On Mon, 12 Jul 2010 23:22:11 +0100, Dmitrijs Ledkovs
> 2010/7/12 Rémi Denis-Courmont <r...@remlab.net>:
>> I think it is fair to say that there is increasing frustration from
>> users and developers w.r.t. the state of VLC in Debian & Ubuntu. I am
>> left wondering what is the best way forward...
>> 1) Debian stable
>> Some time ago, one of the Debian Security (testing or stable, I honestly
>> remember) complained that the VideoLAN project security update process
>> was less than optimal. Guess what? It's been almost 3 months since we
>> released VLC 1.0.6, and still Debian Stable ships the same security
>> holes. If we are less than optimal, Debian Stable is doing outright
>> PATHETIC.
> Ping maintainers and debian security team. Indicate the security
> issue, the patch and/or new tarball.
It's not like it's not known:
It's more like nobody cares.
> Depending on severity it can either go to -security pocket or later as
> an update.
> To effectively track the issue either a CVE number or DSA report should
> be filed.
>> 2) Ubuntu current version
>> Sooner or later, someone will find a security hole in VLC 1.0.6. If not
>> security, there are known critical bugs already. For a start, the
>> plugin just crashes. Always.
> Similar workflow. File a bug in launchpad against vlc package, mark it
> as security issue provide as much detail as you can. Ubuntu/Canonical
> security teams will review it and push to -security or -proposed
> updates -> -updates.
That solution straight from the text book does simply not work. I don't buy
the Debian/Ubuntu PR, at least not anymore.
>> 4) Ubuntu older versions
>> Ubuntu happily ships VLC with known security holes. WTH?
> In the same security bug add affects multiple ubuntu series. You can
> see the currently supported releases here
> https://wiki.ubuntu.com/Releases and you should target the security
> bug against all currently supported releases on the desktop. All of
> these still qualify for security updates.
Some of those bugs have been open just for many months. Nobody cares.
Look at this old example:
pkg-multimedia-maintainers mailing list