full review as Seth mentioned
** Attachment added: "BUG.md"
   https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2031304/+attachment/5904979/+files/BUG.md

--
You received this bug notification because you are a member of Debcrafters packages, which is subscribed to dracut in Ubuntu.
https://bugs.launchpad.net/bugs/2031304

Title:
  [MIR] dracut

Status in dracut package in Ubuntu:
  In Progress

Bug description:
  [Availability]
  The package dracut is already in Ubuntu universe.
  The package dracut builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/dracut

  [Rationale]
  The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185). The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules.

  To my knowledge there are only initramfs-tools (main) and dracut (universe) in the archive that cover the use case. initramfs-tools is Debian-specific and dracut tries to be a distro-agnostic solution.

  dracut-core is already used by Ubuntu Core: https://github.com/snapcore/core-initrd/

  The package dracut is required in Ubuntu main before the feature freeze next Thursday to land the change in bug #2031185.

  [Security]
  - Had 5 security issues in the past
    - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
    - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
    - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
    - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
  - no `suid` or `sgid` binaries
  - Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
    - /lib/systemd/system/dracut-cmdline.service
    - /lib/systemd/system/dracut-initqueue.service
    - /lib/systemd/system/dracut-mount.service
    - /lib/systemd/system/dracut-pre-mount.service
    - /lib/systemd/system/dracut-pre-pivot.service
    - /lib/systemd/system/dracut-pre-trigger.service
    - /lib/systemd/system/dracut-pre-udev.service
    - /lib/systemd/system/dracut-shutdown-onfailure.service
    - /lib/systemd/system/dracut-shutdown.service
  - Package does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints
  - Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
    - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the Linux kernel is only readable by root (see bug #759725)
  - The package runs an autopkgtest, and is currently passing on amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/d/dracut/20230816_015908_d6cb2@/log.gz
  - I am working on fixing the new autopkgtests on the other architectures (see bug #2031417).

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will be installed by default, but does not ask debconf questions higher than medium
  - Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

  [Standards compliance]
  - This package violates FHS or Debian Policy:
    - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distributions (e.g. Fedora) do

  [Maintenance/Owner]
  - Owning Team will be Foundations team
  - Foundations Team is not yet, but will subscribe to the package before promotion
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based (but that might change in the future)
  - The package has been built in the archive more recently than the last test rebuild

  [Background information]
  The Package description explains the package well
  Upstream Name is dracut
  Link to upstream project: https://github.com/dracutdevs/dracut/wiki/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2031304/+subscriptions

