Well, it seems to happen. For example, if you get an infected file from a friend by mail. But VLC was just a (prominent) example. Obviously many other packages are also (potentially) affected.



As said in another post, the risk is probably manageable for the time being. My point was that Canonical basically promises a "set and forget for the next 5 years" approach, but that promise is only valid for a limited number of packages, and most users are not really aware of that. In other words, a divergence between ambitions and reality. If I choose an LTS distro, I expect that known vulnerabilities will be fixed until the end of life of that release. It's that simple.