[vlc-devel] Debian/Ubuntu VLC

Reinhard Tartler siretart at tauware.de
Tue Jul 13 15:32:41 CEST 2010 

[sorry for the resent, it seems the CC line was wrong in the previous mail]

On Mon, Jul 12, 2010 at 14:54:53 (EDT), Rémi Denis-Courmont wrote:

> 	Hello,
>
> I think it is fair to say that there is increasing frustration from users and 
> developers w.r.t. the state of VLC in Debian & Ubuntu. I am left wondering 
> what is the best way forward...

Thanks for bringing this up. This has also bugged me for quite some
time.

> 1) Debian stable
>
> Some time ago, one of the Debian Security (testing or stable, I honestly don't 
> remember) complained that the VideoLAN project security update process was 
> less than optimal. Guess what? It's been almost 3 months since we released VLC 
> 1.0.6, and still Debian Stable ships the same security holes. If we are doing 
> less than optimal, Debian Stable is doing outright PATHETIC.

Well, small focused bugfixes would be ok for a security upload, and I
guess even for a point release, but something like updating from 0.8.6
to the 1.1 series would cause an unacceptable risk for regressions.

What we could do however is to ask the release team what they prefer:
either (of possible, lenny's ffmpeg is pretty dated) updating vlc in
stable to 1.0 or 1.1, or have it removed from stable. I guess the
release team has done that in a couple of cases so far.

> 2) Ubuntu current version
>
> Sooner or later, someone will find a security hole in VLC 1.0.6. If not for 
> security, there are known critical bugs already. For a start, the Mozilla 
> plugin just crashes. Always.
>
> If I understand right, Reinhard considered making a PPA, whereas Benjamin 
> suggested VideoLAN make a PPA. Either way, I am concerned that this will cause 
> a flood of untraceable Apport crash reports. How are we supposed to fix that?

Is there some 1.0 release branch that has these security fixes in? In
that case, we could (and should!) prepare uploads to the security pockets ASAP!

> 3) Ubuntu LTS
>
> At this point in the spacetime continuum, LTS is the current version. But what 
> should be done in a few months when it's not the case anymore?

Apply focused bug and security patches on a best efford basis.

> 4) Ubuntu older versions
>
> Ubuntu happily ships VLC with known security holes. WTH?

I think the answer is the same here: If there was some focused release
branch, there is no problem in uploading to the either -security or
-proposed.

If not, we can always provide some PPA and point people at it.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

More information about the vlc-devel mailing list