On Mon, 12 Jul 2010 23:22:11 +0100, Dmitrijs Ledkovs <[email protected]> wrote: > 2010/7/12 Rémi Denis-Courmont <[email protected]>: >> Hello, >> >> I think it is fair to say that there is increasing frustration from >> users and developers w.r.t. the state of VLC in Debian & Ubuntu. I am >> left wondering what is the best way forward... >> >> 1) Debian stable >> >> Some time ago, one of the Debian Security (testing or stable, I honestly > don't >> remember) complained that the VideoLAN project security update process > was >> less than optimal. Guess what? It's been almost 3 months since we > released VLC >> 1.0.6, and still Debian Stable ships the same security holes. If we are > doing >> less than optimal, Debian Stable is doing outright PATHETIC. >> > > Ping maintainers and debian security team. Indicate the security > issue, the patch and or new tarball.
It's not like it's not known: http://security-tracker.debian.org/tracker/status/release/stable It's more like nobody cares. > Depending on severity it can either go to -security pocket or later as > an update. > To effectivly track the issue either a CVE number or DSA report should > be filled. >> 2) Ubuntu current version >> >> Sooner or later, someone will find a security hole in VLC 1.0.6. If not > for >> security, there are known critical bugs already. For a start, the > Mozilla >> plugin just crashes. Always. >> > > Similar workflow. File a bug in launchpad against vlc package, mark it > as security issue provide as much detail as you can. Ubuntu/Canonical > security teams will review it and push to -security or -proposed > updates -> -updates. That solution straight from the text book does simply not work. I don't buy the Debian/Ubuntu PR, at least not anymore. >> 4) Ubuntu older versions >> >> Ubuntu happily ships VLC with known security holes. WTH? >> > > In the same security bug add affects multiple ubuntu series. You can > see the currently supported releases here > https://wiki.ubuntu.com/Releases and you should target the security > bug against all currently supported releases on the desktop. All of > these still qualify for security updates. Some of those bugs have been open just for many months. Nobody cares. Look at this old example: https://bugs.launchpad.net/ubuntu/+source/vlc/+bug/295464 -- Rémi Denis-Courmont http://www.remlab.net http://fi.linkedin.com/in/remidenis _______________________________________________ pkg-multimedia-maintainers mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers
