Mentioning security updates in changelogs
01-09-2012, 06:08 AM
Post: #1
Mentioning security updates in changelogs
Dear Shark007,

Quite a lot of programs not only have updates, but also have security updates (patches), every once in a while. Common updates are optional, but security patches are essential updates. For many programs security updates are specifically mentioned in the changelog.

I haven't noticed any security updates mentioned in recent Shark007 Vista Codec Package or Windows 7 Codecs changelogs. I checked the changelogs for many old versions as they are still offered via FileHippo and also found no specific mentioning of security patches in Shark007 Vista Codec Package or Windows 7 Codecs. Although with the 30 December 2010 updates there was mentioned "this release contains important updates". I'm not sure if that meant they contained security patches.

The Shark007 codec packs are composed of repackaged components of different origins, of which I can imagine that some have essential security patches once in a while. I guess that would mean that the Shark007 codec pack updates that use those newly patched components of different origins should be considered as essential security updates as well. But in the Shark007 changelogs I can't find any mentioning of security updates, except for "this release contains important updates", perhaps. I find that slightly worrying.

Could you tell me, please, if some of the many Shark007 codec pack updates should actually be considered as essential security updates? If so, would you be so kind to specifically mention those as such in the changelogs?

I think the Shark007 codec packs are wonderful. They offer a solution that I like much better than using media players like VLC media player or GOM Player, for instance, as those players quite often have serious security problems (currently two unpatched vulnerabilities in VLC media player and one in GOM player) and uninstalling VLC media player can be problematic as it integrates into WMP core components. But the lack of information about which Shark007 codec pack updates should be considered as security updates, that worries me. When I avoid media players like VLC media player and GOM Player for security reasons, I want to be sure my Shark007 codec pack is safe, and when there is a security update I need to know.

Of course I could update the Shark007 codec pack with any new update you offer :-) But as you offer updates very frequently, on average more than once a week, that would be a bit much, and usually not essential for non-security updates. I would very much appreciate if you would specifically mention security updates in the Shark007 codec pack changelogs, so that users can be aware of updates that should be considered as essential.

Thank you very much and best regards,
Spiff
01-09-2012, 06:59 AM
Post: #2
RE: Mentioning security updates in changelogs
I'm sorry to hear that you are so insecure.

My changelogs are what they are, and I'm sorry if that does not satisfy you. I am just a man. I am not a consortium of people or a company. I share my software, for free, with those that wish to use it.

BTW, I have been using computers since the 70's and I cannot think of a single security update that was ever released for a 'codec'.
01-09-2012, 08:24 AM
(This post was last modified: 01-09-2012 08:38 AM by Spiff.)
Post: #3
RE: Mentioning security updates in changelogs
Dear Shark007,

Thank you very much for your reply. And rest assured, I'm not insecure, I just like safe computing. But I'm definitely not an expert in codecs, like you are. I know very little about codecs and whether codecs or codec packs could in some way cause any vulnerabilities. I'm very happy to read that you cannot think of a single security update that was ever released for a codec. That's reassuring, thanks :-)

The only 'incident' that I know of, is with K-Lite Codec Pack and ffdshow in November 2008.
http://secunia.com/advisories/32881/
http://secunia.com/advisories/32846/

Also there are quite frequently security updates for FFmpeg, but I don't know if the ffmpeg.dll that is present in the Shark007 Vista Codec Package (I don't know about the Windows 7 Codecs) has any relation with the things that are updated with the FFmpeg security updates.
http://ffmpeg.org/
http://secunia.com/community/advisories/...rch=FFmpeg

You wrote, "I am just a man. I am not a consortium of people or a company." I know. And I understand you can't do more than the great job you're doing. And I thank you for sharing your software.

The only thing that I'd like to suggest is that when you ever notice that some component that you use for the Shark007 codec packs has been updated because of a vulnerability, you'd mention that Shark007 update as a security update, if you think that's a wise thing to do. But of course, if you never find any component that you use that has been updated because of a vulnerability, that's even better :-)

Thanks very much, once more, and best regards,
Spiff
01-16-2012, 09:09 AM
Post: #4
RE: Mentioning security updates in changelogs
In my previous post I mentioned one example of a codec related security issue, K-Lite Codec Pack and ffdshow in November 2008. And also, I mentioned the frequent security updates released for FFmpeg and how I can't tell whether the FFmpeg code that is used with the Shark007 codec packs has any relation with the things that are updated with the FFmpeg security updates.

Here are three more examples of rather recent codec related security issues that I noticed, three Microsoft codec vulnerabilities that were detected and patched in 2010:

- Vulnerability in Microsoft MPEG Layer-3 Codecs
  http://technet.microsoft.com/en-us/secur...n/MS10-052
  http://secunia.com/advisories/40934/
- Vulnerability in Cinepak Codec
  http://technet.microsoft.com/en-us/secur...n/MS10-055
  http://secunia.com/advisories/40936/
- Vulnerability in MPEG-4 Codec
  http://technet.microsoft.com/en-us/secur...n/MS10-062
  http://secunia.com/advisories/41395/

I suppose those Microsoft codec vulnerabilities had no relation with any external codecs. And I don't say such incidents say anything about Shark007 software or other codec packs. But those examples do show that security updates have been issued for codec related vulnerabilities.

And also, as I pointed at earlier, the Shark007 software uses code of FFmpeg, frequent security updates are released for FFmpeg, but no security updates are mentioned in the Shark007 changelogs. I can't tell whether the FFmpeg code that is used with the Shark007 codec packs has any relation with the things that are updated with the FFmpeg security updates, but one would like to know. At least I would.

I don't say there's anything wrong with the Shark007 software, but I still think users may need more information about whether security updates that are implemented in source-software are also integrated in the Shark007 codec packs, and whether certain Shark007 updates should be considered as security updates.

I certainly don't want to annoy anyone, in particular not Shark007, but I think some discussion in this matter may be of value. I would like to invite anyone who has a constructive opinion in this matter to join the discussion.

Best regards,
Spiff
01-17-2012, 02:18 PM
Post: #5
RE: Mentioning security updates in changelogs