[vlc-devel] Debian/Ubuntu VLC

[Rémi Denis-Courmont]

On Mon, 12 Jul 2010 22:28:59 +0200, Benjamin Drung <bdrung at ubuntu.com>
wrote:
> I doubt that we can pull a new upstream version into a stable Ubuntu
> release (e.g. vlc 1.1.0 in Ubuntu 10.04), because the new version breaks
> the ABI of the older version and therefore break applications that uses
> libvlc.

Not true for 9.10 which ships 1.0.2, while 1.0.6 has no known security
issues.

> The normal way for stable releases is to cherry-pick security
> fixes and apply them to the older version. How much manpower do you have
> to support this model?

English is ambiguous here. *I* definitely won't spend time on 0.8 or 0.9,
and I very much doubt anyone else will.

As for 1.0, it all depends how hard specific fixes will be, which is
undecidable until shit happens.

> The process would be:

> 1. Open a bug report in Launchpad stating the security bug
> 2. Produce a patch that fixes the bug in the latest trunk version
> 3. Backport the patch against trunk to the older versions of vlc
> 4. Release the security update

Someone needs to dig the security patches out of 1.0-bugfix from 1.0.2 to
1.0.6. That's not really difficult; it's just time consuming. The VideoLAN
project is already doing that for the latest 1.0.x. We are not going to do
that for all of the 1.0.x revisions individually. If distribution FOOBAR
decides to fork the maintenance process, then that's FOOBAR's problem. And
when FOOBAR does not stand up to its own process, you get pathetic results
like VLC in Debian Stable.

We are already sorting Ubuntu VLC bug reports, made 1.0.6 more or less only
for Ubuntu LTS, report security issues in your bug tracker. Where does this
stop? We're _not_ paid.

> Looking at the Ubuntu bugs, there is only one security bug reported:
> https://bugs.launchpad.net/ubuntu/+source/vlc/+bug/295464

-- 
Rémi Denis-Courmont
http://www.remlab.net
http://fi.linkedin.com/in/remidenis