Not volunteering to own this for now - set Won't Fix to be out of re-
triage
** Changed in: vde2 (Ubuntu)
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Part of the requirements for main inclusion is a bug subscriber who will
maintain the package in Ubuntu outside of security updates. Will the
server team sign up for maintenance? Please resubscribe back to ubuntu-
security if so.
** Changed in: vde2 (Ubuntu)
Assignee: Ubuntu Security Team
** Changed in: vde2 (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => Ubuntu Security Team
(ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Title:
[MIR] vde2
To manage
It's very hard, and it should be.
I'm not on the security team, but I suspect they'd be more inspired to
"just take another look" if someone went through Seth's feedback in
comment #18 and for each item (plus each bug that he lists) say whether
you believe it is fixed. For instance he lists bug
Is it really this hard to get 885 lines of code promoted into main?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Title:
[MIR] vde2
To manage notifications about this bug go to:
Any progress on this?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Title:
[MIR] vde2
To manage notifications about this bug go to:
Seth, do you want to comment? Looks like maybe we can avoid the worst
of your findings if we merely promote the library itself and leave the
other binaries in universe. That would at least unblock KVM from
supporting it.
I don't know if you happen to remember which of your comments applied to
@mterry, thank you for your kind reply. Because I read the code, I could
say that many of Seth's objections do not apply anymore. The
libvdeplug2's code base is also pretty small: 885 lines of code with
comments, empty lines and the relative header. I would be glad to take
care of any issues
@mg, yes that is an option. Having just libvdeplug would be enough to
enable kvm's integration for vde without having to promote the rest of
vde. But there's little evidence that the security issues Seth found
are not present in libvdeplug...
--
You received this bug notification because you
Would it impratical/impossibile to include only libvdeplug in main and
leave all the other vde's packages in universe?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Title:
[MIR] vde2
To
Thanks for the review Seth. Marking Won't Fix for now. If someone
wants to take up the development work needed, then please assign to
yourself and mark as In Progress.
** Changed in: vde2 (Ubuntu)
Status: Incomplete = Won't Fix
** Changed in: vde2 (Ubuntu)
Assignee: MIR approval team
- No CVE history
- No init scripts, cron jobs, dbus services, fscaps, setuid, sudo
- Limited use of setuid(2), more extensive use of chown(2) indicates much
expects to run as root
- No binaries use PIE or BINDNOW
- No testsuite
- Daemons started with if-up-down.d scripts; some daemons can be
** Changed in: vde2 (Ubuntu)
Assignee: Jamie Strandboge (jdstrand) = Seth Arnold (seth-arnold)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Title:
[MIR] vde2
To manage notifications
Bump - is this one feasible for raring? It would be one less bit of
delta from debian's qemu.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Title:
[MIR] vde2
To manage notifications about
Hi Jamie,
this is desired by the server team :)
** Changed in: vde2 (Ubuntu)
Assignee: Ubuntu Server Team (ubuntu-server) = Jamie Strandboge (jdstrand)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is a bug assignee.
Hi Jamie,
this is desired by the server team :)
** Changed in: vde2 (Ubuntu)
Assignee: Ubuntu Server Team (ubuntu-server) = Jamie Strandboge (jdstrand)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
@Jamie: In my opinion the answer is users want it, so server team wants
it. I realize that even if there were time, MIR team is overloaded at
the moment. So I'd like to talk to you about this again at UDS.
--
You received this bug notification because you are a member of Ubuntu
Server Team,
@Jamie: In my opinion the answer is users want it, so server team wants
it. I realize that even if there were time, MIR team is overloaded at
the moment. So I'd like to talk to you about this again at UDS.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Dustin Kirkland (kirkland) - Server team member - wrote in the related
bug 253230:
Actually, I had to revert this change. libvdeplug2-dev (vde2) is in
Universe. We'll need to get an MIR filed/approved before we can have kvm
build-dep on it.
Now that we have the MIR maybe Dustin can approve
I'm in the kvm session (UDS P) right now, and it is unclear if the
server team actually wants this. If someone from the server team can
confirm that this is in fact desired by the team, I'd be happy to review
it. Reassigning to server team for now.
** Changed in: vde2 (Ubuntu)
Assignee:
Dustin Kirkland (kirkland) - Server team member - wrote in the related
bug 253230:
Actually, I had to revert this change. libvdeplug2-dev (vde2) is in
Universe. We'll need to get an MIR filed/approved before we can have kvm
build-dep on it.
Now that we have the MIR maybe Dustin can approve
I think the best way forward for this is to file a bug against kvm in
Ubuntu and suggest adding vde2 as a dependency/recommends. If this
happens and vde2 is well-integrated into kvm, you should re-open this
bug.
--
You received this bug notification because you are a member of Ubuntu
Bugs,
@Michael Terry I reported this against vde2 over a year ago. Then I was
told I needed to file a MIR.
The bug report you are suggesting already exists: bug 253230. Here's a
line from that report, It's been open for years and lead to nothing.
1) There is clearly demand for vde2 support in KVM.
Joseph, ah! Thanks for the bug link. That provides some of the missing
rationale and history behind this MIR.
I understand your frustration, but part of the reason for this
particular delay is that the people reviewing MIRs are busy and not
domain experts in everything. Because the original
@Michael Terry I guess I should have linked to the original bug in the
first place. I don't mean to be a pain but some times you have to whine
a little to get things rolling.
Hopefully security won't be an issue. The Debian guys are pretty good
about this stuff and it passed there approval.
@mterry,
I assume that there is nothing for now for the server team to do then,
right? (AIUI we can't put the vde lib in build-depends for kvm without
those libs being in main).
Just making sure - thanks!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Joseph and Serge, not much to do yet, unless you're on the security
team. After 11.10 is out and there's a development lull, occasionally
poking security people on IRC (judiciously!) might speed things up.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Is there any news regarding this issue? What do we need to know/whom to
ask in order to make it fixed?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Title:
[MIR] vde2
To manage
I'm still waiting for this as well. No one seems to want to do it.
Should be easy since it's already been a Debian package for several
years. Just needs to be included in main and added as a build dep of
kvm. No other configuration required as far as I know.
Regarding kees concern about
[Expired for vde2 (Ubuntu) because there has been no activity for 60
days.]
** Changed in: vde2 (Ubuntu)
Status: Incomplete = Expired
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Without sign-in from the Ubuntu KVM maintainers, I'd rather not commit
to having this in main. It is a rather large bit of code, includes
daemons, etc. I think making sure this is integrated sanely is the first
step. Main promotion can happen later.
** Changed in: vde2 (Ubuntu)
Assignee:
** Changed in: vde2 (Ubuntu)
Assignee: (unassigned) = Kees Cook (kees)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Title:
[MIR] vde2
To manage notifications about this bug go to:
Is native VDE support part of a blueprint or just a nice-to-have? I'm
trying to get a sense of rationale/importance.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776818
Title:
[MIR] vde2
To
vde2 makes it possible to create a virtual network for your VMs. This
is an important tool for cloud computing. If Ubuntu wants to compete as
a cloud computing solution this is a critical piece to the puzzle.
It shouldn't be much work to move vde2 into main. The package is well
supported and
34 matches
Mail list logo