On Sun, Jul 18, 2010 at 17:23:48 (CEST), Rémi Denis-Courmont wrote:

>> And I'm asking you *again*: What can we do so that the situation
>> improves? Are you evading my question? We know that we suck in this
>> regard, emphasizing this part from your side is probably not going to
>> improve the situation.
>
> I DON'T KNOW? It's not up to me how Debian, Ubuntu and pkg-multimedia work.
>
> As already stated, nobody answered when older releases support was
> questioned.
> The 1.0-bugfix branch could be reopened for security fixes as there has not
> been any known vulnerability since 1.0.6 and 1.1.0 were released. It is
> probably too late for stability non-security fixes though, as we've let slip
> far too many of them.

Well, maybe this is too obvious, but it would really help if videolan's
security announcements would be a) more focused and b) much clearer in
future. If it was clear what patches are related to what VSA, backporting
them to earlier releases would be much easier for everyone.

The last 3 VLAs all basically said "there is a problem, please update"
without any proper classification of the severity nor what the actual
change was to fix the issue. They just point to "use the latest release",
but looking at the respective bugfix branch, I see many janitor commits
interleaved with potentially related commits.

I think the biggest problem we face here is communication. It is totally
unreasonable to expect everyone to read and follow vlc. Can you please
either be more explicit with your VSAs or perhaps create a more
specialized mailing list for such issues?

> But even then, how do you plan to upgrade from 1.0.2 to 1.0.6?

I don't understand the question. Of course by preparing an upload and
uploading it!

> Or from 1.1.x in final Maverick, to 1.1.x+{1,2,...} ? VideoLAN won't
> provide one stable tree per release! We can't afford the kernel's
> luxury time-wise.

I guess 1.0-bugfix and 1.1-bugfix branches do exist, yes? What's the
problem?

> As for 0.8.6-bugfix and 0.9-bugfix, I think it's game over for good. Hence,
> Lenny, Hardy and Jaunty should probably drop VLC altogether.

Noted, thanks, let's see what the Debian security team thinks about this.
The packages themselves are still usable, so removing them might be a bit
too aggressive. Doing a proper EOL via security announcement channels
seems more appropriate to me, or am I missing something?

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers