am Montag, den 12.07.2010, 21:54 +0300 schrieb Rémi Denis-Courmont:
> 	Hello,
> 
> I think it is fair to say that there is increasing frustration from users and 
> developers w.r.t. the state of VLC in Debian & Ubuntu. I am left wondering 
> what is the best way forward...
> 
> 1) Debian stable
> 
> Some time ago, one of the Debian Security (testing or stable, I honestly don't 
> remember) complained that the VideoLAN project security update process was 
> less than optimal. Guess what? It's been almost 3 months since we released VLC 
> 1.0.6, and still Debian Stable ships the same security holes. If we are doing 
> less than optimal, Debian Stable is doing outright PATHETIC.
> 
> 2) Ubuntu current version
> 
> Sooner or later, someone will find a security hole in VLC 1.0.6. If not for 
> security, there are known critical bugs already. For a start, the Mozilla 
> plugin just crashes. Always.
> 
> If I understand right, Reinhard considered making a PPA, whereas Benjamin 
> suggested VideoLAN make a PPA. Either way, I am concerned that this will cause 
> a flood of untraceable Apport crash reports. How are we supposed to fix that?

My suggestion was to make the PPA under the videolan Launchpad team and
add us packagers to the team. So that we can upload packages to the PPA,
too. This PPA would make user who wants the latest version happy, but
won't solve the security problem caused by the older version in the
official repositories.

> 3) Ubuntu LTS
> 
> At this point in the spacetime continuum, LTS is the current version. But what 
> should be done in a few months when it's not the case anymore?
>
> 4) Ubuntu older versions
> 
> Ubuntu happily ships VLC with known security holes. WTH?

I doubt that we can pull a new upstream version into a stable Ubuntu
release (e.g. vlc 1.1.0 in Ubuntu 10.04), because the new version breaks
the ABI of the older version and therefore break applications that uses
libvlc. The normal way for stable releases is to cherry-pick security
fixes and apply them to the older version. How much manpower do you have
to support this model? The process would be:

1. Open a bug report in Launchpad stating the security bug
2. Produce a patch that fixes the bug in the latest trunk version
3. Backport the patch against trunk to the older versions of vlc
4. Release the security update

Looking at the Ubuntu bugs, there is only one security bug reported:
https://bugs.launchpad.net/ubuntu/+source/vlc/+bug/295464

-- 
Benjamin Drung
Ubuntu Developer (www.ubuntu.com) | Debian Maintainer (www.debian.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20100712/e16707b4/attachment.sig>

More information about the vlc-devel mailing list