The VLC package shipped by RPMFusion is missing a chain of trust with the upstream developers. As exhaustively explained by Fabio Pietrosanti (naif) in the VLC bug report [1], upstream has the bad habit of shipping VLC over http instead of https. You should argue that you could use GPG signature verification to avoid man-in-the-middle attacks (proof of concept against VLC upstream at [2]), but actually Fedora 25 ships [3] nightly builds, which are not signed [4]. The 2.2.6 version, instead, was at least signed [5], with a self-signed certificate [6]. I also filed a bug report at [7].
[1]: https://trac.videolan.org/vlc/ticket/18472
[2]: https://github.com/drego85/Why-VLC-NEED-to-enforce-HTTPS
[3]: https://pkgs.rpmfusion.org/cgit/free/vlc.git/tree/vlc.spec?h=f25#n4
[4]: http://nightlies.videolan.org/build/source/
[5]: http://download.videolan.org/pub/videolan/vlc/2.2.6/
[6]: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x7180713BE58D1ADC
[7]: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4584

_______________________________________________
rpmfusion-developers mailing list -- [email protected]
To unsubscribe send an email to [email protected]
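A defender-side check for the trust gap described in the post, as an added example that is not code from the post, from VideoLAN or from RPMFusion: a packager verifies the source tarball's detached signature with gpg in a dedicated keyring and accepts it only when the signer's fingerprint matches a pinned one, so an unsigned nightly or a signature from some other key uploaded to a keyserver fails closed. Assumptions: EXPECTED_FPR is a placeholder whose only real part is the key ID 0x7180713BE58D1ADC from [6]; the verify_tarball paths and keyring are assumed.

```python
"""Verify a source tarball's detached GPG signature against a pinned
upstream key fingerprint, failing closed on anything but a VALIDSIG from
that key.  Added example; EXPECTED_FPR is a placeholder, not the real
VideoLAN key fingerprint."""
import subprocess
from pathlib import Path

# Placeholder: put the upstream key's full 40-hex fingerprint here. Only the
# last 16 hex digits (key ID 7180713BE58D1ADC, from the post) are real.
EXPECTED_FPR = "0000000000000000000000007180713BE58D1ADC"

def signer_fingerprints(status_text):
    """Collect fingerprints from VALIDSIG status lines.
    Fields after VALIDSIG: <sig-key-fpr> <date> <ts> <exp> <ver> <res>
    <pk-algo> <hash-algo> <class> [<primary-key-fpr>]. The primary-key
    fingerprint (field 11) is what survives signing-subkey rotation."""
    fprs = set()
    for line in status_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            fprs.add(f[2].upper())
            if len(f) >= 12:
                fprs.add(f[11].upper())
    return fprs

def verdict(status_text, expected_fpr=EXPECTED_FPR):
    """Map gpg --status-fd output to a verdict. gpg's exit code alone is
    not enough: any key in the keyring, including one uploaded to a
    keyserver by a stranger, produces a "good" signature."""
    lines = status_text.splitlines()
    if any("BADSIG" in ln for ln in lines):
        return "bad-signature"
    if any("ERRSIG" in ln or "NO_PUBKEY" in ln for ln in lines):
        return "unverifiable"
    fprs = signer_fingerprints(status_text)
    if not fprs:
        return "no-signature"
    return "ok" if expected_fpr.upper() in fprs else "wrong-key"

def verify_tarball(tarball, signature, keyring, expected_fpr=EXPECTED_FPR):
    """Verify tarball against its detached .asc using a dedicated keyring
    (assumed to hold only the pinned upstream key)."""
    if not Path(signature).is_file():
        return "no-signature"  # an unsigned nightly fails right here
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(signature), str(tarball)],
        capture_output=True, text=True)
    return verdict(proc.stdout, expected_fpr)
```

In a spec file this belongs in %prep, with the keyring shipped as a Source so that the build cannot pass when Source0 has no signature or the signer changes.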
