VLC Update Password

[v-l-c-l-v]

Hello!
Why does the VLC 2.1.4 Update ask for a password?
I do not recall any update asking for a password before.
Cheers!

[fkuehne]

VLC never asks for passwords unless you open protected streams.

However, is it possible that you installed with a different user account or that you were not logged in to your admin account while installing the update?

[v-l-c-l-v]

Strange.
Checked for updates, was logged in as admin, as usual.
Left the Password request field blank.
Update proceeded and was successful.

[masonbrown]

Same deal here... Said yes to the update notification, then got a prompt saying "This update is locked with a password". Since I didn't have a password, I hit "Cancel". Then it went ahead and showed the Ready to Install window with the Install and Relaunch button which kicked off some weird "Finish Installation" app with a strange blue bubble icon that ran for about 20 seconds before relaunching the updated VLC.

Weird stuff that makes me a bit uncomfortable since this is noticeably different than the previous several years worth of updates but isn't mentioned in the release notes at all...

-Mason

[DeRaaf]

Same here. What's the deal? Is this a legit update or some "hacked" update?

[fkuehne]

Hello,

Let me explain what's going on here:

VLC 2.1.3 includes a new version of the internal updater, which solves a few minor bugs and allows us to prevent the "hey, I found an update" dialog from appearing during video playback. It includes an optimized version of the small app handling the replacement of the existing version with the new one. That's the blue icon appearing for a second or two (this icon is actually sparkle's icon, which the framework we are using).

When installing a new version, we are downloading and verifying the same disk-image as available from www.videolan.org. Apparently, this new version of Sparkle adds support for password-protected disk-images. While this is kind of useful, the password dialog is triggered for a small number of users in case the disk-image is not attached in time (aka "if it fails to attach, it must be password protected!" Right..). We'll remove this dialog in VLC's next update to prevent the confusion it caused. However, this fix will be part of 2.1.5 so the password dialog might also appear when updating the now current 2.1.4 version.

I hope this answers your questions.

Regarding compromised updates, note that there is a verification mechanism built-in to current releases. Only updates signed with our private key will ever be accepted. And it's very unlikely for a man-in-the-middle to get hold of that key, since it is stored on a Mac without Internet access.

[masonbrown]

Thanks for the explanation, Felix. It makes perfect sense after reading your description of what's going on. I guess I've just been working with computers far too long and have become overly paranoid of changes, particularly with a product that's been so consistent for so long.

Love VLC, have used it for years, and definitely appreciate the effort y'all put forth as well as your willingness to help put users' minds at ease by taking time to answer these forum posts!

-Mason

[jadik]

FYI, I just used the update facility on my MacBook w/Mavericks 10.9.4, upgrading from VLC v2.14. It appears this unexpected password-request behavior is still present. Felix, I appreciate your explanation, and I understand the challenges that are present. I must admit, however, that such a password request without any explanation is rather suspect. Had I not stumbled across this article & your explanation, I likely would have abandoned the update.

I certainly appreciate the efforts of you and your colleagues. Hopefully you will be able to address this glitch in the next release!
-Jadik

[eduka7]

Strange...

Today 29 jul I installed 2.1.5 update and still asking for a password...before installation...

Strange...

[kdean]

From Felix's post above: "this fix will be part of 2.1.5 so the password dialog might also appear when updating the now current 2.1.4 version."

[Pla Fundum]

@kdean:

Well, I just updated to 2.1.5 in iMac / Mavericks, and I also got the strange question. Recently I also updated a MacBook, that did NOT present the password thing.

So my paranoia also woke up.

[kdean]

Yes, upgrading to 2.1.5 can have the issue because you're still using 2.1.4 at the time. Upgrading after 2.1.5 shouldn't have the issue.

[captain]

Ah. Well, we'll find out if this got fixed when the 2.1.6 version comes out....

[Thorz]

I found this issue today when updating on the Mac from 2.1.4 (I think) to 2.2.1. I had never seen this before on Mac or Windows.
I pressed Cancel to the prompt and got the usual Install and Relaunch box. The program updated itself to 2.2.1 without problems.

Still thinks this was weird and can scare a good bunch of users I think

[dfuhrmann]

Yes, VLC 2.1.4 is the version with the faulty updater.

[sil-ber]

Just tried to update VLC player 2.1.5 (latest OS X 10.10) to the latest version and got asked this question as well regarding the locked update.

After some searching I found out, that in Sparkle version 1.6.1 this 'feature' has been removed:

https://github.com/sparkle-project/Spar ... /CHANGELOG

# 1.6.1
* Removed archive password prompt (Kornel Lesiński)
[...]

But as I can see VLC player version 2.1.5 still has Sparkle 1.5 beta implemented. Even the most up to date VLC player 2.2.2 comes only with Sparkle 1.6. And the most up to date (and secure) version of Sparkle seems to be 1.13.1 and newer. Or am I wrong?

So is it correct, that this password question during the update still can happen today?

[fkuehne]

No, we use a custom built patches version of Sparkle 1.6.1, at least since 2.2.x, maybe even before (I don't really remember).

Update: we started using Sparkle 1.6.1 on Aug 18 2014, so any older release is possibly affected by this password-bug. As you found out, this includes version 2.1.5, which was released on Jul 26 2014.

[sil-ber]

Okay, thank you for clarification! Appreciate it

so this password-prompt is kind of justified during this particular update...