[vlc-devel] Consider contrib hashing mandatory

Rémi Denis-Courmont remi at remlab.net
Tue Feb 21 09:22:16 CET 2017

On February 21, 2017 9:54:29 AM GMT+02:00, Jean-Baptiste Kempf <jb at videolan.org> wrote:
>On Mon, 20 Feb 2017, at 21:39, Rémi Denis-Courmont wrote:
>> > What should be  the policy for ffmpeg and x264 in the master branch
>> > stable) ?
>> The policy is that you can't do that.
>I don't think it is a good idea, sorry. We'll now get a weekly commit
>updating the HASH of ffmpeg and libav on master.
>Jean-Baptiste Kempf -  President
>+33 672 704 734
>vlc-devel mailing list
>To unsubscribe or modify your subscription options:

I don't think there is a reasonable alternative.

The current rules have broken dependencies because of that, and the tree becomes unusable after a while. I have already been fucked by this several time, trying to bisect old versions, only to find out that old contrib is no longer compatible with its contemporary vlc.git.

Then there is the security issue. It seems intrinsically impossible to authenticate HEAD. At best, you can use TLS and trust upstream. That is CVE and well-deserved public shaming waiting to happen.

And last, there is the legal issue. One must provide matching sources for binaries for 2 years longer than the binaries themselves. How do you do that of contribs are not reproducible?

Rémi Denis-Courmont

More information about the vlc-devel mailing list