
Bug#682010: [mumble] Communication failures due to CELT codec library removal



Package: tech-ctte
Severity: normal


Greetings to the technical committee.

This refers to Bug #675971 (which is severity grave, and currently closed)
against the Mumble VoIP package, which is also affected by Bug #674650
concerning the removal of the CELT library.  This evening we also just
discovered the existence of Bug #674634 which concerns the CELT library
removal as well, and which may have more of the technical story.


Summary of the technical dispute
================================

Point of view of bug reporters (text via collaboration of two reporters):

  Background:
  ----------

- Mumble upstream uses and requires a particular baseline audio codec
  (CELT 0.7.1, a fairly old version), the availability of which is a
  base assumption used by most Mumble servers.

- CELT's upstream has a planned transition to the standardized Opus
  codec, and Mumble plans to follow suit, but that transition won't
  complete until all clients and servers support Opus, and that will take
  a while.  (Also, current upstream support for Opus remains a work in
  progress, and they don't have a released version with non-buggy
  support for Opus yet; the current version in Debian has some
  cherry-picked patches from upstream's VCS, but that doesn't help
  non-Debian users.)

- The CELT audio Codec library has been removed from Debian by the maintainer,
  which with Mumble today is causing audio to fail outright for many public
  servers as well as several prior versions of mumble-server from Debian.
  [This has also been a problem for several other audio packages and
   maintainers.]

- On newer Mumble server versions, the audio connection fails if another
  client connects that requires using CELT, because all connected clients
  require using a common Codec.

- The newest -2 upload contains this issue.  [Mentioned because the
  maintainer reported that the -2 upload fixes the bug.]

- There is no warning in the NEWS.Debian file to warn users of the
  package that only the Opus Codec is usable and how that impacts the
  usability of the package.

- The bug is repeatedly being closed by the maintainer as if it was fixed,
  without discussion.  [Josh Triplett has since tagged the bug "wontfix",
  which is at least an improvement, but this RC-level bug remains closed,
  as is being forced by the maintainer, which will presumably allow the -2
  package with this issue to migrate to Wheezy and release with Stable.]

  Desired:
  -------

- From the point of view of the bug reporters, what we want is a
  package that inter-operates with other Mumble clients and servers,
  if possible.  To do this today would require reintroducing the celt
  source package again, which is rumored to have potential security issues.
  [We have not seen any details on this yet.]

  Note: this evening we think we have found a security expert who is
  willing to audit the CELT 0.7.1 codec for issues and possibly provide
  patches, assuming this is reasonably feasible.

- Assuming an inter-operable package is not possible, as a backup what
  we want is for the bug to be handled correctly in some way, and that
  users of the package have an opportunity to be notified of what
  limitations the package has.

  Possible options:
  ----------------

- Leave mumble out of testing and wheezy, keep it in either unstable
  or experimental (as we would for any client-server software with an
  unstable protocol that we can't support for the lifetime of a stable
  release), reintroduce CELT library for use with Mumble with security
  warnings in the description and NEWS.Debian concerning potential issues.

- Let mumble 1.2.3-349-g315b5f5-2 migrate to testing and release with
  wheezy without the CELT library, with compatibility warnings in
  NEWS.Debian. Possibly reintroduce (or at least allow the use of) a CELT
  codec library for Mumble in Unstable or Experimental which could allow
  users to use the CELT codec library with Mumble, with a warning in
  NEWS.Debian for the celt package to warn of potential issues.

- Similar to the item above, but with the CELT library in an external
  repository.

- Some other alternative we haven't thought of.



Point of view of the maintainer (as understood by reporters thus far, as
  no reply was given in several days in query for this summary):

- Someone the maintainer trusts said the CELT library contains code that
  could potentially be a crash vulnerability, among other unfixed issues

- Nobody is committing to maintaining and taking responsibility for celt
  0.7.1, or has sufficient spare time and/or the requisite knowledge to
  fully investigate this further.

- It was decided to remove the CELT library so as not to burden the security
  team, and it has been an effort to get the library removed.

- The mumble client that we currently have will only inter-operate with
  clients that have Opus support

- Upstream is eventually planning on dropping CELT anyway

- This isn't a bug, so it should be closed, and there is no need to warn
  users of the package

================================



I've subscribed to the tech-ctte mailing list, so I don't need to be CCed.
We're prepared to accept any possible outcome the TC deems appropriate.

Thanks.

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us
GPG Key: 4096R/0x1E759A726A9FDD74
