VLC hasn't had a release tag in years, while the version on F-Droid is over a year old, but not that old.
Do you just take a random Git commit? I would ask the VLC devs to make a release tag of at least some point release, as VLC is in active development.
Would be pretty important to get a newer version I think.
MPV meanwhile has a lot of updates, but it is very minimal.
darren
August 20, 2024, 10:52pm
2
That one is also a year old. May just be their release cycle?
darren
August 21, 2024, 12:50am
4
It's the most recent official thing I could find other than their official Android GitHub page, which has nothing under the releases tab. Hopefully they will wake up soon. If you are worried about vulnerabilities I’d say just uninstall and stick with MPV.
linsui
August 21, 2024, 2:23am
5
The last stable version in Tags · VideoLAN / VLC-Android · GitLab is 3.5.4 which is available on F-Droid. No idea what you mean.
That version is 1 year old.
Hey, I made an account to ask you, why are there no new release tags? The release on F-Droid, as well as on your Website, are...
This is the real answer to the problem. They publish nightly APKs but somehow bind the Play Store releases to their release schedule.
https://artifacts.videolan.org/vlc-android/nightly-arm64/
The Play Store breaks the Android security model by requiring the devs' private signing key, which is pretty absurd. But as they don't want to drop it, they prefer to do nothing?
darren
August 22, 2024, 2:21pm
7
From a security point of view, would it be better to stick with the outdated releases or switch to the latest nightly version?
The nightly has an internal updater.
This has an internal downloader, but uses the Android Session Installer (I guess) so updates only work when using the same signature.
So if the nightly introduces additional security issues, these are patched quickly.
It uses way more recent dependencies, so I would say more secure.
This is the rolling release security approach, which I prefer.
People argue that unknown security issues can be introduced, but this means that the attackers need to find really new vulnerabilities.
That in comparison to a known very old version, which has not changed in over a year.