Quoting Daniel Pocock (2015-11-09 14:32:51)
> As described in #770659, Chromium is having problems with the standard 
> version of libsrtp0 on jessie.

The problem it has is that it a) rely on libSRTP to provide randomness, 
and b) block the underlying calls done internally in libSRTP to get 
randomness from other sources.

> Users have been disabling the sandbox in Chromium to work around this 
> issue, hence the security tag has been used.

The very use of libSRTP is a security issue: libSRTP does *not* provide 
cryptographically secure randomness, and next major release of libSRTP 
will _stop_ offer that unreliable randomness API.

Therefore I believe the way forward with this is to get Chromium to get 
randomness via some other API than the bad libSRTP approach used now, 
and then when that is in place try backport the proper approach to the 
Chromium in Debian stable.

I do not like to change the libSRTP code in Debian stable.  The patch 
itself is tiny, but just as the very Chromium issue demonstrates, can 
nevertheless have big consequences.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature

Reply via email to