[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#682010: [mumble] Communication failures due to CELT codec library removal

Package: tech-ctte
Severity: normal

Greetings to the technical committee.

This refers to Bug #675971 (which is severity grave, and currently closed)
against the Mumble VoIP package, which is also affected by Bug #674650
concerning the removal of the CELT library.  This evening we also just
discovered the existence of Bug #674634 which concerns the CELT library
removal as well, and which may have more of the technical story.

Summary of the technical dispute

Point of view of bug reporters (text via collaboration of two reporters):


- Mumble upstream uses and requires a particular baseline audio codec
  (CELT 0.7.1, a fairly old version), the availability of which is a
  base assumption used by most Mumble servers.

- CELT's upstream has a planned transition to the standardized Opus
  codec, and Mumble plans to follow suit, but that transition won't
  complete until all clients and servers support Opus, and that will take
  a while.  (Also, current upstream support for Opus remains a work in
  progress, and they don't have a released version with non-buggy
  support for Opus yet; the current version in Debian has some
  cherry-picked patches from upstream's VCS, but that doesn't help
  non-Debian users.)

- CELT audio Codec library has been removed from Debian by the maintainer,
  which with Mumble today is causing audio to fail outright for many public
  servers as well as several prior versions of mumble-server from Debian.
  [This has also been a problem for several other audio packages and

- On newer Mumble server versions, the audio connection fails if another
  client connects that requires using CELT, because all connected clients
  require using a common Codec.

- The newest -2 upload contains this issue.  [Mentioned because the
  maintainer reported that the -2 upload fixes the bug.]

- There is no warning in the NEWS.Debian file to warn users of the
  package that only the Opus Codec is usable and how that impacts the
  usability of the package

- The bug is repeatedly being closed by the maintainer if it was fixed,
  without discussion.  [Josh Triplett has since tagged the bug "wontfix",
  which is at least an improvement, but this RC-level bug remains closed
  as is being forced by the maintainer, which will presumably allow the -2
  package with this issue to migrate to Wheezy and release with Stable.]


- From the point of view of the bug reporters, what we want is a
  package that inter-operates with other Mumble clients and servers,
  if possible.  To do this today would require reintroducing the celt
  source package again, which is rumored to have potential security issues.
  [We have not seen any details on this yet.]

  Note: this evening we think we have found a security expert who is
  willing to audit the CELT 0.7.1 codec for issues and possibly provide
  patches, assuming this is reasonably feasible.

- Assuming an inter-operable package is not possible, as a backup what
  we want is for the bug to be handled correctly in some way, and that
  users of the package have an opportunity to be notified of what
  limitations the package has.

  Possible options:

- Leave mumble out of testing and wheezy, keep it in either unstable
  or experimental (as we would for any client-server software with an
  unstable protocol that we can't support for the lifetime of a stable
  release), reintroduce CELT library for use with Mumble with security
  warnings in the description and NEWS.Debian concerning potential issues.

- Let mumble 1.2.3-349-g315b5f5-2 migrate to testing and release with
  wheezy without the CELT library, with compatibility warnings in
  NEWS.Debian. Possibly reintroduce (or at least allow the use of) a CELT
  codec library for Mumble in Unstable or Experimental which could allow
  users to use the CELT codec library with Mumble, with a warning in
  NEWS.Debian for the celt package to warn of potential issues.

- Similar to the item above, but with the CELT library in an external

- Some other alternative we haven't thought of.

Point of view of the maintainer (as understood by reporters thus far, as
  no reply was given in several days in query for this summary):

- Someone the maintainer trusts said the CELT library contains code that
  could potentially be a crash vulnerability, among other unfixed issues

- Nobody is committing to maintaining and taking responsibility for celt
  0.7.1, or has sufficient spare time and/or the requisite knowledge to
  fully investigate this further.

- It was decided to remove the CELT library as to not burden the security
  team, and it has been an effort to get the library removed

- The mumble client that we currently have will only inter-operate with
  clients that have Opus support

- Upstream is eventually planning on dropping CELT anyway

- This isn't a bug, so it should be closed, and there is no need to warn
  users of the package


I've subscribed to the tech-ctte mailing list, so I don't need to be CCed.
We're prepared to accept any possible outcome the TC deems appropriate.


  -- Chris

Chris Knadle
GPG Key: 4096R/0x1E759A726A9FDD74

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: