[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
Override component to main
nfs-ganesha 3.0.3-0ubuntu2 in focal: universe/misc -> main
nfs-ganesha 3.0.3-0ubuntu2 in focal amd64: universe/net/optional/100% -> main
nfs-ganesha 3.0.3-0ubuntu2 in focal arm64: universe/net/optional/100% -> main
nfs-ganesha 3.0.3-0ubuntu2 in focal armhf: universe/net/optional/100% -> main
nfs-ganesha 3.0.3-0ubuntu2 in focal ppc64el: universe/net/optional/100% -> main
nfs-ganesha 3.0.3-0ubuntu2 in focal s390x: universe/net/optional/100% -> main
nfs-ganesha-ceph 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-ceph 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-ceph 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-ceph 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-ceph 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal amd64: universe/doc/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal arm64: universe/doc/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal armhf: universe/doc/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal i386: universe/doc/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal ppc64el: universe/doc/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal s390x: universe/doc/optional/100% -> main
nfs-ganesha-gluster 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-gluster 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-gluster 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-gluster 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-gluster 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-gpfs 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-gpfs 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-gpfs 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-gpfs 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-gpfs 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-mem 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-mem 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-mem 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-mem 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-mem 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-mount-9p 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-mount-9p 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-mount-9p 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-mount-9p 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-mount-9p 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-nullfs 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-nullfs 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-nullfs 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-nullfs 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-nullfs 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-proxy 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-proxy 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-proxy 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-proxy 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-proxy 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-vfs 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-vfs 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-vfs 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-vfs 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-vfs 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-xfs 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-xfs 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-xfs 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-xfs 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-xfs 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
python3-nfs-ganesha 3.0.3-0ubuntu2 in focal amd64: universe/python/optional/100% -> main
python3-nfs-ganesha 3.0.3-0ubuntu2 in focal arm64:
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
This seems ready for promotion, MIR and security ack present.

** Changed in: nfs-ganesha (Ubuntu)
       Status: New => In Progress

** Changed in: nfs-ganesha (Ubuntu)
       Status: In Progress => Fix Committed

** Changed in: ntirpc (Ubuntu)
       Status: New => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1843403

Title:
  [MIR] nfs-ganesha, ntirpc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nfs-ganesha/+bug/1843403/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
I reviewed ntirpc 3.0-0ubuntu2 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

ntirpc is a fork of the existing libtirpc library providing RPC services for nfs-ganesha and others.

- CVE History:
  - Only 1 past CVE against ntirpc
    - CVE-2017-8779 - was fixed reasonably quickly
  - This shares a lot of code with libtirpc which has had 5 CVEs (including CVE-2017-8779) so I checked these against ntirpc:
    - CVE-2013-1950 - ntirpc *might* be vulnerable to this - this needs more thorough code review
    - CVE-2018-14621 - ntirpc is not vulnerable
    - CVE-2018-14622 - ntirpc is not vulnerable
    - CVE-2016-4429 - ntirpc appears to also be vulnerable to this - I have marked this as such in our CVE tracker
  - I have updated our CVE tracker so that all CVEs triaged against libtirpc will also get triaged against ntirpc due to the amount of similar code between the two so that future CVEs don't get missed
- No significant Build-Depends
  - cmake, libkrb5-dev, libjemalloc-dev, liburcu-dev
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- No autopkgtests
  - Very simple tests run during build (tests/rpcping)
    - This exercises the high-level interfaces of the library
- No cron jobs
- Build logs are clean
- No Processes spawned
- Memory management appears to be careful and deliberate
- Minimal file IO using hard-coded file paths to root-owned files
- Logging is careful
- The only environment variable used is NETPATH and this appears to be done carefully
- No use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files
- Network handling appears to be pretty good
  - Takes care to track buffer sizes and carefully decodes remote data
- No use of WebKit
- No Use of PolicyKit
- Significant static analysis results
  - cppcheck identifies a possible NULL pointer dereference in the City hash code:
    - src/city.c:412:30: note: Calling function 'CityHash128WithSeed', 1st argument 'NULL' value is 0
    - src/city.c:339:46: note: Calling function 'Fetch64', 1st argument 's' value is 0
    - src/city.c:91:9: note: Calling function 'UNALIGNED_LOAD64', 1st argument 'p' value is 0
    - src/city.c:43:18: note: Null pointer dereference
    - (ie due to the call to CityHash128WithSeed(NULL,...) this could result in an eventual call to memcpy with that NULL as the src argument)
  - coverity identifies a number of issues around handling of locks - some of these appear to be false positives but others could potentially be real issues - see attached for the full list of defects.

In general, ntirpc appears to be well maintained and does not appear to have any obvious security issues. Other than the fact that this duplicates a lot of code from libtirpc, no objection from the Security Team for promoting this to main - we have updated our CVE tracker so that any future CVEs against libtirpc will get automatically assigned to ntirpc as well so that we do not miss any other possible future CVEs for this.

Security team ACK for promoting ntirpc to main - I suggest however that the list of Coverity defects be examined in more detail since some indicate the chance of dead-lock which would not be a good outcome for users of ntirpc.

** Changed in: nfs-ganesha (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1950

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4429

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8779

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14621

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14622
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
** Attachment added: "ntirpc coverity defect results"
   https://bugs.launchpad.net/ubuntu/+source/ntirpc/+bug/1843403/+attachment/5329131/+files/coverity.txt

** Changed in: ntirpc (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
I reviewed nfs-ganesha 3.0.3-0ubuntu1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

nfs-ganesha is a user-mode file server for NFS v3, 4.0, 4.1, 4.1 pNFS, and 4.2; and for 9P from the Plan9 operating system. It provides a FUSE-compatible File System Abstraction Layer (FSAL) to allow the file-system developers to plug in their own storage mechanism and access it from any NFS client.

- No CVE History found.
- It has Build-Depends for some libraries. Most relevant one is kerberos that provides integrity (krb5i) or integrity and encryption (krb5p).
- There aren't pre/post inst/rm scripts.
- It has three systemd units:
  - nfs-ganesha-config.service: For configuration
  - nfs-ganesha.service: The main service
  - nfs-ganesha-lock.service: File locking (the main service needs it)
- It has a dbus service called org.ganesha.nfsd and the following interfaces:
  - org.freedesktop.DBus.Introspectable: returns an xml data string that describes all of the other interfaces and their methods for the particular object path. Every object path in NFS Ganesha's server provides this interface.
  - org.freedesktop.DBus.Properties: This interface is for setting and retrieving key/value pairs of properties. NFS Ganesha currently does not supply this interface yet.
  - org.ganesha.nfsd.admin: Used to administer the server itself.
  - org.ganesha.nfsd.CBSIM: Only for development. It's a callback simulator.
- No setuid binaries found.
- Relevant binaries:
  - usr/bin/ganesha.nfsd
  - usr/lib/x86_64-linux-gnu/libganesha_nfsd.so.3.0
- No sudo fragments found.
- No udev rules found.
- It has ad-hoc tests (src/test) and Google G-Test framework tests (src/gtest).
  - The tests seem basic. There are more realistic tests using network that can be done by using extra tools.
- No cron job found.
- Build logs:
  - There are some warnings during the build. Nothing relevant found.
  - Lintian failed because of "shlib-in-multi-arch-foreign-package" which means: "The package is marked as Multi-Arch: foreign, but it includes a shared library in a public library directory."
- Memory management seems ok.
- File IO is intensive depending on the usage. Nothing to worry about was found by looking at the code and coverity results.
- Logging seems safe.
- Use of privileged functions not found.
- There is a use of cryptography when used with kerberos.
- Temporary file handling uses mkstemp but it seems safe.
- Use of networking seems fine. Addresses and inputs are sanitized before the use.
- No use of WebKit or PolicyKit found.
- All errors found in cppcheck are "Uninitialized variable" ones. Nothing to worry about.
- Coverity found use-after-free, out-of-bound accesses and other issues. The issues were analysed and they were not considered showstoppers to get the project in main.

Security team ACK for promoting nfs-ganesha to main. Still pending ntirpc analysis.
Re: [Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
On Mon, Dec 16, 2019 at 12:26 PM James Page wrote:

> ntirpc 3.0-0ubuntu2 includes:
>
> Drop of LTTNG related symbols
> Enable rpcping based tests during package build
>

Perfect, thank you for these and the bug subscriptions!

Next: Waiting on security
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
ntirpc 3.0-0ubuntu2 includes:

Drop of LTTNG related symbols
Enable rpcping based tests during package build
Re: [Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
On Mon, Dec 16, 2019 at 10:01 AM Christian Ehrhardt <1843...@bugs.launchpad.net> wrote:

> @Openstack Team:
> - it seems you need to maintain these on your own
> - have you contributed the 3.x versions to Debian?
>

I'm in contact with the Debian maintainer and will be submitting patches back for the version upgrade. He's short on time right now so may take a while.

> - nfs-ganesha is the only rev-dep so it might really be on you alone
>

Ack.

> - if no one there steps up are you ok to self-maintain those as needed?
>

Yep

> - you are not yet subscribed to the package this is a requirement before
> promoting it
>

Done

> - there seem to be very little self-tests but maybe those could be enabled
> on build (rpcping / citytest)?
>

Agreed - will take a look

> - Probably an artifact of the new version, but symbols need to be updated
> - also shlibs fails should be made fatal IMHO
>

I left those in by mistake whilst trying to enable the LTTNG support in this package - will tidy.
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
Bug subscriptions added
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
[Summary]
- After some longer checks it seems fine from a MIR/Packaging POV, but will need a security review as well.
  => MIR Team ack
- Assigning security

There are a few todos left open though, nothing that would block the security review:

@Openstack Team:
- it seems you need to maintain these on your own
  - have you contributed the 3.x versions to Debian?
  - nfs-ganesha is the only rev-dep so it might really be on you alone
  - if no one there steps up are you ok to self-maintain those as needed?
- you are not yet subscribed to the package this is a requirement before promoting it
- there seem to be very little self-tests but maybe those could be enabled on build (rpcping / citytest)?
- Probably an artifact of the new version, but symbols need to be updated
  - also shlibs fails should be made fatal IMHO

[Duplication]
With no other dependency than nfs-ganesha* it seems that this isn't a full lib widely used yet. It seemed more like a sibling or broken out of ganesha itself, but then I found it has a changelog back to 2004 so it seems separate.

A bit of research later I realized this is in fact very old.
Orig: libtirpc => https://sourceforge.net/projects/libtirpc/
Fork: libntirpc => https://github.com/linuxbox2/ntirpc
Ganesha-special: libntirpc => https://github.com/nfs-ganesha/ntirpc
The main committer of the latter two seems to be the same person. => https://github.com/dang
So the middle one might be dead?

The problem here is that the "classic" tirpc is in main since forever (at least precise, maybe even further). It doesn't have many releases being at v2.5 for years now. But in terms of code-duplicity for things in main that is a problem.

The old lib still has plenty of dependencies so we can't just switch one for the other.

$ reverse-depends -r focal src:libtirpc
Reverse-Depends
===
* autofs (for libtirpc3)
* glusterfs-common (for libtirpc3)
* glusterfs-server (for libtirpc3)
* libassa-3.5-5-dev (for libtirpc-dev)
* libgfapi0 (for libtirpc3)
* libgfchangelog0 (for libtirpc3)
* libgfrpc0 (for libtirpc3)
* libgfxdr0 (for libtirpc3)
* libnis1 (for libtirpc3)
* nfs-common (for libtirpc3)
* nfs-kernel-server (for libtirpc3)
* quota (for libtirpc3)
* rpcbind (for libtirpc3)
* yp-tools (for libtirpc3)

Usually in such cases security isn't keen on maintaining both nor is Ubuntu in general. I mean it even seems that nfs* packages use the classic tirpc lib.

I haven't tracked all the history and difference that has accrued between those projects. But it seems that the differences might make maintaining both valid. Without having everyone consider moving all the other projects to the new lib or to find out why that isn't a good move either.

Changes introduced in the ntirpc library include:
* Bi-directional operation.
* Full-duplex operation on the TCP (vc) transport.
* Thread-safe operating modes:
  * new locking primitives and lock callouts (interface change).
  * stateless send/recv on the TCP transport (interface change).
* Flexible server integration support.
* Event channels.

This was also discussed in [1] and already back then it was "libntirpc has diverged significantly from libtirpc; the changes are incompatible with upstream libtirpc."

Therefore while it is sort of duplicating the functionality, we will need both libs in main to get nfs-ganesha which is the driver of this.

[1]: https://pagure.io/packaging-committee/issue/363

[Embedded sources and static linking]
- no embedded source present
- no static linking

[Security]
Seems fine:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

Security sensitive:
- does parse data formats
- does open a port (indirectly, but this libs code is used to plug RPC calls)
- history of CVEs
  Yes NTIRPC only has had one. But I'd think that any finding on TIRPC potentially affects, but isn't tracked against NTIRPC, as well.

This clearly needs a security review ...

[Common blockers]
- does not FTBFS currently
- no translation present, but none needed for this case (user visible)?
- no python considerations needed

There are a few tests, but they are not enabled yet. You said in comment #6 that tests are functional or performance - but at least rpcping could maybe be enabled? It is already built in the buildlog.

openstack isn't yet subscribed to the package

[Packaging red flags]
- Ubuntu delta to be ahead?
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
James already outlined in comment #6 why the tests won't work well at build time or even in autopkgtests. That is sad, but ok. If you think you can make a subset work please feel encouraged to do so.
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
** Changed in: ntirpc (Ubuntu)
     Assignee: (unassigned) => Christian Ehrhardt (paelzer)
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
P.S. for nfs-ganesha:
There is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862979
If that is enabled will that bring further problem/dependencies/benefits? This could be from "oh yes we should enable" to "holy crap we have to prevent this is enabled". Hence I'm asking you who want to bring it into main and have the use cases in mind.
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
[Summary]
MIR team ack from a packaging POV
But there are a bunch of TODOs for the Openstack Team that could improve the package before being promoted while it is in the security review queue.

@Security
- this needs a review for sure, assigning you

@Openstack
- you are not yet subscribed to the packages, that has to be done before promotion
- as you reported tests are not run at build or autopkgtest time
  - there is src/test and gtest maybe any of them can be made to work
  - could you spend a bit of time trying to enable those and only leave them disabled if it is really hard?
  - if above doesn't work since you do that for openstack, could you add it to the regular openstack tests that you do? That would be outside of the package but at least be some regular re-check.
- could you please check if https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889654 is fixed on the new version?
- since upstream looks rather bad [1] - have you experimentally verified that the usage for ceph not only works but also survives e.g. some stress testing? Everyone would hate to realize late that this is worse than one thought.
  E.g. these are ceph (but fortunately on too old versions):
  https://github.com/nfs-ganesha/nfs-ganesha/issues/433
  https://github.com/nfs-ganesha/nfs-ganesha/issues/388
  Maybe go through the bugs in this report and verify if any of them is a problem for the intended setup that will be in main
- Even if you only seed the ceph package the source will get into main
  And auto-includes will add -doc , -dbg and -dev packages
  This has a -doc and I'd recommend to add an extra-exclude for the -doc package to not pull that and dependencies then. You can add that right now already.

[1]: https://github.com/nfs-ganesha/nfs-ganesha/issues?utf8=%E2%9C%93=is%3Aissue+is%3Aopen+crash

[Duplication]
Well, we have NFS kernel server but the intended use case here is to couple this with different backends - primarily ceph at the moment. I see no duplication in the archive that would do that.

[Embedded sources and static linking]
- no embedded source present
- no static linking

[Security]
- no history of CVEs
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

But it has quite some security sensitive elements:
- does not run a daemon as root
- does not parse data formats
- does not open a port
- access to all data passed in between

[Common blockers]
- does not FTBFS currently
- no translation present, but none needed for this case (not really user visible)
- no python2
- It has deficiencies at self-tests on build/autopkgtest time.
- atm lacks a bug subscriber

[Packaging red flags]
- Ubuntu does carry a delta, but that is to get issues fixed
  Thanks for v3.0 and the fixups
  Have you tried to bring that to Debian to reduce the maintenance effort long time?
- symbols tracking not applicable for this code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is ok, but somewhat slow
  Thanks for jumping in and bringing it to 3.0
- the current release is packaged
- no MOTU problem
- no massive Lintian warnings
- d/rules is rather clean except a long list of extra example files
- not using Built-Using
- no golang package for extra considerations about that

[Upstream red flags]
- no Errors during the build
  It has some gcc warnings and sadly doesn't use -Werror, but sort of ok I guess
- no incautious use of malloc/sprintf (not that I've seen, but with that size I rely on the scan tools security uses)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- use of user nobody, but it is for NFS purpose which is exactly what it should be for
- no use of setuid
- not many important open bugs (crashers, etc) in Debian or Ubuntu
  - one might need to check this crash bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889654
  - also upstream isn't as clean as one would want it, see [1]
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

** Bug watch added: Debian Bug tracker #889654
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889654

** Bug watch added: github.com/nfs-ganesha/nfs-ganesha/issues #433
   https://github.com/nfs-ganesha/nfs-ganesha/issues/433

** Bug watch added: github.com/nfs-ganesha/nfs-ganesha/issues #388
   https://github.com/nfs-ganesha/nfs-ganesha/issues/388

** Changed in: nfs-ganesha (Ubuntu)
     Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)

** Bug watch added: Debian Bug tracker #862979
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862979
[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc
** Changed in: nfs-ganesha (Ubuntu)
     Assignee: (unassigned) => Christian Ehrhardt (paelzer)