by ting0 72 days ago
Has anyone ever done a proper security audit of VLC that is downloaded from the web? I don't trust it, and the fact that their releases on GitHub don't include binaries makes me trust it even less. Nobody is compiling VLC from source, and they don't provide any sort of provenance from the GH Actions pipeline.
3 comments

You can find all binaries, including the ones for iOS and Android, on our website, signed by the core developers. Whether you trust us is totally up to you. GitHub is used as a mirror only, as we run our own infrastructure, so quite obviously we are not using the GitHub release process.
All Linux distros build VLC from source.
This seems utterly pointless to worry about. You're fucked either way if you trust VLC.
Care to elaborate?
Look at the supported formats list. It includes so many parsers, mostly written in C, which means there are probably a few dozen ways to exploit the player.
It's downright trivial to hide a backdoor in a codebase like this.
Can you tell us about any prior or active incidents like that though?

That is, I'm calling you out for fearmongering, for a possible what-if, but given how popular VLC is you'd think it would've happened / is actively happening already. And there is no evidence for that.