Bug 509619 - Review Request: srtp - Secure Real-Time Transport Protocol (SRTP) Library
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: Package Review
Blocks: FE-DEADREVIEW
Reported: 2009-07-04 02:19 EDT by Itamar Reis Peixoto
Modified: 2010-11-22 16:09 EST
Last Closed: 2010-11-01 17:41:06 EDT
Description Itamar Reis Peixoto 2009-07-04 02:19:19 EDT
Spec URL: http://ispbrasil.com.br/srtp/srtp.spec
SRPM URL: http://ispbrasil.com.br/srtp/srtp-1.4.2-1.fc11.src.rpm
Description: 

The libSRTP library is an open source implementation of the Secure
Real-time Transport Protocol (SRTP) originally authored by Cisco
Systems, Inc.

SRTP is a security profile for RTP that adds confidentiality, message
authentication, and replay protection to that protocol. It is specified
in RFC 3711. More information about the SRTP protocol itself can be
found on the Secure RTP page.

Author:
--------
    David A. McGrew <mcgrew@cisco.com>, Cisco Systems, Inc.





l@@k -> 

http://www.callweaver.org/wiki/TCP+TLS+SRTP
https://issues.asterisk.org/view.php?id=5413


koji scratch build
http://koji.fedoraproject.org/koji/taskinfo?taskID=1453779
Comment 1 Jason Tibbitts 2009-07-11 01:54:34 EDT
It really helps if you could run rpmlint on your packages and address the output before you submit them for review.

  srtp-debuginfo.x86_64: E: empty-debuginfo-package
You should disable the debuginfo package if you don't create a main package.

  srtp-devel.x86_64: W: wrong-file-end-of-line-encoding
   /usr/share/doc/srtp-devel-1.4.2/draft-irtf-cfrg-icm-00.txt
This needs to be run through tr -d \\r or dos2unix to fix up the line endings.

In addition, I feel significant unease at a security sensitive network protocol being available only as a static library.  If a security issue is found, everything that linked against it will need to be rebuilt.  At least one distro seems to build this as a shared library:
http://www.mail-archive.com/pld-cvs-commit@lists.pld-linux.org/msg58219.html

Also, version 1.4.4 seems to be current, while you've packaged 1.4.2.
Comment 2 Itamar Reis Peixoto 2009-07-12 23:35:27 EDT
Hi, I have ported the patch from PLD Linux to version 1.4.4 and sent it upstream; waiting for an answer about it.
Comment 3 Itamar Reis Peixoto 2009-08-11 15:43:20 EDT
Updated files here, still no answer from upstream.

http://itamarjp.fedorapeople.org/srtp/srtp.spec
http://itamarjp.fedorapeople.org/srtp/srtp-1.4.4-1.fc12.src.rpm
Comment 4 Jeffrey C. Ollie 2009-11-02 15:10:16 EST
A couple of comments,

1) Asterisk won't have SRTP support until version 1.8, which won't be available for a very long time.

2) The SRTP library appears to be abandoned by upstream.  Do we really want to add another package with no upstream development?  Perhaps the Asterisk, CallWeaver, FreeSwitch, etc. developers should get together and restart upstream development.
Comment 5 nucleo 2010-03-05 13:22:47 EST
Some comments about srtp.spec.

1. Versioned shared libraries libsrtp.so.0, libsrtp.so.0.0.0 should not be in -devel. They should be in main srtp package.

See http://fedoraproject.org/wiki/Packaging/Guidelines#Devel_Packages

2. The main srtp package should contain a description, but the -devel and -static packages can have descriptions like "Development files for %{name}." or "Static files for %{name}." I think that the author name should not be in the description, because a short description of the package should be there.

See http://fedoraproject.org/wiki/Packaging/Guidelines#Summary_and_description

3. Libtool archive libsrtp.la files should not be included.

See http://fedoraproject.org/wiki/Packaging/Guidelines#Packaging_Static_Libraries

4. I think that library version libsrtp.so.1 and libsrtp.so.1.0.0 (or maybe libsrtp.so.1.4.4) would be more convenient.
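
The file-layout points 1 and 3 in Comment 5 and the line-ending warning from Comment 1 can be checked mechanically before a package is submitted. The following shell functions are an added example, not part of the original thread or of the srtp package; the sample file list is constructed and its directory names are assumptions.

```shell
#!/bin/sh
# Added example: pre-review checks for a -devel subpackage.

# Reads a file list on stdin (one path per line, as printed by `rpm -qlp`)
# and flags entries that should not ship in -devel.
# Returns 1 if anything was flagged, 0 otherwise.
check_devel_filelist() {
    found=0
    while IFS= read -r path; do
        case "$path" in
            *.so.[0-9]*)   # versioned shared object: belongs in the main package
                echo "versioned-so-in-devel $path"; found=1 ;;
            *.la)          # libtool archive: should not be packaged
                echo "libtool-archive $path"; found=1 ;;
        esac
    done
    return "$found"
}

# Prints each named file that contains a carriage return (DOS line endings),
# the condition rpmlint reports as wrong-file-end-of-line-encoding.
crlf_files() {
    cr=$(printf '\r')
    for f in "$@"; do
        if grep -q "$cr" "$f"; then echo "$f"; fi
    done
}

# Constructed sample list; the directory names are assumptions.
sample_devel_list() {
    cat <<'EOF'
/usr/include/srtp/srtp.h
/usr/lib64/libsrtp.so
/usr/lib64/libsrtp.so.0
/usr/lib64/libsrtp.so.0.0.0
/usr/lib64/libsrtp.la
EOF
}

# Demo run on the constructed list (flags three entries).
sample_devel_list | check_devel_filelist || true
```

The unversioned `libsrtp.so` symlink is not flagged, since it is the development file that stays in -devel.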
Comment 6 Rakesh Pandit 2010-05-17 03:51:14 EDT
Hi Itamar,

Any updates here about Comment #4 and Comment #5?

Regards,
Rakesh Pandit
Comment 7 Rakesh Pandit 2010-05-24 00:09:28 EDT
There hasn't been an update in a month, and I pinged last week. If there is no update in another week, I will close this as deferred.

Thanks,
Comment 8 Jeffrey C. Ollie 2010-08-02 11:36:35 EDT
What's the status of this package?  I'm starting to try and get Asterisk 1.8 built for rawhide now that F-14 has been branched off and it would be nice to enable the SRTP support.
Comment 9 Itamar Reis Peixoto 2010-08-02 12:49:01 EDT
(In reply to comment #8)
> What's the status of this package?  I'm starting to try and get Asterisk 1.8
> built for rawhide now that F-14 has been branched off and it would be nice to
> enable the SRTP support.    

Jeffrey, would you like to continue this review request?

I am a bit busy.

Also, there is almost no traffic on the srtp mailing list; I recommend you try to contact the srtp developers about patches.
Comment 10 Jason Tibbitts 2010-11-01 17:41:06 EDT
It seems that there's no upstream development and nobody with the time to address the review commentary, so I'm just going to close this ticket.  If Jeffrey does want to pick this up, I urge him to open his own ticket.
Comment 11 Tom "spot" Callaway 2010-11-19 14:45:19 EST
I'm probably going to pick this up, as libjingle 0.5.1 grew this as a dependency.
Comment 12 Tom "spot" Callaway 2010-11-22 16:09:25 EST
I've opened a new ticket here:
https://bugzilla.redhat.com/show_bug.cgi?id=656010
