[vlc-devel] FYI: Serious bug in old LIVE555 library versions - affecting VLC
Rémi Denis-Courmont
remi at remlab.net
Wed Nov 27 15:21:34 CET 2013
On Wed, 27 Nov 2013 03:35:36 -1000, Ross Finlayson <finlayson at live555.com>
wrote:
>> upgrading live555 to the newest version will include a lot of other
>> changes, too
>
> You say that like it's a bad thing :-)
It _is_ a bad thing for more than one reason.
- The VLC contrib system includes a secure hash of every source tarball.
This ensures that an attacker cannot replace the source code silently in a
subsequent build, and that the download was not corrupted. If you silently
change or remove the tarball, it fails.
- The library interface sometimes changes. The VLC source code cannot
magically auto-update itself; it needs to be built with a compatible
version of live555. This is even more true for the older VLC releases.
- Not all new releases are better than the older ones. Regressions do
happen. Sticking to a known good version is a feature, not a bug. (And many
new features require VLC source code changes to leverage them.)
- Some downstream distributions have strict rules on security or critical
updates. By policy, they cannot accept bulk updates.
--
Rémi Denis-Courmont
Sent from my collocated server
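The first bullet above describes pinning a secure hash for every source tarball so that a silently replaced or corrupted download makes the build fail. The following POSIX shell script is an added example, not part of the message or of VLC's contrib build system: it verifies a tarball against a pinned digest before anything is unpacked, and the demo constructs a local tarball and then tampers with it to show the check rejecting the modified file. It assumes SHA-256 (via coreutils `sha256sum` or BSD `shasum`) for portability; the function names `digest`, `verify_tarball` and `demo`, and the `live555-demo` file name, are hypothetical.

```shell
#!/bin/sh
# Added example (not VLC's contrib system): verify a source tarball against a
# pinned checksum before unpacking it, and fail loudly on mismatch. The idea is
# the one the message describes: a hash recorded alongside the build recipe
# means a swapped or corrupted tarball cannot enter a later build unnoticed.

# Portable SHA-256 digest: coreutils sha256sum or BSD shasum.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE EXPECTED_HASH
# Returns 0 when the file's digest equals the pinned value, 1 otherwise.
# Callers must not unpack the file unless this returns 0.
verify_tarball() {
    file=$1
    expected=$2
    actual=$(digest "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file matches pinned hash"
        return 0
    fi
    echo "FAIL: $file digest $actual does not match pinned $expected" >&2
    return 1
}

# Constructed demo: build a tiny tarball locally instead of downloading one,
# record its hash as the "pinned" value, then simulate a silent replacement.
demo() {
    workdir=$(mktemp -d)
    mkdir "$workdir/live555-demo"
    printf 'placeholder source\n' > "$workdir/live555-demo/README"
    ( cd "$workdir" && tar -cf live555-demo.tar live555-demo )
    tarball="$workdir/live555-demo.tar"

    pinned=$(digest "$tarball")   # what the recorded checksum would hold
    verify_tarball "$tarball" "$pinned" || { rm -rf "$workdir"; return 1; }

    # Silently modify the tarball: the pinned hash must no longer match.
    printf 'tampered\n' >> "$tarball"
    if verify_tarball "$tarball" "$pinned" 2>/dev/null; then
        rm -rf "$workdir"
        return 1   # tampering went undetected; treat as failure
    fi
    rm -rf "$workdir"
    return 0
}
```

Source the file and run `demo` to see one accepted and one rejected verification; in a real build recipe the pinned value comes from a checksum file kept in version control, so changing the tarball without updating that file is exactly what makes the build stop.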