
Re: mumble and celt, #682010, TC



Thorvald Natvig writes ("Re: mumble and celt, #682010, TC"):
> For now, the easiest is probably to re-enable Mumble to build the
> embedded CELT, something it currently does not do. That way it is just a
> single package, and we can deal with problems as they come up.

Since Ron is listed as co-maintainer for mumble, do you feel you have
the authority to do this? I imagine Ron would object, so you would
in any case need a TC ruling to arbitrate between you.

We would have to clear this approach with the release team.

> Krautz, another Mumble developer, has some proof-of-concept code to
> sandbox CELT using seccomp. If the CELT in Mumble was stand-alone, we
> could apply this sandboxing to the local copy we have there. It is
> another of the "not ready yet" solutions, but if it is needed, it will
> be much easier to retrofit this inside Mumble itself than it would be to
> do it in a global package.

Thanks for the consideration but this is not very useful to us for
Debian wheezy.  But the Debian Security Team have said that while they
have reservations they do not consider celt upstream to be
non-release-critical.

Am I right in thinking that enabling the builtin 0.7.1 alongside the
other builtin versions of celt only makes the security situation worse
by bugs that are in 0.7.1 but in none of the other embedded versions of
celt which are currently enabled? (Which are those?)

Ian.

