Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#57670 - [vlc] dependency corrections, minor improvements

Attached to Project: Arch Linux
Opened by Siegfried Metz (NiceGuy) - Wednesday, 28 February 2018, 01:15 GMT
Last edited by Levente Polyak (anthraxx) - Wednesday, 28 February 2018, 23:48 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


Currently the PKGBUILD for vlc-3.0.0-2 has a few unnecessary dependencies and configure options.

*) portaudio: got completely removed in vlc-2.1.0[1]. Also other distributions (debian, gentoo)
have no portaudio dependency in their vlc package.

*) libgcrypt: is only necessary for the update-check[2] in vlc. Since we use the configure option
--disable-update-check and we only want pacman to handle the updates anyway,
there is no need for libgcrypt.

*) libvpx, gst-plugins-base-libs: according to Debian[3] vpx and gst-decode is satisfied by ffmpeg's libavcodec.
Either get rid of --enable-vpx and --enable-gst-decode or change it to
--disable-vpx and --disable-gst-decode.

Debian made the decision to disable libtar and schroedinger for security related problems.
Schroedinger[4] got completely removed from Debian by the end of 2016 and is no longer maintained upstream.

Maybe we can disable schroedinger too.

As of now just 2 more packages (libquicktime, gst-plugins-bad) depend upon schroedinger besides vlc,
not counting ffmpeg2.8.

The security regarding libtar: --enable-skins2 needs --enable-libtar, so it is up to you to decide.

Also a tiny improvement in the form of a new icon size (256x256) is available and
a simple change at the end of the PKGBUILD in the package() phase is enough:

for res in 16 32 48 128; do
for res in 16 32 48 128 256; do


Additional info:
* package version(s): >=vlc-3.0.0-2
This task depends upon

Closed by  Levente Polyak (anthraxx)
Wednesday, 28 February 2018, 23:48 GMT
Reason for closing:  Implemented
Additional comments about closing:  3.0.1-1
Comment by Levente Polyak (anthraxx) - Wednesday, 28 February 2018, 01:24 GMT
portaudio + libgcrypt: make sense
vpx + gst: don't see a reason not to provide them, nobody needs to install or use the plugins
libtar, schroedinger: can you show up security problems in terms of CVEs?
icon-size: makes sense
Comment by Siegfried Metz (NiceGuy) - Wednesday, 28 February 2018, 01:42 GMT
Thanks for your fast reply. Agreed vpx and gst as optional deps is ok.
Regarding the CVEs, let me have a look into it and I will report back to you.

At least the schroedinger bugs must have been severe enough for Debian to get rid of it.
Comment by Eli Schwartz (eschwartz) - Wednesday, 28 February 2018, 01:51 GMT
The actual Debian bug for getting rid of this is and

AFAICT the only references anywhere to the actual issue is:

> libschroedinger contains various possibly security relevant bugs (see #787957 for the tip of the iceberg).

Which of course links to

"tip of the iceberg" -- so happy to see they explained what they meant by that. And it doesn't look like Debian filed a CVE.
Comment by Siegfried Metz (NiceGuy) - Wednesday, 28 February 2018, 21:23 GMT
> At least the schroedinger bugs must have been severe enough for Debian to get rid of it.

I could not find any open security CVEs for both libtar and schroedinger. Here is what else I found.

libtar: is in a maintenance repository, ...
I understand why Debian disabled it in their vlc build even if no new CVE exists for it yet.
Maybe --disable-libtar combined with --enable-skins2 just removes vlc's ability for
certain kinds of custom skins and not all of them. I dunno for sure.

schroedinger: before a debian user [1], who reported possibly issues with libschroedinger,
disclosed his findings the whole Debian bug report got closed down.
Yeah, any disclosure intention got lost and no CVE or anything else got assigned.

Final reasons for Debian's removal of schroedinger:

- abandoned upstream with the last release in 2012 [2]
- last commit in 2013 [3]
- homepage disappearance (only launchpad left)
- Debian developers mentioned at [4] that:

> As replacement, ffmpeg has a decent dirac decoder and also a
> vc2 encoder, which is the intra-only subset of dirac that
> got standardized by the SMPTE.

> Note however that VC2 is only a subset of Dirac,
> so we'll definitely lose some (probably unimportant) functionality
> here.

ffmpeg project [5] followed them citing the same reasons and this commit message in 2017:

> The library has stopped being developed and Debian has removed it
> from its repositories citing security issues.
> The native Dirac decoder supports everything the library has and basic
> encoding support is still provided via the native vc2 (Dirac Pro, intra
> only version of Dirac) encoder. Hence, there's no reason to still support
> linking to the library and potentially leading users into security issues.

So, for the schroedinger replacement they used the ffmpeg internal provided alternatives.

The way I see it is that we either experiment and use ffmpeg as a replacement as well,
until someone complains or we keep everything as it is and maybe wait for
vlc version 3.1 or 4.0 and revalidate the situation.


Comment by Levente Polyak (anthraxx) - Wednesday, 28 February 2018, 23:46 GMT
- poartaudio, libgcrypt and schroedinger disabled
- vpx and gst will be enabled for now
- 256 icon added

- libtar will be kept enabled for now, please feel invited to create a separate issue for libtar and its security concerns so we can have a followup on it