[vlc-devel] [PATCH 9/9] lua: http: Announce the web interface over mdns

[Pierre Ynard]

> Howerver I thought we didn't want to invest much on securing the
> interface because it was meant to be explicitely enabled & password
> protected, so I'm not sure we should wait for that to happen.

It might be meant to be, but I'm afraid this might in fact be more like
wishful thinking. There are quite a few users out there fumbling their
way through preferences while experimenting with some feature or issue,
enabling random stuff without really understanding what they're doing.
Recent case in point: #25072 - HTTP streaming issue because a user
enabled the web interface while trying to set up HTTP streaming, and
now the web interface tries to run on every VLC instance they launch.
Probably forever from now on.

As for the password-protected part, it is very problematic too in
several ways.

I would also tend to disagree with your other premise and opinion. I
don't want to point fingers here. But funnily enough we're talking about
a lua feature, and saying in the same sentence "I thought we didn't want
to invest much on [doing things correctly]" and "I'm not sure we should
wait for that to happen", which has been the very object of recurring
complaint about the integration of ill-designed, unfinished, broken lua
features.

In reality the web interface has been escaping the moderate attempts at
keeping it inoffensive. Saying those attempts are sufficient sounds a
lot like rationalization. Not waiting for the requisite security before
advertising the interface would be a technical mistake.

-- 
Pierre Ynard
"Une âme dans un corps, c'est comme un dessin sur une feuille de papier."