[vlc-devel] Debian/Ubuntu VLC

Dmitrijs Ledkovs dmitrij.ledkov at ubuntu.com
Tue Jul 13 00:22:11 CEST 2010

2010/7/12 Rémi Denis-Courmont <remi at remlab.net>:
>        Hello,
> I think it is fair to say that there is increasing frustration from users and
> developers w.r.t. the state of VLC in Debian & Ubuntu. I am left wondering
> what is the best way forward...
> 1) Debian stable
> Some time ago, one of the Debian Security (testing or stable, I honestly don't
> remember) complained that the VideoLAN project security update process was
> less than optimal. Guess what? It's been almost 3 months since we released VLC
> 1.0.6, and still Debian Stable ships the same security holes. If we are doing
> less than optimal, Debian Stable is doing outright PATHETIC.

Ping maintainers and debian security team. Indicate the security
issue, the patch and or new tarball.
Depending on severity it can either go to -security pocket or later as
an update.
To effectivly track the issue either a CVE number or DSA report should
be filled.

> 2) Ubuntu current version
> Sooner or later, someone will find a security hole in VLC 1.0.6. If not for
> security, there are known critical bugs already. For a start, the Mozilla
> plugin just crashes. Always.

Similar workflow. File a bug in launchpad against vlc package, mark it
as security issue provide as much detail as you can. Ubuntu/Canonical
security teams will review it and push to -security or -proposed
updates -> -updates.

> If I understand right, Reinhard considered making a PPA, whereas Benjamin
> suggested VideoLAN make a PPA. Either way, I am concerned that this will cause
> a flood of untraceable Apport crash reports. How are we supposed to fix that?

Currently apport crash reports can not be filed against packages from
ppa. Apport will not do them =( So there won't be any apport crash
reports from ppa.

It doesn't matter who creates the ppa as long as it is maintained
continiously users will pick it up and it will show up on the
launchpad.net/ubuntu/+source/vlc page when clicking search for other

> 3) Ubuntu LTS
> At this point in the spacetime continuum, LTS is the current version. But what
> should be done in a few months when it's not the case anymore?

Security issues should be filed as described before. To include of the
bat a new version of vlc with features make sure new vlc is in newer
release and then propose a backport as described on
https://help.ubuntu.com/community/UbuntuBackports Then newer version
of vlc will be included in e.g. Lucid.

Alternativly you can provide a ppa for all releases you seem fit. In
the near future there are plans to allow post-release updates via
"blessed" ppa's via Software Centre..... but these are vague plans
right now =) wait until 10.10 or 11.04 to see how that will turn out.
PPA is the quickest of the two delivery methods.

> 4) Ubuntu older versions
> Ubuntu happily ships VLC with known security holes. WTH?

In the same security bug add affects multiple ubuntu series. You can
see the currently supported releases here
https://wiki.ubuntu.com/Releases and you should target the security
bug against all currently supported releases on the desktop. All of
these still qualify for security updates.

> --
> Rémi Denis-Courmont
> http://www.remlab.net/
> http://fi.linkedin.com/in/remidenis
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> http://mailman.videolan.org/listinfo/vlc-devel
> _______________________________________________
> pkg-multimedia-maintainers mailing list
> pkg-multimedia-maintainers at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers

More information about the vlc-devel mailing list