Public bug reported:

[Availability]
The package dbus-broker is already in Ubuntu universe.
The package dbus-broker builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/dbus-broker

[Rationale]
- The package dbus-broker is required in Ubuntu main to replace dbus-daemon.
- The package dbus-broker will generally from server to desktop.
- Package dbus-broker covers the same use case as dbus-daemon but is a better
alternative for the reason described in
https://dvdhrm.github.io/rethinking-the-dbus-message-bus/. Other distributions
have been using it for years, Fedora for example,
https://fedoraproject.org/wiki/Changes/DbusBrokerAsTheDefaultDbusImplementation
- There is no other/better way to solve this that is already in main or
  should go universe->main instead of this.

- The package dbus-broker is required in Ubuntu main no later than
August due to FF, ideally we would like to land it earlier in the cycle

[Security]
- Had 2 security issues in the past
1.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
https://ubuntu.com/security/CVE-2022-31212
https://security-tracker.debian.org/tracker/CVE-2022-31212

2.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31213
https://ubuntu.com/security/CVE-2022-31213
https://security-tracker.debian.org/tracker/CVE-2022-31212

Those reports seem to have been fixed in a timely fashion upstream. The
issues are resolved in Ubuntu in series > Kinetic

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does install services, timers or recurring jobs
/lib/systemd/system/dbus-broker.service
/usr/lib/systemd/user/dbus-broker.service

  The system unit uses the following systemd security features
OOMScoreAdjust=-900
LimitNOFILE=16384
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true

- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite at build time, if it fails
  it makes the build fail

https://launchpadlibrarian.net/650445725/buildlog_ubuntu-lunar-amd64.dbus-broker_33-1_BUILDING.txt.gz

Ok:                 46
Expected Fail:      0
Fail:               0
Unexpected Pass:    0
Skipped:            0
Timeout:            0

- The package runs an autopkgtest, and is currently passing on
  amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
https://autopkgtest.ubuntu.com/packages/dbus-broker

- The package does not have failing autopkgtests right now
- The autopkgtest is running the upstream test suite so is not trivial

[Quality assurance - packaging]
- debian/watch is present and works

- debian/control defines a correct Maintainer since it's in sync from
Debian

- The package has no lintian warnings
# lintian --pedantic
#

- Please link to a recent build log of the package
https://launchpadlibrarian.net/650445725/buildlog_ubuntu-lunar-amd64.dbus-broker_33-1_BUILDING.txt.gz

  `lintian --pedantic` as an extra post to this bug.

- Lintian overrides are present
# dbus-broker only supports systemd
dbus-broker: maintainer-script-calls-systemctl
dbus-broker: package-supports-alternative-init-but-no-init.d-script [lib/systemd/system/dbus-broker.service]
# need to override dh_installsystemd
dbus-broker: maintainer-script-empty [prerm]
dbus-broker: maintainer-script-ignores-errors [prerm]
# matches dbus-daemon package, activated by socket
dbus-broker: systemd-service-file-missing-install-key [lib/systemd/system/dbus-broker.service]

Those have to do with the fact that the package is set to work only with systemd;
that's not an issue in Ubuntu since we don't support alternative init systems
anyway.
Also, the service shouldn't be stopped on package removal, to avoid seeing the
user session close.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980541

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf
questions

- Packaging and build is easy,
https://salsa.debian.org/utopia-team/dbus-broker/-/blob/debian/sid/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Teams will be foundations and desktop
- desktop-packages is already subscribed to the package, we will get 
foundations added

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package successfully built during the most recent test rebuild

[Background information]
The Package description explains the package well
Upstream Name is dbus-broker
Link to upstream project https://github.com/bus1/dbus-broker

The AppArmor integration patch in review upstream on
https://github.com/bus1/dbus-broker/pull/286 has got a +1 from our
security team. We will include the change either by distro patching or
through a newer upstream version since that's required for our
confinement story, especially in snaps.

** Affects: dbus-broker (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  [Availability]
  The package dbus-broker is already in Ubuntu universe.
  The package dbus-broker build for the architectures it is designed to work on.
  It currently builds and works for architetcures: amd64, arm64, armhf, i386, 
ppc64el, riscv64, s390x
- Link to package 
[[https://launchpad.net/ubuntu/+source/dbus-broker|dbus-broker]]
+ Link to package https://launchpad.net/ubuntu/+source/dbus-broker
  
  [Rationale]
  - The package dbus-broker is required in Ubuntu main to replace dbus-daemon.
  - The package dbus-broker will generally from server to desktop.
  - Package dbus-broker covers the same use case as dbus-daemon but is a better 
alternative for the reason described in 
https://dvdhrm.github.io/rethinking-the-dbus-message-bus/. Other distributions 
are using it for years, Fedora for example, 
https://fedoraproject.org/wiki/Changes/DbusBrokerAsTheDefaultDbusImplementation
  - There is no other/better way to solve this that is already in main or
-   should go universe->main instead of this.
+   should go universe->main instead of this.
  
  - The package dbus-broker is required in Ubuntu main no later than
  august due to FF, ideally we would like land it earlier in the cycle
  
  [Security]
  - Had 2 security issues in the past
  1.
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31212
  https://ubuntu.com/security/CVE-2022-31212
  https://security-tracker.debian.org/tracker/CVE-2022-31212
  
  2.
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31213
  https://ubuntu.com/security/CVE-2022-31213
  https://security-tracker.debian.org/tracker/CVE-2022-31212
  
  Those reports seem to have been fixed in timelined fashion upstream. The
  issues are resolved in Ubuntu in series > Kinetic
  
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does install services, timers or recurring jobs
  /lib/systemd/system/dbus-broker.service
  /usr/lib/systemd/user/dbus-broker.service
  
-   The system unit use the following systemd security features
+   The system unit use the following systemd security features
  OOMScoreAdjust=-900
  LimitNOFILE=16384
  ProtectSystem=full
  PrivateTmp=true
  PrivateDevices=true
  
  - Packages does not open privileged ports (ports < 1024)
  - Packages does not contain extensions to security-sensitive software
  
  [Quality assurance - function/usage]
  - The package works well right after install
  
  [Quality assurance - maintenance]
  - The package does not deal with exotic hardware we cannot support
  
  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails
-   it makes the build fail
+   it makes the build fail
  
  https://launchpadlibrarian.net/650445725/buildlog_ubuntu-lunar-
  amd64.dbus-broker_33-1_BUILDING.txt.gz
  
- Ok:                 46  
- Expected Fail:      0   
- Fail:               0   
- Unexpected Pass:    0   
- Skipped:            0   
- Timeout:            0  
+ Ok:                 46
+ Expected Fail:      0
+ Fail:               0
+ Unexpected Pass:    0
+ Skipped:            0
+ Timeout:            0
  
  - The package runs an autopkgtest, and is currently passing on
-   amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
+   amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
  https://autopkgtest.ubuntu.com/packages/dbus-broker
  
  - The package does have not failing autopkgtests right now
  - The autopkgtest is the running the upstream testsuite so is not trivial
  
  [Quality assurance - packaging]
  - debian/watch is present and works
  
  - debian/control defines a correct Maintainer since it's in sync from
  Debian
  
  - The package has no lintian warnings
  # lintian --pedantic
  #
  
  - Please link to a recent build log of the package
  
https://launchpadlibrarian.net/650445725/buildlog_ubuntu-lunar-amd64.dbus-broker_33-1_BUILDING.txt.gz
  
-   `lintian --pedantic` as an extra post to this bug.
+   `lintian --pedantic` as an extra post to this bug.
  
  - Lintian overrides are present
  # dbus-broker only supports systemd
  dbus-broker: maintainer-script-calls-systemctl
  dbus-broker: package-supports-alternative-init-but-no-init.d-script 
[lib/systemd/system/dbus-broker.service]
  # need to override dh_installsystemd
  dbus-broker: maintainer-script-empty [prerm]
  dbus-broker: maintainer-script-ignores-errors [prerm]
  # matches dbus-daemon package, activated by socket
  dbus-broker: systemd-service-file-missing-install-key 
[lib/systemd/system/dbus-broker.service]
  
  Those have to do with the fact that package is set to work only with systemd, 
that's not an issue in Ubuntu since we don't support alternative init systems 
anyway
  Also the service shouldn't be stopped on package removal to avoid seeing the 
user session close
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980541
  
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  
  - The package will be installed by default, but does not ask debconf
  questions
  
  - Packaging and build is easy, https://salsa.debian.org/utopia-
  team/dbus-broker/-/blob/debian/sid/debian/rules
  
  [UI standards]
  - Application is not end-user facing (does not need translation)
  
  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main
  
  [Standards compliance]
  - This package correctly follows FHS and Debian Policy
  
  [Maintenance/Owner]
  - Owning Teams will be foundations and desktop
  - desktop-packages is already subscribed to the package, we will get 
foundations added
  
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based
  
  - The package successfully built during the most recent test rebuild
  
  [Background information]
  The Package description explains the package well
  Upstream Name is dbus-broker
  Link to upstream project https://github.com/bus1/dbus-broker
  
  The apparmor integration patch in review upstream on
  https://github.com/bus1/dbus-broker/pull/286 has got a +1 from our
  security team, we will include the change either by distro patching or
  through a newer upstream version since that's required for our
  confinement story, especially in snaps.
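
Review bot: under [Security], the third link of item 2 is the Debian tracker entry for CVE-2022-31212, while the two links above it are for CVE-2022-31213, so the second CVE has no Debian tracker reference and the first has two. This description change only touches whitespace and the package link markup and carries that line over as unchanged context; the next edit should point it at the CVE-2022-31213 tracker entry. The statement "resolved in Ubuntu in series > Kinetic" would also be easier to audit if it named the fixed package version per series, since the MIR security review has to confirm both CVEs are closed in every release that will carry the package in main.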

https://bugs.launchpad.net/bugs/2015538

Title:
  [MIR] dbus-broker
