[vlc-devel] Debian/Ubuntu VLC

Rémi Denis-Courmont remi at remlab.net
Fri Jul 16 10:55:02 CEST 2010

On Tue, 13 Jul 2010 10:14:52 -0400, Reinhard Tartler <siretart at tauware.de>
> On Tue, Jul 13, 2010 at 10:01:13 (EDT), Rémi Denis-Courmont wrote:
>>> Ping maintainers and debian security team. Indicate the security
>>> issue, the patch and or new tarball.
>> It's not like it's not known:
>> http://security-tracker.debian.org/tracker/status/release/stable
> it lists 4 CVEs: CVE-2010-1441 - 1445, all of them only affecting the
> 0.8 series and without any details.

My point was, the Debian Security team already knows about this, since they
have put it in their tracker. That is all.

> So this piece of information is
> pretty useless for identifying missing changes in 0.8.x.

That's not my problem (anymore). We have made about twenty releases, from
four different branches since Debian Stable was last updated. VideoLAN
does not have the resources to maintain four branches at a time. But, in
fact, that is irrelevant because Debian does _not_ follow our updates
anyway. Otherwise they would at least have 0.8.6i. So keeping the
0.8-bugfix branch alive would have been a pure waste of time.

I am not aware of any entity (in general) following any of the older
branches, 0.8, 0.9 and 1.0. I only know:
- entities not updating (at all), and
- entities following the very latest version.
And indeed, polls for interested parties in maintaining each of the older
branches have all been left without answers thus far.

Canonical puts VLC in universe, washes its hands as far as support is
concerned. But Debian pretends to support VLC except it does not.

>> It's more like nobody cares.
> I don't think that's accurate. I'd rather guess that there is no one
> in the distro camp that knows how to match these 5 issues to patches
> that fix them.

Maybe people care but don't have time. But then why pretend that VLC is
supported (in Debian stable)?

Rémi Denis-Courmont