
What you claim is in contradiction with what eps claims at https://news.ycombinator.com/item?id=18948449

I don't know who is right, but you claim the update needs to be signed, while eps says that it also allows the update to be signed by a key retrieved over insecure HTTP, which of course can be MitM'ed. I guess the threat model includes malicious ISPs / governments, so as a user you want a clear delineation of responsibility, and have VLC either 1) use a backup master key to sign the signing key, so if the signing key is compromised a new key can be issued from an airgapped system, or 2) insist VLC retrieve the second key over HTTPS. I would prefer 1) though...
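Option 1) above, as an added example that is not part of the thread or of VLC's own updater: the client pins an offline master public key and accepts a fetched signing key only if the master key has signed it, so a signing key substituted on an insecure HTTP fetch is rejected even though the update itself carries a valid signature from that substituted key. The struct and function names are assumptions, and all keys are generated inline for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SigningKeyBundle is what the updater fetches (possibly over plain HTTP): the
// update-signing public key plus the offline master key's signature over it.
type SigningKeyBundle struct {
	SigningPub ed25519.PublicKey
	MasterSig  []byte
}

// VerifyUpdate accepts an update only if the fetched signing key is endorsed
// by the pinned master key AND the update is signed by that signing key.
// A bundle swapped in transit fails the first check regardless of the second.
func VerifyUpdate(masterPub ed25519.PublicKey, b SigningKeyBundle, update, sig []byte) error {
	if len(b.SigningPub) != ed25519.PublicKeySize {
		return errors.New("malformed signing key")
	}
	if !ed25519.Verify(masterPub, b.SigningPub, b.MasterSig) {
		return errors.New("signing key not endorsed by master key")
	}
	if !ed25519.Verify(b.SigningPub, update, sig) {
		return errors.New("update signature invalid")
	}
	return nil
}

// Demo generates a master key and an endorsed signing key (constructed, not
// VLC's), then checks that a genuine update passes and that a substituted
// bundle carrying an attacker-controlled, self-endorsed key is rejected.
func Demo() (genuineOK, swappedRejected bool) {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	signPub, signPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	update := []byte("update payload (constructed sample)")
	good := SigningKeyBundle{SigningPub: signPub, MasterSig: ed25519.Sign(masterPriv, signPub)}
	genuineOK = VerifyUpdate(masterPub, good, update, ed25519.Sign(signPriv, update)) == nil
	rogue := SigningKeyBundle{SigningPub: roguePub, MasterSig: ed25519.Sign(roguePriv, roguePub)}
	swappedRejected = VerifyUpdate(masterPub, rogue, update, ed25519.Sign(roguePriv, update)) != nil
	return
}

func main() {
	ok, rejected := Demo()
	fmt.Println("genuine accepted:", ok, "swapped key rejected:", rejected)
}
```

The master private key never appears in the client; only its public half is pinned, which is what lets a compromised signing key be replaced from an airgapped machine without shipping a new client.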

> I don't know who is right

Hm... we have one of the software authors and a random bystander arguing about the code? I know who I would bet on.

(Note that if it were a political question, then yes, the opinions of any random bystander are potentially as valuable as the software authors'. But it is not. I need to see specific evidence before trusting random strangers.)
