Thorvald Natvig writes ("Re: mumble and celt, #682010, TC"):
> For now, the easiest is probably to re-enable Mumble to build the
> embedded CELT, something it currently does not do. That way it is just a
> single package, and we can deal with problems as they come up.

Since Ron is listed as co-maintainer for mumble do you feel you have the
authority to do this? I imagine Ron would object, so you would in any
case need a TC ruling to arbitrate between you.

We would have to clear this approach with the release team.

> Krautz, another Mumble developer, has some proof-of-concept code to
> sandbox CELT using seccomp. If the CELT in Mumble was stand-alone, we
> could apply this sandboxing to the local copy we have there. It is
> another of the "not ready yet" solutions, but if it is needed, it will
> be much easier to retrofit this inside Mumble itself than it would be to
> do it in a global package.

Thanks for the consideration but this is not very useful to us for
Debian wheezy.

But the Debian Security Team have said that while they have reservations
they do not consider celt upstream to be non-release-critical.

Am I right in thinking that enabling the builtin 0.7.1 alongside the
other builtin versions of celt only makes the security situation worse
by bugs that are in 0.7.1 but in none of the other embedded versions of
celt which are currently enabled? (Which are those?)

Ian.

