[vlc-devel] Debian/Ubuntu VLC

Reinhard Tartler siretart at tauware.de
Sun Jul 18 18:14:26 CEST 2010

On Sun, Jul 18, 2010 at 17:23:48 (CEST), Rémi Denis-Courmont wrote:

>> And I'm asking you *again*: What can we do so that the situation
>> improves? Are you evading my question? We know that we suck in this
>> regard, emphasizing this part from your side is probably not going to
>> improve the situation.
> I DON'T KNOW? It's not up to me how Debian, Ubuntu and pkg-multimedia work.
> As already stated, nobody answered when older releases support was questioned. 
> The 1.0-bugfix branch could be reopened for security fixes as there has not 
> been any known vulnerability since 1.0.6 and 1.1.0 were released. It is 
> probably too late for stability non-security fixes though, as we've let slip 
> far too many of them.

Well, maybe this is too obvious, but it would really help if videolan's
security announcements would be a) more focused and b) much clearer in
future. If it was clear what patches are related to what VSA,
backporting them to earlier releases would be much easier to
everyone.  The last 3 VLAs all basically said "there is a problem,
please update" without any proper classification of the severity nor
what the actual change was to fix the issue. They just point to "use the
latest release" but looking at the respective bugfix branch, I see many
janitor commits interleaved with potentially related commits.

I think the biggest problem we face here is communication. It is totally
unreasonable to expect everyone to read and follow vlc. Can you please
either be more explicit with your VSAs or perhaps create a more
specialized mailing list for such issues?

> But even then, how do you plan to upgrade from 1.0.2 to 1.0.6?

I don't understand the question. Of course by preparing an upload and
uploading it!

> Or from 1.1.x in final Maverick, to 1.1.x+{1,2,...} ? VideoLAN won't
> provide one stable tree per release! We can't afford the kernel's
> luxury time-wise.

I guess 1.0-bugfix and 1.1-bugfix branches do exist, yes?  What's the

> As for 0.8.6-bugfix and 0.9-bugfix, I think it's game over for good. Hence, 
> Lenny, Hardy and Jaunty should probably drop VLC altogether.

Noted, thanks, let's see what the Debian security team thinks about this.

The packages themselves are still useable, so removing it might be a bit
too aggressive. Doing a proper EOL via security announcement channels
seems more appropriate to me, or do I miss something?

Reinhard Tartler, KeyID 945348A4

More information about the vlc-devel mailing list