Bug 509619

Summary: Review Request: srtp - Secure Real-Time Transport Protocol (SRTP) Library
Product: [Fedora] Fedora
Reporter: Itamar Reis Peixoto <itamar>
Component: Package Review
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: alekcejk, fedora-package-review, herrold, jeff, lemenkov, notting, rpandit, tcallawa
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-11-01 21:41:06 UTC
Bug Blocks: 201449

Description Itamar Reis Peixoto 2009-07-04 06:19:19 UTC
Spec URL: http://ispbrasil.com.br/srtp/srtp.spec
SRPM URL: http://ispbrasil.com.br/srtp/srtp-1.4.2-1.fc11.src.rpm
Description: 

The libSRTP library is an open source implementation of the Secure
Real-time Transport Protocol (SRTP) originally authored by Cisco
Systems, Inc.

SRTP is a security profile for RTP that adds confidentiality, message
authentication, and replay protection to that protocol. It is specified
in RFC 3711. More information about the SRTP protocol itself can be
found on the Secure RTP page.

Author:
--------
    David A. McGrew <mcgrew>, Cisco Systems, Inc.





l@@k -> 

http://www.callweaver.org/wiki/TCP+TLS+SRTP
https://issues.asterisk.org/view.php?id=5413


koji scratch build
http://koji.fedoraproject.org/koji/taskinfo?taskID=1453779

Comment 1 Jason Tibbitts 2009-07-11 05:54:34 UTC
It really helps if you could run rpmlint on your packages and address the output before you submit them for review.

  srtp-debuginfo.x86_64: E: empty-debuginfo-package
You should disable the debuginfo package if you don't create a main package.

  srtp-devel.x86_64: W: wrong-file-end-of-line-encoding
   /usr/share/doc/srtp-devel-1.4.2/draft-irtf-cfrg-icm-00.txt
This needs to be run through tr -d \\r or dos2unix to fix up the line endings.

In addition, I feel significant unease at a security sensitive network protocol being available only as a static library.  If a security issue is found, everything that linked against it will need to be rebuilt.  At least one distro seems to build this as a shared library:
http://www.mail-archive.com/pld-cvs-commit@lists.pld-linux.org/msg58219.html

Also, version 1.4.4 seems to be current, while you've packaged 1.4.2.

Comment 2 Itamar Reis Peixoto 2009-07-13 03:35:27 UTC
Hi, I have ported the patch from PLD Linux to version 1.4.4 and sent it upstream; waiting for an answer about it.

Comment 3 Itamar Reis Peixoto 2009-08-11 19:43:20 UTC
Updated files here, still no answer from upstream.

http://itamarjp.fedorapeople.org/srtp/srtp.spec
http://itamarjp.fedorapeople.org/srtp/srtp-1.4.4-1.fc12.src.rpm

Comment 4 Jeffrey C. Ollie 2009-11-02 20:10:16 UTC
A couple of comments,

1) Asterisk won't have SRTP support until version 1.8, which won't be available for a very long time.

2) The SRTP library appears to be abandoned by upstream.  Do we really want to add another package with no upstream development?  Perhaps the Asterisk, CallWeaver, FreeSwitch, etc. developers should get together and restart upstream development.

Comment 5 nucleo 2010-03-05 18:22:47 UTC
Some comments about srtp.spec.

1. Versioned shared libraries libsrtp.so.0, libsrtp.so.0.0.0 should not be in -devel. They should be in the main srtp package.

See http://fedoraproject.org/wiki/Packaging/Guidelines#Devel_Packages

2. The main srtp package should contain a description. But the -devel and -static packages can have a description like "Development files for %{name}." or "Static files for %{name}." I think that the author name should not be in the description, because a short description of the package should be there.

See http://fedoraproject.org/wiki/Packaging/Guidelines#Summary_and_description

3. Libtool archive libsrtp.la files should not be included.

See http://fedoraproject.org/wiki/Packaging/Guidelines#Packaging_Static_Libraries

4. I think that library versions libsrtp.so.1 and libsrtp.so.1.0.0 (or maybe libsrtp.so.1.4.4) would be more convenient.
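
Added example, not part of any comment in this thread and not the packager's own tooling: a shell check that audits the files of one subpackage for three of the points raised in Comments 1 and 5 (CRLF line endings in text docs, libtool archives, versioned shared libraries in -devel). The function names, the finding labels and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# audit_payload DIR SUBPKG: DIR holds the files one subpackage would install
# (hypothetical layout). Prints one finding per line; labels are made up here.
audit_payload() {
    dir=$1 subpkg=$2
    cr=$(printf '\r')
    find "$dir" \( -type f -o -type l \) | sort | while IFS= read -r f; do
        rel=${f#"$dir"}
        case $rel in
            *.la)   # libtool archives should not be shipped at all
                echo "$subpkg: libtool-archive $rel" ;;
            *.so.[0-9]*)   # versioned libs belong in the main package
                if [ "$subpkg" = devel ]; then
                    echo "$subpkg: versioned-lib-in-devel $rel"
                fi ;;
            *.txt)  # a carriage return means DOS line endings
                if grep -q "$cr" "$f"; then
                    echo "$subpkg: crlf-line-endings $rel"
                fi ;;
        esac
    done
}

# Constructed sample: a -devel payload resembling the layout criticised above.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib64" "$root/usr/share/doc/srtp-devel"
    : > "$root/usr/lib64/libsrtp.so.0.0.0"
    ln -s libsrtp.so.0.0.0 "$root/usr/lib64/libsrtp.so.0"
    ln -s libsrtp.so.0.0.0 "$root/usr/lib64/libsrtp.so"
    : > "$root/usr/lib64/libsrtp.la"
    printf 'line one\r\nline two\r\n' > "$root/usr/share/doc/srtp-devel/draft.txt"
    printf 'clean\n' > "$root/usr/share/doc/srtp-devel/README.txt"
    echo "$root"
}

sample=$(make_sample)
audit_payload "$sample" devel
rm -rf "$sample"
```

The unversioned `libsrtp.so` symlink is not flagged, since that is the file a -devel package is expected to carry.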

Comment 6 Rakesh Pandit 2010-05-17 07:51:14 UTC
Hi Itamar,

Any updates here about Comment #4 and Comment #5?

Regards,
Rakesh Pandit

Comment 7 Rakesh Pandit 2010-05-24 04:09:28 UTC
There hasn't been an update in a month, and I pinged last week. In case there is no update in another week, I will close this as deferred.

Thanks,

Comment 8 Jeffrey C. Ollie 2010-08-02 15:36:35 UTC
What's the status of this package?  I'm starting to try and get Asterisk 1.8 built for rawhide now that F-14 has been branched off and it would be nice to enable the SRTP support.

Comment 9 Itamar Reis Peixoto 2010-08-02 16:49:01 UTC
(In reply to comment #8)
> What's the status of this package?  I'm starting to try and get Asterisk 1.8
> built for rawhide now that F-14 has been branched off and it would be nice to
> enable the SRTP support.    

Jeffrey, would you like to continue this review request?

I am a bit busy.

Also, there is almost no traffic on the srtp mailing list; I recommend you try to contact the srtp developers about patches.

Comment 10 Jason Tibbitts 2010-11-01 21:41:06 UTC
It seems that there's no upstream development and nobody with the time to address the review commentary, so I'm just going to close this ticket.  If Jeffrey does want to pick this up, I urge him to open his own ticket.

Comment 11 Tom "spot" Callaway 2010-11-19 19:45:19 UTC
I'm probably going to pick this up, as libjingle 0.5.1 grew this as a dependency.

Comment 12 Tom "spot" Callaway 2010-11-22 21:09:25 UTC
I've opened a new ticket here:
https://bugzilla.redhat.com/show_bug.cgi?id=656010