LibreELEC and Kodi 17.2 Security Patch

  • I'm a long time Kodi user. Previously used Kodi on "android boxes". Got into raspberry pi about 1.5 months ago and LibreElec about 3 weeks ago. I love what you've done and are doing with LibreElec. I also love the fact that the raspberry pi is prone to going out of date like the "android boxes" did because the OS couldn't be updated to support newer Kodi releases.

    Thanks for being on top of this LibreElec. Cheers and best wishes.

  • Just chiming in to remind people that Libreelec devs are doing this for free, in their free time. I don't think that "patch this now, my system is vulnerable! YOU HAVE THE OBLIGATION TO DO SO!"-attitude is respectful.

    Disable automatic subtitle downloading and you will be fine. Manually download subtitles from respected uploaders for now.

  • It's rude to suggest users build it themselves while you yourself know how hard it is for an inexperienced user to build. Team LibreELEC and Team Kodi need to care more about security issues. For now it's like: "I don't care about your issues, take care of it yourself!". Remember you have a responsibility.

    What do you mean they have a responsibility? The LE team stated that they were waiting for 17.3 which was just around the corner. Are you saying they have a responsibility to fix it faster than say 24 hours? You're forgetting that they are a small team doing this for FREE, in their spare time. Nobody said they weren't going to fix it, or that they didn't care. I have not seen any text on their website promising security updates faster than 24h.

    I'm also curious how you find it rude to suggest building? I disagree that it's so hard, simply building it is extremely easy. Knowing how to update the kodi package.mk with the correct githash might be a challenge for a novice, but I'm sure if someone were to create a thread asking how to do this they would get help. It's an open source project. They are friendly to others submitting PR's and participating. You are getting this wonderful product for FREE. I find it very disrespectful for you to call them rude. If you can do a better job, why aren't you?

    Note that although my tag says developer, I'm not a member of the team. My thoughts on this are mine alone.

  • ... building? I disagree that it's so hard, simply building it is extremely easy.

    Could be. But for some users it takes days to build :)

    It would be much easier to just prepare devel builds without warranty for people who really need such fixes asap. Or at least they think they need.

  • What do you mean they have a responsibility? The LE team stated that they were waiting for 17.3 which was just around the corner. Are you saying they have a responsibility to fix it faster than say 24 hours? You're forgetting that they are a small team doing this for FREE, in their spare time. Nobody said they weren't going to fix it, or that they didn't care. I have not seen any text on their website promising security updates faster than 24h.

    I'm also curious how you find it rude to suggest building? I disagree that it's so hard, simply building it is extremely easy. Knowing how to update the kodi package.mk with the correct githash might be a challenge for a novice, but I'm sure if someone were to create a thread asking how to do this they would get help. It's an open source project. They are friendly to others submitting PR's and participating. You are getting this wonderful product for FREE. I find it very disrespectful for you to call them rude. If you can do a better job, why aren't you?

    Note that although my tag says developer, I'm not a member of the team. My thoughts on this are mine alone.

    I have no issue with the 24 hours. I think it's being handled very professionally and fast. I just don't like the attitude: "Go fix it yourself". You assume everyone knows how to fix it, which is not true. You are saying it yourself it's an easy fix, so what do you want me to do?? I'm not in charge to release any official builds.

    I still think it's the responsibility of the "Project" (not the individual developers) to care about users' security. People are concerned and we should not start to use the same attitude as Team Kodi towards users.

  • vpeter

    Would probably be nice to have, I agree. But demanding it and calling people rude if you don't get it would be inappropriate.

    GDPR-1

    Nobody said that, it was stated 17.3 was on the way and one (rude) user was informed that building was a possibility. If this was a closed source product the user would have no such option. The "go fix it yourself" attitude you talk about was simply offered to someone who was not happy with the FREE work being done.

    Edited 2 times, last by escalade (May 26, 2017 at 8:23 AM).

  • I'm just saying that even though the work is done for FREE the project has a responsibility towards users even if they are rude and demand a faster fix. Test builds already exist for a couple of days. Wouldn't it be better to just give those users a test build?

    I don't like rude demands myself but I still can understand the frustration. After all, the issue was fixed, PR'd 28 days ago and merged 15 days ago in Kodi:

    Merge pull request #12024 from Rechi/zipTraversalKrypton · xbmc/xbmc@089bed6 · GitHub
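As an added illustration (not code from this thread, Kodi or LibreELEC) of the bug class the linked zipTraversalKrypton pull request addresses, assuming from its name that it concerns archive entries escaping the extraction directory: a subtitle-archive extractor that validates every member name before writing it, run over a constructed sample archive.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def build_sample_zip() -> bytes:
    """Constructed sample: two legitimate subtitle entries plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("movie.srt", "1\n00:00:01,000 --> 00:00:02,000\nHello\n")
        zf.writestr("sub/nested.srt", "1\n00:00:03,000 --> 00:00:04,000\nHi\n")
        zf.writestr("../../escaped.txt", "must never be written")
    return buf.getvalue()


def is_safe_member(name: str, dest: Path) -> bool:
    """Accept only relative names without '..' that resolve to a path inside dest."""
    p = PurePosixPath(name)
    if not name or p.is_absolute() or ".." in p.parts:
        return False
    # resolve() also catches a symlink inside dest pointing elsewhere
    target = (dest / Path(*p.parts)).resolve()
    return target == dest.resolve() or dest.resolve() in target.parents


def safe_extract(zip_bytes: bytes, dest: Path):
    """Extract validated entries under dest; return (written, rejected) member names."""
    written, rejected = [], []
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)
                continue
            target = dest / Path(*PurePosixPath(info.filename).parts)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected


def run_demo():
    """Extract the sample into a fresh temp dir; report whether all writes stayed inside."""
    root = Path(tempfile.mkdtemp())
    written, rejected = safe_extract(build_sample_zip(), root / "subs")
    all_inside = all((root / "subs" / name).is_file() for name in written)
    return written, rejected, all_inside
```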

  • Although they might have a responsibility (which they have already taken care of by working on a new version), they do not IMO have a responsibility to do it faster.

    15 days, 28 days, so? They are still a small team, and considerations need to be taken when doing releases for thousands of users. Sure they can improve (and I'm guessing they will), but demands have no place in an open source project, nobody owes you anything.

    • Official Post

    I think our userbase is already a little spoiled. Like students in a class, they are testing the (new) teacher.

    As far as bug fixing goes, Kodi / LE plus others have responded very quickly overall. I can think of certain bugs or vulnerabilities in operating systems that took even years to get noticed and fixed.

    LibreELEC 8.0.2 has been announced, so off you all go to the download section(s). :)

  • I think this issue was a little overblown, it was dealt with quickly and afaik there were no reports of active exploits in the wild (just a proof of concept by a researcher).

    However in the future I think Kodi is going to be a big target for malware attacks. Security is something users and devs should both keep in the forefront of their minds.