[Bug 2060035] Re: [MIR] msgraph
Final state check:
- FFE was approved as well.
- MIR approved
- Per [2] it seems it was consciously (freeze) accepted 15h ago.
- All dependencies are already in main (could have changed)
- Seen in component mismatches due to [2]
- The needed exclude is in place [1]

Only one version in noble
msgraph | 0.2.1-0ubuntu3 | noble/universe | source
Override component to main
msgraph 0.2.1-0ubuntu3 in noble: universe/libs -> main
Override [y|N]? y
1 publication overridden.
Override component to main
gir1.2-msg-0 0.2.1-0ubuntu3 in noble amd64: universe/introspection/optional/100% -> main
gir1.2-msg-0 0.2.1-0ubuntu3 in noble arm64: universe/introspection/optional/100% -> main
gir1.2-msg-0 0.2.1-0ubuntu3 in noble armhf: universe/introspection/optional/100% -> main
gir1.2-msg-0 0.2.1-0ubuntu3 in noble i386: universe/introspection/optional/100% -> main
gir1.2-msg-0 0.2.1-0ubuntu3 in noble ppc64el: universe/introspection/optional/100% -> main
gir1.2-msg-0 0.2.1-0ubuntu3 in noble riscv64: universe/introspection/optional/100% -> main
gir1.2-msg-0 0.2.1-0ubuntu3 in noble s390x: universe/introspection/optional/100% -> main
libmsgraph-0-1 0.2.1-0ubuntu3 in noble amd64: universe/libs/optional/100% -> main
libmsgraph-0-1 0.2.1-0ubuntu3 in noble arm64: universe/libs/optional/100% -> main
libmsgraph-0-1 0.2.1-0ubuntu3 in noble armhf: universe/libs/optional/100% -> main
libmsgraph-0-1 0.2.1-0ubuntu3 in noble i386: universe/libs/optional/100% -> main
libmsgraph-0-1 0.2.1-0ubuntu3 in noble ppc64el: universe/libs/optional/100% -> main
libmsgraph-0-1 0.2.1-0ubuntu3 in noble riscv64: universe/libs/optional/100% -> main
libmsgraph-0-1 0.2.1-0ubuntu3 in noble s390x: universe/libs/optional/100% -> main
libmsgraph-doc 0.2.1-0ubuntu3 in noble amd64: universe/doc/optional/100% -> main
libmsgraph-doc 0.2.1-0ubuntu3 in noble arm64: universe/doc/optional/100% -> main
libmsgraph-doc 0.2.1-0ubuntu3 in noble armhf: universe/doc/optional/100% -> main
libmsgraph-doc 0.2.1-0ubuntu3 in noble i386: universe/doc/optional/100% -> main
libmsgraph-doc 0.2.1-0ubuntu3 in noble ppc64el: universe/doc/optional/100% -> main
libmsgraph-doc 0.2.1-0ubuntu3 in noble riscv64: universe/doc/optional/100% -> main
libmsgraph-doc 0.2.1-0ubuntu3 in noble s390x: universe/doc/optional/100% -> main
Override [y|N]? y
21 publications overridden.

[1]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/ubuntu/commit/?id=d5078daf38e46b458c2d308ae86f6b9630c50102
[2]: https://launchpad.net/ubuntu/+source/gvfs/1.54.0-1ubuntu1

** Changed in: msgraph (Ubuntu)
Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060035

Title:
[MIR] msgraph

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/msgraph/+bug/2060035/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2060035] Re: [MIR] msgraph
MIR is ready.

** Changed in: msgraph (Ubuntu)
Status: In Progress => Fix Committed
[Bug 2060035] Re: [MIR] msgraph
desktop-packages is subscribed now and the FFe to enable the feature was submitted as https://launchpad.net/bugs/2061857
[Bug 2060035] Re: [MIR] msgraph
Needs the changes to be pulled in and a subscriber - other than that it seems ready

** Changed in: msgraph (Ubuntu)
Status: Confirmed => In Progress
[Bug 2060035] Re: [MIR] msgraph
I reviewed msgraph 0.2.1-0ubuntu3 as checked into noble. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

msgraph is a library written in C using glib, libgoa, and libsoup to provide access to the Microsoft Graph API services.

- CVE History
  - None
- Build-Depends
  - libgoa, glib, libsoup
  - claims to use librest via meson.build but I couldn't find any evidence of that, so I sent an MR to remove this - as such it should hopefully be possible to remove it from Build-Depends in a future update
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - unit tests are run at build time via dh_auto_test
  - autopkgtest simply runs unit tests as well
  - tests use uhttpmock to mock the service server
  - average test coverage is 72% as reported by gcovr
- cron jobs
  - None
- Build logs
  - Contains the following warnings:
    - dh_girepository: warning: Missing Build-Depends: gir1.2-gobject-2.0-dev (ideally with )
    - dh_girepository: warning: Missing Build-Depends: gir1.2-gio-2.0-dev (ideally with )
    - dh_girepository: warning: libgoa-1.0-dev should have Provides: gir1.2-goa-1.0-dev (= ${binary:Version})
    - dh_girepository: warning: Missing Build-Depends: gir1.2-json-1.0-dev (ideally with )
    - dh_girepository: warning: librest-dev should have Provides: gir1.2-rest-1.0-dev (= ${binary:Version})
    - dh_girepository: warning: Missing Build-Depends: gir1.2-soup-3.0-dev (ideally with )
  - Lintian reports the following issues:
    - libmsgraph-0-1_0.2.1-0ubuntu3_amd64.deb: E: libmsgraph-0-1: custom-library-search-path RUNPATH /usr/lib/x86_64-linux-gnu/libmsgraph [usr/lib/x86_64-linux-gnu/libmsgraph-0.so.0.2.1]
    - libmsgraph-doc_0.2.1-0ubuntu3_all.deb: W: libmsgraph-doc: stray-devhelp-documentation [usr/share/doc/msgraph-0/msgraph-0.devhelp2]
- Processes spawned
  - No subprocesses spawned
- Memory management
  - Uses standard glib APIs like g_new / g_free appropriately
  - no obvious memory leaks or similar
- File IO
  - None
- Logging
  - Only a very small amount of direct logging using `g_debug()` to trace use of various functions and when the https port number is changed via environment variable `SG_HTTPS_PORT`
  - Uses glib GError etc to return error information etc
  - Sets up libsoup to debug via `g_debug()`
  - No apparent use of unsafe format-string directives
- Environment variable usage
  - SG_HTTPS_PORT to override https port during testing
  - MSG_DEBUG - used to set the debug level in libsoup
  - MSG_LAX_SSL_CERTIFICATES - used to relax SSL validation of certificates for testing, to allow the use of an expired test cert in this case - this is done by connecting to the accept-certificate signal of libsoup's SoupMessage, which is emitted during the TLS handshake after an unacceptable TLS certificate has been received, and hence overriding this despite it having various errors
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - Uses libsoup to do certificate validation etc
- Use of temp files
  - None
- Use of networking
  - Uses libsoup to handle underlying network communications
  - libsoup internally uses GIO's GTlsConnection etc to handle TLS certificate validation etc - this does certificate validation etc by default
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- No significant cppcheck results
- No significant Coverity results
  - Upstream already does their own Coverity scans:
    - https://gitlab.gnome.org/GNOME/msgraph/-/blob/main/.gitlab-ci.yml?ref_type=heads#L54
- No significant shellcheck results
- No significant Semgrep results

The upstream project looks quite young (first commit was 23 July 2022 in a private repo, the public project only has commits since 14 Feb 2024) but the project appears to be quite high quality. Tests account for ~1/5th of the total code, provide 72% code coverage across 90% of all functions, and are run during the build and via autopkgtests. They also have plans to add additional unit tests for the async function variants in https://gitlab.gnome.org/GNOME/msgraph/-/merge_requests/21. Finally, they also do static analysis via Coverity as well as clang's scan-build to proactively detect any security issues. I sent an MR to remove the unused librest dependency as well in https://gitlab.gnome.org/GNOME/msgraph/-/merge_requests/22

Security team ACK for promoting msgraph to main.

** Changed in: msgraph (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
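The environment-variable inventory in the review above is the kind of check worth scripting, since a variable such as MSG_LAX_SSL_CERTIFICATES that disables certificate validation is only acceptable if it is never honoured outside the test suite. The script below is an added example and not code from the msgraph project or from this review: it enumerates every getenv()/g_getenv() call in a C source tree, prints the call sites so a reviewer can inspect each one, and flags names that look like TLS or certificate relaxation switches. The sample source files, the file names and the suspicious-name pattern are constructed for the demo; only the three variable names are taken from the review.

```shell
#!/bin/sh
# Added example, not msgraph's code: inventory the environment variables a C
# source tree reads and flag the ones that look like TLS/certificate
# relaxation switches. The sample tree below is constructed for the demo;
# only the variable names are taken from the review.
set -eu

# Regex for a getenv()/g_getenv() call with a string-literal variable name.
GETENV_RE='(g_)?getenv[[:space:]]*\([[:space:]]*"[A-Za-z_][A-Za-z0-9_]*"'

# Name fragments that warrant a closer look (assumed list; extend as needed).
SUSPICIOUS_RE='LAX|INSECURE|SSL|TLS|CERT|VERIFY|NO_CHECK'

# Print the distinct variable names read below $1, one per line, sorted.
list_env_vars() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -exec \
        grep -hoE "$GETENV_RE" {} + \
        | sed -E 's/.*"([A-Za-z_][A-Za-z0-9_]*)"$/\1/' \
        | sort -u
}

# Print "NAME file:line" for every call site below $1, sorted by name, so a
# reviewer can open each one and see what the variable actually controls.
env_var_sites() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -exec \
        grep -HnoE "$GETENV_RE" {} + \
        | sed -E 's/^(.*):([0-9]+):.*"([A-Za-z_][A-Za-z0-9_]*)"$/\3 \1:\2/' \
        | sort
}

# Print the suspicious names and return 1 if any were found; return 0 otherwise.
flag_tls_overrides() {
    found=$(list_env_vars "$1" | grep -E "$SUSPICIOUS_RE" || true)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Constructed sample source tree standing in for an unpacked source package.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/src" "$dir/tests"
    cat > "$dir/src/msg-service.c" <<'EOF'
#include <glib.h>
/* constructed stand-in, not the real msgraph source */
static gboolean lax_certificates (void)
{
  return g_getenv ("MSG_LAX_SSL_CERTIFICATES") != NULL;
}
static const gchar *debug_level (void) { return g_getenv ("MSG_DEBUG"); }
EOF
    cat > "$dir/tests/helper.c" <<'EOF'
#include <stdlib.h>
/* constructed stand-in for a test helper */
static int https_port (void)
{
  const char *p = getenv ("SG_HTTPS_PORT");
  return p ? atoi (p) : 443;
}
EOF
    printf '%s\n' "$dir"
}

# Usage: sh env-audit.sh --demo   (or call the functions on a real tree)
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "call sites:"
    env_var_sites "$tree"
    echo "names to review before promotion (must only be honoured by the test suite):"
    flag_tls_overrides "$tree" || true
    rm -rf "$tree"
fi
```

On a real package, run the functions against the unpacked source directory (for example the tree left by `apt-get source msgraph`); every flagged name should then be traced to the code path that reads it to confirm it cannot be set by an attacker-controlled environment at runtime.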
[Bug 2060035] Re: [MIR] msgraph
Replying to my previous comment after a chat with Lukas, the reason libgoa was raised as an issue is that the MIR template includes that mention in the 'upstream redflags' TODO:

> - no dependency on webkit, qtwebkit, seed or libgoa-*

I'm assuming that it was because libgoa depends on webkitgtk, which was removed in Noble. I've filed https://github.com/canonical/ubuntu-mir/issues/54 about getting libgoa removed from that section.
[Bug 2060035] Re: [MIR] msgraph
** Tags added: sec-4054
[Bug 2060035] Re: [MIR] msgraph
@Lukas, I don't understand your comment about libgoa-1.0-0b, that's a standard desktop library which has been in main forever and gets added to Depends through shlibs, what's the issue with it?

$ ldd -r /usr/lib/x86_64-linux-gnu/libmsgraph-0.so.1 | grep goa
        libgoa-1.0.so.0 => /lib/x86_64-linux-gnu/libgoa-1.0.so.0 (0x765dd7566000)

$ grep goa msgraph-0.2.1 -r
...
msgraph-0.2.1/src/msg-goa-authorizer.h:#include
...
msgraph-0.2.1/meson.build:goa_dep = dependency('goa-1.0')
[Bug 2060035] Re: [MIR] msgraph
and about #5, the package was uploaded to Debian NEW a month ago and is waiting for review in the queue
[Bug 2060035] Re: [MIR] msgraph
Apparently we don't want to have a runtime dependency on libgoa-* (build-dep is fine).

cpaelzer> slyon: for libgoa - it can be a build dependency, just not a runtime dependency (and not part of the final code, no static linking tricks)
cpaelzer> slyon: but if it is used at build to get stuff done (like test tools, binary mangling helpers, ...) then it does not need to be in main

So could you please elaborate why the libmsgraph-0-1 -> libgoa-1.0-0b runtime dependency is needed and if it could be avoided? It doesn't make a lot of sense to me, as libgoa-1.0-0b (src:gnome-online-accounts) is in "main" already and seems to be a crucial part here. But we didn't have time to discuss it in depth during today's meeting.
[Bug 2060035] Re: [MIR] msgraph
** Changed in: msgraph (Ubuntu)
Status: Incomplete => Confirmed

** Changed in: msgraph (Ubuntu)
Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 2060035] Re: [MIR] msgraph
Review for Source Package: msgraph

[Summary]
src:msgraph is a fairly new/young package that provides gnome-online-accounts integration to Microsoft services (e.g. OneDrive), using the MS Graph API. It's currently pure Ubuntu delta, as it has not been uploaded to Debian yet. Upstream's initial commit was in February 2024.

Overall, the package seems to be relatively well structured, but doesn't have a long history to prove proper maintenance.

MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: libmsgraph-0-1
Specific binary packages built, but NOT to be promoted to main: libmsgraph-dev

Notes:
#0 - Official Microsoft Graph SDK alternatives are listed here, but are not packaged in Ubuntu: https://learn.microsoft.com/en-us/graph/sdks/sdks-overview#supported-languages
#1 - This is a pretty young package, the Desktop team takes responsibility for maintaining it during the LTS cycle, should upstream vanish.
#2 - Asking security review for REST/Json parsing, certificates and centralized online accounts

Required TODOs:
#3 - The package should get a team bug subscriber before being promoted
#4 - should not (build-)depend on libgoa-* => not sure what to do about that, as it's an essential part of this package. I need to consult fellow MIR team members.

Recommended TODOs:
#5 - Consider pushing it into Debian, too.
#6 - Consider fixing "dh_girepository" and "dpkg-gencontrol" build-time warnings, to improve packaging (see "[Upstream red flags]" below)

[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality.
A team is committed to own long term maintenance of this package. (~desktop-packages)
The rationale given in the report seems valid and useful for Ubuntu (Microsoft OneDrive support in GNOME)

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- No dependencies in main that are only superficially tested requiring more tests now.

Problems:
- dev/-debug/-doc packages that need exclusion: libmsgraph-dev depends on librest-dev in universe

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content (Not considering MS Graph API as "arbitrary")
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...)

Problems:
- history of CVEs does not look concerning (but it's fairly young, initial release 2024-02-13)
- does parse data formats (REST/json structures) from an untrusted source.
- does use centralized online accounts (allow gnome-online-accounts connecting to Microsoft services)
- does deal with cryptography (certificates)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- symbols tracking is in place.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- Ubuntu does carry a delta (full package, not packaged in Debian)
- Upstream update history is sporadic (very few releases to date, 0.1.0, 0.2.0 & 0.2.1)
- Debian/Ubuntu update history is sporadic

[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on
[Bug 2060035] Re: [MIR] msgraph
** Description changed:

[Availability]
The package msgraph is already in Ubuntu universe.
The package msgraph builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/msgraph

[Rationale]
- The package msgraph is required in Ubuntu main to be able to enable Microsoft OneDrive support in GNOME
- The package msgraph will generally be useful for a large part of our user base
- There is no other/better way to solve this that is already in main or
-   should go universe->main instead of this.
+   should go universe->main instead of this.
- The binary package libmsgraph-0-1 needs to be in main to turn on the onedrive support in gnome-online-accounts
- We would like to enable the onedrive support in 24.04.1 if possible but it's not a hard commitment.

[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Security has been kept in mind and common isolation/risk-mitigation
-   patterns are in place utilizing the following features:
-   TBD (add details and links/examples about things like dropping
-   permissions, using temporary environments, restricted users/groups,
-   seccomp, systemd isolation features, apparmor, ...)
+   patterns are in place utilizing the following features:
+   TBD (add details and links/examples about things like dropping
+   permissions, using temporary environments, restricted users/groups,
+   seccomp, systemd isolation features, apparmor, ...)
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
-   it makes the build fail, link to build log https://launchpadlibrarian.net/720553048/buildlog_ubuntu-noble-amd64.msgraph_0.2.1-0ubuntu1_BUILDING.txt.gz
+   it makes the build fail, link to build log https://launchpadlibrarian.net/720553048/buildlog_ubuntu-noble-amd64.msgraph_0.2.1-0ubuntu1_BUILDING.txt.gz < to be updated once the infra catches up with the recent upload >
- - The package runs an autopkgtest, and is currently passing on
-   this TBD list of architectures, link to test logs https://autopkgtest.ubuntu.com/packages/m/msgraph
+ - The package runs an autopkgtest, and is currently passing on arm64 ppc64el s390x
+   https://autopkgtest.ubuntu.com/packages/m/msgraph
+   i386 is failing due to installability issues of other components and isn't a target architecture
- The package does not have failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer
- This package has minor lintian warnings
  # lintian --pedantic msgraph_0.2.1-0ubuntu1_amd64.changes
  E: libmsgraph-0-1: custom-library-search-path RUNPATH /usr/lib/x86_64-linux-gnu/libmsgraph [usr/lib/x86_64-linux-gnu/libmsgraph-0.so.0.2.1]
  W: libmsgraph-doc: stray-devhelp-documentation [usr/share/doc/msgraph-0/msgraph-0.devhelp2]
  The first one is because the upstream project uses an inconsistent naming (libmsgraph vs msgraph), we will add an override
- The devhelp one will be fixed in the next upload
+ The devhelp one is wrong and it's not an issue in newer versions
- Please link to a recent build log of the package https://launchpadlibrarian.net/720553048/buildlog_ubuntu-noble-amd64.msgraph_0.2.1-0ubuntu1_BUILDING.txt.gz
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions
- Packaging and build is easy, link to debian/rules https://salsa.debian.org/gnome-team/msgraph/-/blob/debian/latest/debian/rules

[UI standards]
- Library is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The future owning team (desktop-packages) is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built in the archive more recently than the last
-   test rebuild
+   test rebuild

[Background information]
The
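Lintian's custom-library-search-path tag on libmsgraph-0-1 (reported both in the security review earlier in this thread and in the description above) is worth following up with a quick RUNPATH audit rather than only an override: a search-path entry that is empty, relative, or in a directory unprivileged users can write to is a library-hijacking point, whereas a private directory under /usr/lib such as the one reported here is only a packaging-policy question. The script below is an added example and not code from the msgraph package or from this bug: it parses `readelf -d` output, classifies each RPATH/RUNPATH component, and checks whether any existing component is world-writable. The readelf output is constructed for the demo (only the first RUNPATH entry is the one Lintian reported; the other entries are invented to exercise each class), and the classification rules and class names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the msgraph package: audit RPATH/RUNPATH entries the
# way a reviewer follows up Lintian's custom-library-search-path tag.
# Classes (this example's own rules):
#   system   - /lib, /usr/lib or their multiarch subdirectory: loader default anyway
#   private  - an absolute directory below those (e.g. /usr/lib/<pkg>): policy question
#   relative - empty component, $ORIGIN or any non-absolute path: resolved at load time
#   foreign  - absolute path outside /lib and /usr/lib (build or home dirs): hijack risk
set -eu

# Constructed `readelf -d` output. The first RUNPATH entry is the one Lintian
# reported for libmsgraph-0.so.0.2.1; the other entries are invented so that
# every class is exercised.
SAMPLE_READELF='Dynamic section at offset 0x2e4a8 contains 32 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libgoa-1.0.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libsoup-3.0.so.0]
 0x000000000000000e (SONAME)             Library soname: [libmsgraph-0.so.0]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib/x86_64-linux-gnu/libmsgraph:/usr/lib/x86_64-linux-gnu::/tmp/build/lib]'

# Print each RPATH/RUNPATH search entry from `readelf -d` output (stdin), one
# per line. An empty component is printed as <empty> so it is not lost: the
# dynamic loader searches it as the current working directory.
runpath_entries() {
    sed -n 's/.*(R\(UN\)\{0,1\}PATH)[^[]*\[\(.*\)]$/\2/p' \
        | awk -F: '{ for (i = 1; i <= NF; i++) print ($i == "" ? "<empty>" : $i) }'
}

# True for /lib, /usr/lib and their multiarch subdirectories.
is_system_dir() {
    printf '%s\n' "$1" | grep -Eq '^(/usr)?/lib(/[a-z0-9_]+-linux-gnu[a-z0-9]*)?$'
}

# Print the class of one search entry.
classify_entry() {
    case "$1" in
        '<empty>'|[!/]*) printf 'relative\n'; return 0 ;;
    esac
    if is_system_dir "$1"; then
        printf 'system\n'
    elif printf '%s\n' "$1" | grep -Eq '^(/usr)?/lib/'; then
        printf 'private\n'
    else
        printf 'foreign\n'
    fi
}

# Print "<class> <entry>" for every search entry in `readelf -d` output (stdin).
audit_runpath() {
    runpath_entries | while IFS= read -r entry; do
        printf '%s %s\n' "$(classify_entry "$entry")" "$entry"
    done
}

# Print the entries (stdin, one per line) that exist on this host and are
# writable by others: anyone who can drop a file there controls what gets
# loaded. No output means none were found.
writable_entries() {
    while IFS= read -r entry; do
        if [ -d "$entry" ]; then
            find "$entry" -prune -perm -0002 -print
        fi
    done
}

# Real-world entry point (needs binutils): audit_file /path/to/libfoo.so
audit_file() {
    readelf -d "$1" | audit_runpath
    readelf -d "$1" | runpath_entries | writable_entries
}

# Usage: sh runpath-audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_READELF" | audit_runpath
fi
```

For the real library, `audit_file /usr/lib/x86_64-linux-gnu/libmsgraph-0.so.0` classifies the reported entry as private, which is consistent with the description's plan to override the tag rather than treat it as a security finding; any relative or foreign entry, or any writable directory, would instead be a blocker.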
[Bug 2060035] Re: [MIR] msgraph
** Changed in: msgraph (Ubuntu)
Assignee: (unassigned) => Lukas Märdian (slyon)