Bug 509619 - Review Request: srtp - Secure Real-Time Transport Protocol (SRTP) Library
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Blocks: FE-DEADREVIEW
Reported: 2009-07-04 06:19 UTC by Itamar Reis Peixoto
Modified: 2010-11-22 21:09 UTC (History)

Last Closed: 2010-11-01 21:41:06 UTC

Description Itamar Reis Peixoto 2009-07-04 06:19:19 UTC
Spec URL: http://ispbrasil.com.br/srtp/srtp.spec
SRPM URL: http://ispbrasil.com.br/srtp/srtp-1.4.2-1.fc11.src.rpm
Description: 

The libSRTP library is an open source implementation of the Secure
Real-time Transport Protocol (SRTP) originally authored by Cisco
Systems, Inc.

SRTP is a security profile for RTP that adds confidentiality, message
authentication, and replay protection to that protocol. It is specified
in RFC 3711. More information about the SRTP protocol itself can be
found on the Secure RTP page.

Author:
--------
    David A. McGrew <mcgrew>, Cisco Systems, Inc.





l@@k -> 

http://www.callweaver.org/wiki/TCP+TLS+SRTP
https://issues.asterisk.org/view.php?id=5413


koji scratch build
http://koji.fedoraproject.org/koji/taskinfo?taskID=1453779

Comment 1 Jason Tibbitts 2009-07-11 05:54:34 UTC
It really helps if you could run rpmlint on your packages and address the output before you submit them for review.

  srtp-debuginfo.x86_64: E: empty-debuginfo-package
You should disable the debuginfo package if you don't create a main package.

  srtp-devel.x86_64: W: wrong-file-end-of-line-encoding
   /usr/share/doc/srtp-devel-1.4.2/draft-irtf-cfrg-icm-00.txt
This needs to be run through tr -d \\r or dos2unix to fix up the line endings.

In addition, I feel significant unease at a security sensitive network protocol being available only as a static library.  If a security issue is found, everything that linked against it will need to be rebuilt.  At least one distro seems to build this as a shared library:
http://www.mail-archive.com/pld-cvs-commit@lists.pld-linux.org/msg58219.html

Also, version 1.4.4 seems to be current, while you've packaged 1.4.2.

Comment 2 Itamar Reis Peixoto 2009-07-13 03:35:27 UTC
Hi, I have ported the patch from PLD Linux to version 1.4.4 and sent it upstream; waiting for an answer about it.

Comment 3 Itamar Reis Peixoto 2009-08-11 19:43:20 UTC
Updated files here, still no answer from upstream.

http://itamarjp.fedorapeople.org/srtp/srtp.spec
http://itamarjp.fedorapeople.org/srtp/srtp-1.4.4-1.fc12.src.rpm

Comment 4 Jeffrey C. Ollie 2009-11-02 20:10:16 UTC
A couple of comments,

1) Asterisk won't have SRTP support until version 1.8, which won't be available for a very long time.

2) The SRTP library appears to be abandoned by upstream.  Do we really want to add another package with no upstream development?  Perhaps the Asterisk, CallWeaver, FreeSwitch, etc. developers should get together and restart upstream development.

Comment 5 nucleo 2010-03-05 18:22:47 UTC
Some comments about srtp.spec.

1. The versioned shared libraries libsrtp.so.0 and libsrtp.so.0.0.0 should not be in -devel. They should be in the main srtp package.

See http://fedoraproject.org/wiki/Packaging/Guidelines#Devel_Packages

2. The main srtp package should contain a description, but the -devel and -static packages can have a description like "Development files for %{name}." or "Static files for %{name}." I think that the author name should not be in the description because a short description of the package should be there.

See http://fedoraproject.org/wiki/Packaging/Guidelines#Summary_and_description

3. Libtool archive libsrtp.la files should not be included.

See http://fedoraproject.org/wiki/Packaging/Guidelines#Packaging_Static_Libraries

4. I think that library versions libsrtp.so.1 and libsrtp.so.1.0.0 (or maybe libsrtp.so.1.4.4) will be more convenient.
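
The file layout that points 1 to 3 of comment 5 ask for, written out as spec sections. This is an added illustration, not the submitted srtp.spec and not part of any comment; it assumes the upstream Makefile honours DESTDIR and installs its headers under %{_includedir}/srtp.

```spec
# Added illustration, not the submitted srtp.spec.
# Assumptions: "make install" honours DESTDIR, and the headers
# install under %{_includedir}/srtp.

# Point 2: the full description lives on the main package only.
%description
The libSRTP library is an open source implementation of the Secure
Real-time Transport Protocol (SRTP).

%package devel
Summary:  Development files for %{name}
Requires: %{name} = %{version}-%{release}

%description devel
Development files for %{name}.

%package static
Summary:  Static files for %{name}
Requires: %{name}-devel = %{version}-%{release}

%description static
Static files for %{name}.

%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
# Point 3: libtool archives are not shipped in any subpackage.
find %{buildroot} -name '*.la' -delete

# The main package now carries a shared library, so refresh the
# dynamic linker cache on install and removal.
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig

%files
# Point 1: versioned runtime libraries (libsrtp.so.0, libsrtp.so.0.0.0).
%{_libdir}/libsrtp.so.*

%files devel
%{_includedir}/srtp/
# Only the unversioned development symlink belongs in -devel.
%{_libdir}/libsrtp.so

%files static
%{_libdir}/libsrtp.a
```

With the runtime library in the main package, dependent programs pick up a fixed libsrtp through a single package update, which is the concern raised in comment 1 about a static-only build.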

Comment 6 Rakesh Pandit 2010-05-17 07:51:14 UTC
Hi Itamar,

Any updates here about comment #4 and comment #5?

Regards,
Rakesh Pandit

Comment 7 Rakesh Pandit 2010-05-24 04:09:28 UTC
There hasn't been an update in a month, and I pinged last week. If there is no update in another week, I will close this as deferred.

Thanks,

Comment 8 Jeffrey C. Ollie 2010-08-02 15:36:35 UTC
What's the status of this package?  I'm starting to try and get Asterisk 1.8 built for rawhide now that F-14 has been branched off and it would be nice to enable the SRTP support.

Comment 9 Itamar Reis Peixoto 2010-08-02 16:49:01 UTC
(In reply to comment #8)
> What's the status of this package?  I'm starting to try and get Asterisk 1.8
> built for rawhide now that F-14 has been branched off and it would be nice to
> enable the SRTP support.    

Jeffrey, would you like to continue this review request?

I am a bit busy.

Also, there is almost no traffic on the srtp mailing list; I recommend you try to contact the srtp developers about patches.

Comment 10 Jason Tibbitts 2010-11-01 21:41:06 UTC
It seems that there's no upstream development and nobody with the time to address the review commentary, so I'm just going to close this ticket.  If Jeffrey does want to pick this up, I urge him to open his own ticket.

Comment 11 Tom "spot" Callaway 2010-11-19 19:45:19 UTC
I'm probably going to pick this up, as libjingle 0.5.1 grew this as a dependency.

Comment 12 Tom "spot" Callaway 2010-11-22 21:09:25 UTC
I've opened a new ticket here:
https://bugzilla.redhat.com/show_bug.cgi?id=656010

