Hi On Tue, Jun 12, 2012 at 8:19 PM, Ron <ron@xxxxxxxxxx> wrote: > On Tue, Jun 12, 2012 at 06:30:36PM +0200, Marc-André Lureau wrote: >> Hi >> >> On Tue, Jun 12, 2012 at 5:35 PM, Ron <ron@xxxxxxxxxx> wrote: >> > The bitstream has been frozen for just a tad under a year now. >> >> I don't know how you can claim that: http://www.opus-codec.org/downloads/ >> >> The bit-stream has not changed, except for some corner cases that are >> unlikely to happen in the real world. >> [ ] opus-0.9.9.tar.gz 18-Feb-2012 >> 16:20 710K > > Which part of "The bit-stream has not changed" is unclear? > > The qualifier there I believe is a reference to this commit: > > Fixes the code for optional self-delimited packing to make it fit the draft. > This has no impact on opus_demo, test vectors, or "normal" codec operation. > > Since support for that packing mode is declared to be OPTIONAL in the > standard (their caps not mine :), anything which might use it cannot > expect to actually be interoperable with a compliant decoder anyhow. > > If "unlikely to happen in the real world" was not an extremely conservative > estimate of the real impact, then strictly preserving the bitstream would > have won hands down at that point in time, without any doubt at all. > >> If it is, can you point to an official release note stating it clearly >> "bitstream is frozen" or compatible with any further release? > > More official than the codec working group declaring it to be in its > finally frozen form, or the codec specification being submitted to and > approved by the IESG for publication? You keep refering to standards, while I am talking about what we can actually rely on, the implementation. >> This is not helping, we have implementations not really frozen. > > Who is "we" here? The community, at large. The people who actually use and distribute this code. > I *absolutely* would not have pushed a copy of this to Debian for people > to use if there was anything short of an ASTRONOMICALLY SMALL chance of > there still being a bitstream change. (my caps this time, I'm serious > about that. It's not going to happen while the upstream developers > draw breath to stab anybody who might try). We just need an opus implementation to say clearly that it will be bit-stream compatible with future releases. Not play with chances. >> Since no releases happened recently, I assume no security issues are known. > > That's an interesting assumption ... Isn't it how security works? It's safe until it's proven it's no longer, isn't it? > Here's another, that is actually a little more grounded in what the people > who might actually make those releases have actually been focussed on: > > No releases happened because *nobody* is looking at celt 0.5.1 at all, let Spice depends on celt 0.5.1, people do care. > What is your plan to confirm or deny 0.5.1 is affected by the problems that > he found and fixed in later versions? I am not saying it's not without problems. But if something is serious, the Spice project will certainly drop celt 0.5.1 support or fix it. If Spice should drop celt 0.5.1 support altogether for security reasons, a bunch of people would be interested to know. > You could just wait for the news of a live exploit actually doing the rounds, > but I personally wouldn't want to trust my own systems to that plan. I am no security expert, but even if we would make a security audit, there would still be chances an exploit be found. Rushing into using new libraries isn't going to magically make security issues disappear. > I'm not particularly interested in arguing with someone who has already made > up their mind and for whom facts are just annoying details to handwave away. > But if you're actually interested in the facts, I'm happy to help answer any > questions that you or the rest of the spice team might have. I have not made up my mind, but my points are: - spice depends on 0.5.1 of celt, and for quite some time (several years), so security issues should be addressed - xiph opus implementation doesn't guarantee bit-stream compatibility yet, according to release log > It's your decision what you do with spice. But saying "Opus isn't ready yet" > is simply not true. You may have other reasons not to use it, but that isn't > one of them that stands up to genuine scrutiny. Personally, I would be glad to have opus support once there is an implementation the spice server can rely on. Even when opus support will be added, celt 0.5.1 will continue to be maintained unless we drop audio support for older releases. regards -- Marc-André Lureau _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel