[pulseaudio-discuss] Example using async API

Jeremy Visser jeremy at visser.name
Wed Oct 7 01:01:55 PDT 2009


On Tue, 2009-10-06 at 00:37 +0200, Lennart Poettering wrote:
> If you are a user then you should use the PA version that is shipped
> with your distro. If you want a newer version, then upgrade your
> distro. If you are a developer who writes third party apps then you
> should stick to a released distro, too. But of course you should
> really make sure to run the latest one.

You know as well as I do that not everybody can run the latest
bleeding-edge distro. The reasons are the same as why you would not
recommend end-users make everyday use of the git version of Pulse.

My main concern is that of security, which is the main scenario where
you would want to update to a recent version of Pulse in a "stable"
environment. PulseAudio has not been free of security issues, and yet I
don't know of any "security-only" releases. (Please correct me if I am
wrong.)

If a security issue is discovered in Pulse, affecting several of the
latest versions, and a new version is released to correct the security
hole (as of the time of writing, that would be 0.9.19.1 or 0.9.20), then
what should those running stable distros do?

Obviously we can't update system libraries such as udev, BlueZ, etc.
when we just want the security fix. At the same time, Pulse's current
attitude towards dependencies means running the latest Pulse on the
system without upgrading much of the core will be problematic.

To say that...

On Mon, 2009-10-05 at 23:04 +0200, Lennart Poettering wrote:
> PA is pretty tightly integrated into the system. Consider it part of
> the OS itself. So it is only feasible to update the entire OS or
> nothing at all.

...does not address the security implications of not updating, in which
not updating would lead to compromised systems (e.g. if an Adobe Flash
animation could exploit PulseAudio by playing the audio of a Vista
install disc backwards).

Is there a "best practice" or other tip you can give us to prepare for
these situations in which we really do need to upgrade?

Cheers,
Jeremy.



