[vlc-devel] Update on the web plugins

Rémi Denis-Courmont remi at remlab.net
Wed Mar 30 23:44:29 CEST 2011


A few people have asked why Secunia has kept flagging the VLC web plugins as 
insecure for several releases (Secunia Advisory SA41810). Unfortunately, I 
believe Secunia is correct. The bug that has been disclosed quite a while ago 
regarding web plugins is still wide open. Some might argue it is not a 
security issue, rather a plain stability problem. But that is kinda 
irrelevant. It is a major bug in any case.

Now a side story: I have been a guest speaker on VLC at some small scale 
conference in Helsinki a few years ago. There were critics from the audience 
about the claimed lower quality/stability of the then latest release 
(0.9.something) compared to previous one (I guess 0.8.6). My answer then is 
sadly still valid today. Help is more than welcome.

Back to the matter. The web plugins have been mainly developed by one former 
VLC developer as part of his job (as I understand). The guy left a few years 
ago. The Mozilla and ActiveX plugins have been almost totally unmaintained 
since then, and technical debt is accumulating.

As volunteer security contact for the project, I believe I have to keep you 
aware of the situation, and issue this call for help. There you go.

Best regards,

Rémi Denis-Courmont

More information about the vlc-devel mailing list