[vlc-devel] Debian/Ubuntu VLC

Reinhard Tartler siretart at tauware.de
Sun Jul 18 09:00:47 UTC 2010 

On Fri, Jul 16, 2010 at 10:55:02 (CEST), Rémi Denis-Courmont wrote:

> On Tue, 13 Jul 2010 10:14:52 -0400, Reinhard Tartler <siretart at tauware.de>
> wrote:
>> On Tue, Jul 13, 2010 at 10:01:13 (EDT), Rémi Denis-Courmont wrote:
>> 
>>>> Ping maintainers and debian security team. Indicate the security
>>>> issue, the patch and or new tarball.
>>>
>>> It's not like it's not known:
>>> http://security-tracker.debian.org/tracker/status/release/stable
>> 
>> it lists 4 CVEs: CVE-2010-1441 - 1445, all of them only affecting the
>> 0.8 series and without any details.
>
> My point was, the Debian Security team already knows about this, since they
> have put in their tracker. That is all.

I take this as you didn't contact the team directly yet. I'm doing this
now with this mail.

Security team: It seems that you are aware of 4 CVEs, for which even an
upstream security announcement has been made.

I now wonder why is vlc in stable in such a bad shape, and I wonder if
there should be an official DSA EOL announcement about that in order to
communicate this issue to our users clearly.

[...]
>> So this piece of information is pretty useless for identifying
>> missing changes in 0.8.x.
>
> That's not my problem (anymore). We have made about twenty releases, from
> four different branches since Debian Stable has last updated. The VideoLAN
> does not have the resources to maintain four branches at a time. But, in
> fact, that is irrelevant because Debian does _not_ follow our updates
> anyway. Otherwise they would at least have 0.8.6i. So keeping the
> 0.8-bugfix branch alive would have been a pure waste of time.

TBH, I was totally unaware of the 0.8.6i release and about its changes.
I've just taken a look at its gitweb:

http://git.videolan.org/?p=vlc/vlc-0.8.git;a=shortlog;h=refs/tags/0.8.6i

To me, it indeed seems to be a good idea to upload this either to
lenny-security or lenny-proposed.

Security team, what do you think about this?

> I am not aware of any entity (in general) following any of the older
> branches, 0.8, 0.9 and 1.0. I only know:
> - entities not updating (at all), and
> - entities following the very latest version.
> And indeed, polls for interested parties in maintaining each of the older
> branches have all been left without answers this far.

I'm not aware of neither these changes you're talking about, nor about
these polls. What, in your opinion, should the pkg-multimedia team, or
if you prefer, Debian as a project, have done to be aware of those
changes and the polls?

> Canonical puts VLC in universe, wash their hands as far support is
> concerned. But Debian pretends to support VLC except it does not.

The bottom line in both distros is the same: For both distros,
maintaining vlc is a community effort, and in both cases, we face the
similar symptoms. My hypothesis is in both cases that maintaining vlc
properly is too hard.

What can we do to improve the situation?

(I'm not answering in this mail, but I'll do so in a followup.)

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

More information about the pkg-multimedia-maintainers mailing list