Replace GNOME Videos with a more reliable player
Security
Celluloid
History
As of 2026-01-20:
- last DSA: 2018 (mpv)
- last CVE: 2021 (in mpv, was classified as minor and not worthy of a DSA by Debian, so we wouldn't have noticed and wouldn't have done an emergency release)
But celluloid depends on libmpv2, which itself depends on a few media decoding libraries, and that's where the problems generally are. Note, however, that it pulls way fewer such libraries than Totem + the gstreamer plugins we ship.
Fake Flatpak
See #7929 (comment 276829) and !2731. This is our most promising lead so far.
AppArmor
As of early 2026, intrigeri could not find any maintained AppArmor profile for celluloid.
There's an early draft in https://forums.gentoo.org/viewtopic-t-1129785-view-previous.html?sid=4249eff23ff02a6e8e20ffb82b91e992 that could serve as a starting point, but we would still become the (upstream) maintainers of the profile.
The Firejail profile could perhaps help us not forget some necessary permissions and relevant usage patterns.
Ship it unconfined?
The most relevant question in this context is: how many emergency releases would we avoid if we do confine celluloid with AppArmor?
Looking at dependencies, in 2025, there were only 2 relevant DSA, both against ffmpeg. Almost all of the issues fixed in there were sufficiently irrelevant to Tails' use cases (e.g. in encoder code, or about super niche formats) that we would not have done an emergency release for them. One fixed issue might have deserved an emergency release (not clear how exploitable the integer overflow was, but still)… but we had a release scheduled a few days later, so in practice we would not have done an emergency release.
And in 2024, I think none of the DSA about ffmpeg would have deserved an emergency release.
So it seems the answer is: either 0 or 1 emergency release in 1 year, depending on how lucky we are with timing. That's not much, but it is likely still a bigger cost than the effort needed to implement an AppArmor profile, iterate until it copes with everything actual users throw at it, and maintain it.
Problem is, it'll take a while to iterate, and celluloid will break for some use cases until we've got it right.
Transition plan
1. Ship Celluloid unconfined as the default video player, keep GNOME Videos installed
   - Accept that for 6-12 months this creates a risk of having to do an emergency release due to a relevant DSA in ffmpeg or similar.
   - Users can fall back to GNOME Videos and report bugs if Celluloid breaks stuff. This is unlikely at this stage, but who knows, and we'll need the fallback option much more at step 3.
   - At the same time, start step 2:
2. Develop an AppArmor profile for Celluloid
   - During this phase we don't ship the profile in Tails.
   - For 6-12 months, as many people as possible, among the Tails Team + sajolida, use Celluloid as their default video player, with this AppArmor profile.
   - Questions:
     - Will this actually be enough testing, or are most of us mostly consuming streaming videos in a web browser or dedicated streaming client these days?
     - Where do we maintain this profile?
       - short term: tails/tails, for faster iteration; https://gitlab.com/apparmor/apparmor-profiles/ is mostly dead so let's not
       - longer-term: https://github.com/roddhjav/apparmor.d/ seems to be a good candidate
   - Thanks to this testing, we iterate until we're confident it does not break major use cases (caveat: we won't have tested with so many different kinds of GPUs), and then we can proceed with the next step:
3. Ship our AppArmor profile for Celluloid in Tails, enforced
   - If the AppArmor profile breaks stuff, users can fall back to Totem and report bugs.
   - Once the rate of bug reports has sufficiently slowed down, we proceed with the next step:
4. Stop shipping GNOME Videos and the packages we ship solely to make it more useful (gstreamer plugins)
   - Move our AppArmor profile to a location with collaborative maintenance and where more people can find it
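For the iteration phases of this plan (testing the profile, then enforcing it), here is an added example that is not Tails code: a small Python summarizer for AppArmor audit records of a profile assumed to be named `celluloid`. It separates complain-mode `ALLOWED` events from enforced `DENIED` ones and decodes file names that the kernel logs hex-encoded (for example paths containing spaces). The sample log lines, paths and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit records (not from a real Tails system). The profile
# name "celluloid" and all paths are assumptions made for this example.
SAMPLE_LOG = """\
audit: type=1400 audit(1768900000.101:210): apparmor="ALLOWED" operation="open" profile="celluloid" name="/home/amnesia/Videos/talk.mkv" pid=4211 comm="celluloid" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1768900000.102:211): apparmor="ALLOWED" operation="open" profile="celluloid" name="/home/amnesia/Videos/talk.mkv" pid=4211 comm="celluloid" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1768900002.310:212): apparmor="ALLOWED" operation="open" profile="celluloid" name=2F746D702F6D792066696C6D2E6D6B76 pid=4211 comm="celluloid" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1768900003.870:213): apparmor="DENIED" operation="open" profile="celluloid" name="/dev/dri/renderD128" pid=4211 comm="celluloid" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
audit: type=1400 audit(1768900004.002:214): apparmor="DENIED" operation="open" profile="totem" name="/etc/passwd" pid=4300 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    rec = {}
    for key, quoted, bare in KV.findall(line):
        rec[key] = quoted
        if bare:  # unquoted: a number, or a hex-encoded string
            rec[key] = bare
            if key == "name":  # paths with spaces etc. are logged as hex
                try:
                    rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
                except ValueError:
                    pass
    return rec

def summarize(log_text, profile="celluloid"):
    """Count events per (verdict, operation, path, mask) for one profile."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("profile") == profile:
            counts[(rec["apparmor"], rec.get("operation", "?"),
                    rec.get("name", "?"), rec.get("denied_mask", "?"))] += 1
    return counts

def enforced_breakage(summary):
    """Paths blocked for real (DENIED), as opposed to complain-mode ALLOWED."""
    return sorted({name for verdict, _, name, _ in summary if verdict == "DENIED"})

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```
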
Original report
Originally created by @donis on #7929 (Redmine)
Hi,
I would like, since a long time, to see vlc included in Tails.
Here are the main reasons why:
- vlc handles subtitles in a better way. For example, it’s not possible with totem to re-synchronize subtitles.
- some videos that are not browsable with totem and are only working with vlc
- see also the request #7923 (closed) by johnsmith (btw, thank you johnsmith, I was thinking to request vlc since a long time)
- vlc answers the requirements listed in the FAQ
- vlc is powerful and well known by common users, which is good for Tails usability
Potential cons:
- One could use package persistence. But it’s not so secure to activate and leave the persistence opened just for friends who want to watch a movie.
- vlc comes with some network features, but AFAIK, Tails does not use transparent proxy anymore, so connections should be blocked.
- vlc requires 57,0 Mo once installed, even with the option --no-install-recommends
Thank you for considering this request,
all the best
donis