[vlc-devel] [PATCH 2/2] playlist/fetcher: do not ignore metadata scope when downloading art

Rémi Denis-Courmont remi at remlab.net
Sun Dec 11 13:02:55 CET 2016


On Sunday, 11 December 2016, 12:34:26 EET, Filip Roséen wrote:
> Hi Pierre,
> 
> On 2016-12-11 05:28, Pierre wrote:
> > > I cannot see any other way to interpret the flag, and the intent has
> > > always been to block metadata lookup and access for the described set
> > > of entities (when the flag is enabled).
> > 
> > I disagree, the intent has been to prevent privacy leaks through
> > metadata lookup and access. Metadata lookup and access that don't
> > cause privacy leaks (e.g. getting the associated art from the same
> > video website that is already getting queried) are a grey area of
> > interpretation that you're now denying.
> 
>  - Exactly what is it that I am *"now denying"*?
> 
> I honestly cannot read `--no-network-metadata-access` and see your
> point, if it was meant to block *metadata lookups*; why is it not
> named `--no-network-metadata-lookup`?

First, I don't see the problem. The metadata is the album art URL, not the 
resource that the URL represents.

Second, the difference between asking a third party for metadata and 
retrieving a known resource from the second party is clear.

And third, album art retrieval used to have its own "album-art" tristate.
It's rich of a VideoLabs employee to argue that the policy should be changed 
because another VideoLabs employee changed the settings name.

> > Meta lua scripts have an explicit privacy scope, and their output can be
> > more or less trusted. The output of lua website demuxers can be trusted
> > and have no privacy impact. I'm not aware of any protection in other
> > demuxers from untrusted art URLs, nor from privacy leaks they might
> > incur.
> 
> Demuxers generally do not download any metadata, that happens in the
> affected code-path which the original patch modified.

That is completely irrelevant. Demuxers (and previously stream filters) 
routinely fetch referred resources automatically from the network. From a 
privacy and security point of view, this is no better or worse than fetching a 
cover.

Adaptive is a prime example of that.

If you want to prevent VLC from using the network, then firewall it. I cannot 
see any sense for the sake of privacy in blocking the art fetcher, but letting 
other forms of automatic network access.

-- 
Rémi Denis-Courmont
https://www.remlab.net/


