[vlc-devel] Debian/Ubuntu VLC

Rémi Denis-Courmont remi at remlab.net
Tue Jul 13 16:01:13 CEST 2010


On Mon, 12 Jul 2010 23:22:11 +0100, Dmitrijs Ledkovs
<dmitrij.ledkov at ubuntu.com> wrote:
> 2010/7/12 Rémi Denis-Courmont <remi at remlab.net>:
>>        Hello,
>>
>> I think it is fair to say that there is increasing frustration from
>> users and developers w.r.t. the state of VLC in Debian & Ubuntu. I am
>> left wondering what is the best way forward...
>>
>> 1) Debian stable
>>
>> Some time ago, one of the Debian Security (testing or stable, I honestly
>> don't remember) complained that the VideoLAN project security update
>> process was less than optimal. Guess what? It's been almost 3 months
>> since we released VLC 1.0.6, and still Debian Stable ships the same
>> security holes. If we are doing less than optimal, Debian Stable is
>> doing outright PATHETIC.
>>
> 
> Ping maintainers and debian security team. Indicate the security
> issue, the patch and or new tarball.

It's not like it's not known:
http://security-tracker.debian.org/tracker/status/release/stable

It's more like nobody cares.

> Depending on severity it can either go to -security pocket or later as
> an update.
> To effectively track the issue either a CVE number or DSA report should
> be filed.

>> 2) Ubuntu current version
>>
>> Sooner or later, someone will find a security hole in VLC 1.0.6. If not
>> for security, there are known critical bugs already. For a start, the
>> Mozilla plugin just crashes. Always.
>>
> 
> Similar workflow. File a bug in launchpad against vlc package, mark it
> as security issue provide as much detail as you can. Ubuntu/Canonical
> security teams will review it and push to -security or -proposed
> updates -> -updates.

That solution straight from the textbook simply does not work. I don't buy
the Debian/Ubuntu PR, at least not anymore.

>> 4) Ubuntu older versions
>>
>> Ubuntu happily ships VLC with known security holes. WTH?
>>
> 
> In the same security bug add affects multiple ubuntu series. You can
> see the currently supported releases here
> https://wiki.ubuntu.com/Releases and you should target the security
> bug against all currently supported releases on the desktop. All of
> these still qualify for security updates.

Some of those bugs have been open for many months. Nobody cares.
Look at this old example:
https://bugs.launchpad.net/ubuntu/+source/vlc/+bug/295464

-- 
Rémi Denis-Courmont
http://www.remlab.net
http://fi.linkedin.com/in/remidenis