[vlc-devel] Debian/Ubuntu VLC

Reinhard Tartler siretart at tauware.de
Sun Jul 18 14:56:16 UTC 2010


On Sun, Jul 18, 2010 at 13:25:30 (CEST), Rémi Denis-Courmont wrote:

> Le dimanche 18 juillet 2010 12:00:47 Reinhard Tartler, vous avez écrit :
>> >> So this piece of information is pretty useless for identifying
>> >> missing changes in 0.8.x.
>> > 
>> > That's not my problem (anymore). We have made about twenty releases, from
>> > four different branches since Debian Stable has last updated. The
>> > VideoLAN does not have the resources to maintain four branches at a
>> > time. But, in fact, that is irrelevant because Debian does _not_ follow
>> > our updates anyway. Otherwise they would at least have 0.8.6i. So
>> > keeping the 0.8-bugfix branch alive would have been a pure waste of
>> > time.
>> 
>> TBH, I was totally unaware of the 0.8.6i release and about its changes.
>> I've just taken a look at its gitweb:
>> 
>> http://git.videolan.org/?p=vlc/vlc-0.8.git;a=shortlog;h=refs/tags/0.8.6i
>> 
>> To me, it indeed seems to be a good idea to upload this either to
>> lenny-security or lenny-proposed.
>
> It would have been a good idea two years ago. Now is a bit late. I doubt 
> anyone will ever feel so bored that (s)he would go through the thousands of 
> changes from 0.8.6i to 1.1.0 to extract the security-relevant or whatever 
> applicable fixes.

I see.

Well, it seems to me that the 0.8.6i release is still better than what we
currently have in stable, even if it is more than 2 years old. But
anyway, I take your comment as a vote that vlc in stable should be
EOL'ed with a DSA (Debian security announcement). IIRC, something
similar has already been done with iceweasel:

http://www.debian.org/security/2009/dsa-1753

>> > I am not aware of any entity (in general) following any of the older
>> > branches, 0.8, 0.9 and 1.0. I only know:
>> > - entities not updating (at all), and
>> > - entities following the very latest version.
>> > And indeed, polls for interested parties in maintaining each of the older
>> > branches have all been left without answers this far.
>> 
>> I'm not aware of these changes you're talking about, nor of
>> these polls. What, in your opinion, should the pkg-multimedia team, or
>> if you prefer, Debian as a project, have done to be aware of those
>> changes and the polls?
>
> Don't you already have people reading vlc-devel?

vlc-devel is a really high-volume mailing list; I don't really read it.
xtophe might, but he is also upstream himself.

Short: obviously not. Is staying up-to-date with vlc-devel a requisite
for maintaining vlc properly? Xtophe, maybe you can in the future forward
such mails to our team mailing list?

>> > Canonical puts VLC in universe and washes their hands as far as support is
>> > concerned. But Debian pretends to support VLC except it does not.
>> 
>> The bottom line in both distros is the same: For both distros,
>> maintaining vlc is a community effort, and in both cases, we face the
>> similar symptoms. My hypothesis is in both cases that maintaining vlc
>> properly is too hard.
>
> The VideoLAN project maintains VLC properly as a pure community effort. 
> Contrary to Ubuntu or even indirectly Debian, we have no sponsored staff.

Irrelevant for this discussion; if this is an attempt to ask for
resources from Canonical, you're asking in the totally wrong place.

> Maintaining a fork of VLC, and in fact, the whole Linux ecosystem, has got to 
> be "too hard".

Ubuntu strictly follows Debian packaging, and in fact, only Benjamin and
I actually touch the vlc package in Ubuntu. We both also work in
pkg-multimedia. Given this common package, I wouldn't consider it to be a
"fork" in the strict sense.  However, we cannot easily follow updates in
the stable releases of both distros because of incompatible release update
policies in vlc and the distros.  But anyway, this argument really
doesn't help here.

> I doubt a dedicated "stable security team" can ever support a stable
> system for years with as many thousands packages as Debian has. If it
> were up to me, I'd decree the respective package maintainers are
> responsible for (most of the work of) stable updates.

Well, AFAIUI, many maintainers directly prepare security updates
themselves.  For vlc, this has failed in the past.

And I'm asking you *again*: What can we do so that the situation
improves? Are you evading my question? We know that we suck in this
regard; emphasizing this part from your side is probably not going to
improve the situation.


-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
