IETF Logo Mail Archive

Re: [rtcweb] Cisco to open source its H.264 implementation and absorb MPEG-LA licensing fees

Daniel-Constantin Mierla <miconda@gmail.com> Thu, 12 December 2013 22:25 UTC

Return-Path: <miconda@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5864C1ADF9D for <rtcweb@ietfa.amsl.com>; Thu, 12 Dec 2013 14:25:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WsV5TnnCgyLm for <rtcweb@ietfa.amsl.com>; Thu, 12 Dec 2013 14:25:47 -0800 (PST)
Received: from mail-ea0-x230.google.com (mail-ea0-x230.google.com [IPv6:2a00:1450:4013:c01::230]) by ietfa.amsl.com (Postfix) with ESMTP id 11BCE1ADF52 for <rtcweb@ietf.org>; Thu, 12 Dec 2013 14:25:46 -0800 (PST)
Received: by mail-ea0-f176.google.com with SMTP id h14so534957eaj.7 for <rtcweb@ietf.org>; Thu, 12 Dec 2013 14:25:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:reply-to:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=vi0SF232rsPSkPOibudQDT+yajkkNP2vPeTBH5mqEzQ=; b=drEmZ4BR/3jaDCXgwkPmd+pkDf+Qq1lF/shSZs7IETRuNUTYDIHhjTAw6XGekolkVW kxmqyQRzd6zXFyUonFvZxYxcxYlFoeFkDhdL/KwFzMwXdcjXTQwXnJl38Hx8BOjMUqV0 unoTuj87APchmi8AbDNJ2ClRmqVqh7aetmrt8yuHfpswyKVTccACTwwH14Q2Mu9hIRJS RJpb3FOx15SlFNfFpR/Yd9PRPnrVnVNTpSXEQieHSxiSjg92er5+jpN2HY/wsh0NME1Z 21VWe1BTb0lfa25DcWfP3LSNPQ1TQhVbDQx6jb52KOyuTiEDiybu2yD/ASHXjk6KXz94 jGig==
X-Received: by 10.14.2.73 with SMTP id 49mr10477741eee.15.1386887140536; Thu, 12 Dec 2013 14:25:40 -0800 (PST)
Received: from [127.0.0.1] (ns.asipto.com. [213.133.111.169]) by mx.google.com with ESMTPSA id h3sm70930281eem.15.2013.12.12.14.25.38 for <multiple recipients> (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 12 Dec 2013 14:25:39 -0800 (PST)
Message-ID: <52AA37E2.1070202@gmail.com>
Date: Thu, 12 Dec 2013 23:25:38 +0100
From: Daniel-Constantin Mierla <miconda@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Thunderbird/26.0
MIME-Version: 1.0
To: Ron <ron@debian.org>, Cullen Jennings <fluffy@iii.ca>
References: <186CE8D65BA3A741A81A543F936DD0D10A5803D8@xmb-rcd-x07.cisco.com> <A672E2AB-827D-46E8-9EB1-D7ED82B10B94@cisco.com> <20131211193239.GK3245@audi.shelbyville.oz> <558F8D49-4024-4DF1-9A9E-AF422F1292C2@iii.ca> <20131212011550.GM3245@audi.shelbyville.oz> <E8882BCE-4795-4CF5-B785-18C2141A5DE2@iii.ca> <20131212183852.GN3245@audi.shelbyville.oz> <9B19C671-4356-4918-B271-D95B7AA84BBA@iii.ca> <20131212213234.GQ3245@audi.shelbyville.oz>
In-Reply-To: <20131212213234.GQ3245@audi.shelbyville.oz>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Cisco to open source its H.264 implementation and absorb MPEG-LA licensing fees
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: miconda@gmail.com
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2013 22:25:49 -0000

On 12/12/13 22:32, Ron wrote:
[...]
>
>
> It does however raise a brand new problem (one which is actually quite
> technically interesting!), and I am interested to know if that was just
> a misunderstanding on your part in explaining it, or if you actually do
> plan to really solve this. [1]
>
> You talk about Mozilla fingerprinting the *source* that they verified,
> and then being able to confirm that fingerprint in the binary blob they
> download from the Cisco build farm.
>
> I had previously assumed people were only planning to take a hash of
> the binaries already up there, merely to ensure the blob that a user
> actually downloaded wasn't some totally foreign trojan, but was what
> was expected to come from the Cisco site.
>
>
> There is considerable work presently being done on fully reproducible
> binaries, since obviously this is of interest on many fronts, but it's
> currently far from being a universally (or easily) Solved Problem.
At least there were several people concerned about trusting the blob 
version being built from the open sourced code. I, as one of them, got 
the answer that I can take the code and build it on my system and then 
compare the binaries (the answer was not from Cisco, saying it just to 
be sure is not inducing anyone in error). Upon a follow up that whether 
we should expect mobile devices to be shipped with compile tools and 
devel libs soon, the reply came that cross compilation should (can) be used.

Its going aside the topic of this mailing list, but as you, I would be 
also very interested to see a solution for fingerprinting the sources 
and then matching the binary outcome from third party build systems.

Back on topic, my concern was for custom/new applications using the 
blobs. Maybe Mozilla (+ other major browsers or large companies) and 
Cisco can get to a mechanism between them that Mozilla builds the blobs 
and uploads them to Cisco. Firefox on your device will take it from 
Cisco site and compare the fingerprints. I don't think will solve all 
the security concerns, but can shift the trust relation to Mozilla, as 
between the application and its mother company (i.e., if one doesn't 
trust Mozilla, it shouldn't use bare Firefox binary in the first place).

Daniel

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda

v2.23.0 | Report a Bug | By Email