[Bug 1877696] Re: [MIR] openscap

2021-06-03 Thread Alexander Scheel
The MIR text in comment #0 has been updated.

** Description changed:

- Hello, the Ubuntu Security Team would like the libopenscap8 binary
- package from openscap promoted to main. libopenscap8 is incorporated
- into the CVEscan snap: https://github.com/canonical/sec-
- cvescan/blob/master/snapcraft.yaml
+ Hello, the Ubuntu Security Team would like to propose the libopenscap8 binary
+ package from openscap be promoted to main.
  
- One wrinkle is that we'd like libopenscap8 from an existing release
- moved into main, so that it can be used by the snapcraft build process.
- I don't know the snap ecosystem well enough to know if CVEscan can be
- ported to the core20 world or if it must remain in core18 world. So we
- may like openscap from 18.04 LTS or openscap from 20.04 LTS
- retroactively promoted to main.
+ libopenscap8 is useful in main for two reasons:
+ 
+  - The Security team publishes OVAL CVE data, which libopenscap8 is the only
+package in Ubuntu capable of evaluating this content. This allows users to
+check whether their system has all available security updates.
+  - The Certifications team publishes XCCDF+OVAL content for evaluating various
+benchmarks (such as CIS and STIG), which again libopenscap8 is the only 
such
+package satisfying this usecase in Ubuntu.
+ 
+ We'd like to first rebase to OpenSCAP 1.3.x, as this release will see upstream
+ support longer into the future than the existing OpenSCAP 1.2.x release will.
+ As OpenSCAP is a Red Hat upstream community, and OpenSCAP 1.2.x is shipped in
+ RHEL 7 which is nearing EoL, they have stopped doing feature development work
+ on OpenSCAP 1.2.x and focused on OpenSCAP 1.3.x. No later version exists at
+ this time. This release is currently present in Debian Testing.
  
  [Availability]
  openscap is in universe.
  
  [Rationale]
- The Ubuntu Security Team would like the libopenscap8 binary package from 
openscap promoted to main. libopenscap8 is incorporated into the CVEscan snap: 
https://github.com/canonical/sec-cvescan/blob/master/snapcraft.yaml
+ The Ubuntu Security & Compliance Team would like the libopenscap8 binary 
package
+ from openscap promoted to main. libopenscap8 is referenced in our product
+ documentation and several supported scenarios. Since some customers may not 
have
+ ESM Apps (and thus LTS universe package support), shipping openscap in 
universe
+ limits some customers from consuming Canonical-sponsored content, though they
+ may pay for other content and reasonable expect the entire use-case be
+ supported.
  
  [Security]
- As the intention is to use libopenscap8 in security software, it may make 
sense to require a  security review. However, the package has no executables, 
no setuid or setgid files, does not daemonize or otherwise itself run a 
persistent service, and does not open listening ports.
+ As the intention is to use libopenscap8 in security software, it makes sense 
to
+ require a security review. However, the package is intended to be executed by 
a
+ local adminstrator (on content they trust) after using existing permission
+ escallation procedures. libopenscap8 does not ship a daemon (or otherwise
+ persist between runs), does not open any open ports, and does not add any 
other
+ permission escallation paths (such as suid, sgid, ).
  
- [Quality assurance]
- - No configuration is necessary to use the library, though applications that 
use this library will need to be configured.
+ [Quality Assurance]
+ - No configuration is necessary to use the library, though applications that
+   use the library will provide content meant to be consumed via this library.
  - grep -ri debconf returns no results.
- - The Debian package appears to be in an unfortunate state:
-   - Still provides a python2 package, no python3 package:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=937211
-   - A segfault with upstream fix has been ignored:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932120
- - The upstream fix for the segfault was intermingled with an unrelated new 
feature:
-   - https://github.com/OpenSCAP/openscap/pull/1387/commits
- - Upstream bug tracker has many open issues, some security relevant issues 
open for years.
- - The Ubuntu bug tracker has very few open issues; the most important one is 
the segfault that has been ignored in Debian. The SRU appears stalled:
-   - https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1851682
+ - Upstream bug tracker has many open issues, some security relevant issues 
open
+   for years.
+ - The Ubuntu bug tracker has very few open issues; the most important one is
+   a segfault that has been ignored in Debian. The SRU appears stalled:
+   - https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1851682
+   However, this is addressed in the proposed OpenSCAP 1.3.x rebase.
  - tests are not run (see debian/rules)
  - debian/watch exists
  - lintian messages:
-  E: openscap source: source-is-missing 

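As an added illustration of the use case the description above gives (evaluating the Security team's OVAL CVE content to see whether a system has all available security updates), here is a small Python consumer of the results file that `oscap oval eval --results` writes. It is example code, not code from openscap or from the CVEscan snap; the sample document is constructed, and the definition ids, CVE ids and URLs in it are placeholders.

```python
import xml.etree.ElementTree as ET

# OVAL 5 namespaces used by oscap result files (results + embedded definitions).
NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample in the shape of `oscap oval eval --results` output.
# Definition ids, CVE ids and URLs are placeholders, not real Ubuntu OVAL data.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <definitions>
      <definition class="vulnerability" id="oval:com.example.focal:def:1" version="1">
        <metadata><title>CVE-9999-0001 on Example 20.04 LTS (focal) - medium.</title>
        <reference source="CVE" ref_id="CVE-9999-0001" ref_url="https://example.invalid/1"/></metadata>
      </definition>
      <definition class="vulnerability" id="oval:com.example.focal:def:2" version="1">
        <metadata><title>CVE-9999-0002 on Example 20.04 LTS (focal) - low.</title>
        <reference source="CVE" ref_id="CVE-9999-0002" ref_url="https://example.invalid/2"/></metadata>
      </definition>
      <definition class="vulnerability" id="oval:com.example.focal:def:3" version="1">
        <metadata><title>CVE-9999-0003 on Example 20.04 LTS (focal) - high.</title>
        <reference source="CVE" ref_id="CVE-9999-0003" ref_url="https://example.invalid/3"/></metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.example.focal:def:1" result="true" version="1"/>
        <definition definition_id="oval:com.example.focal:def:2" result="false" version="1"/>
        <definition definition_id="oval:com.example.focal:def:3" result="error" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def parse_oval_results(xml_text):
    """Map each evaluated definition id to (result, title, [CVE ids])."""
    root = ET.fromstring(xml_text)
    meta = {}
    for d in root.findall("def:oval_definitions/def:definitions/def:definition", NS):
        title = d.findtext("def:metadata/def:title", default="", namespaces=NS).strip()
        cves = [r.get("ref_id") for r in d.findall("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = (title, cves)
    out = {}
    for r in root.findall("res:results/res:system/res:definitions/res:definition", NS):
        title, cves = meta.get(r.get("definition_id"), ("", []))
        out[r.get("definition_id")] = (r.get("result"), title, cves)
    return out


def unpatched_cves(results):
    """CVEs whose definition evaluated 'true': the fixed package is not installed."""
    return sorted({c for res, _, cves in results.values() if res == "true" for c in cves})


def unresolved(results):
    """Definitions that were not true/false (error, unknown, not evaluated); report, never treat as patched."""
    return sorted(i for i, (res, _, _) in results.items() if res not in ("true", "false"))
```

The `error` result is the edge case a CVE-scan wrapper has to surface explicitly: a probe failure is not evidence that the fix is installed.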
[Bug 1877696] Re: [MIR] openscap

2020-07-21 Thread Seth Arnold
Evgeny, thanks for the comment. Ideally the Debian maintainer would
bring in the new version, but we can leapfrog them if necessary.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1877696

Title:
  [MIR] openscap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1877696/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1877696] Re: [MIR] openscap

2020-07-20 Thread Evgeny Kolesnikov
Just FYI, the newer 1.3 branch has a lot of fixes related to Debian-based
distributions, including the test suite, dpkg probe and others.
Moreover, this branch is now gated in upstream CI against the latest
Ubuntu.

We (OpenSCAP team) tried to contact Debian's maintainer regarding the
package upgrade, but there was no response so far.


[Bug 1877696] Re: [MIR] openscap

2020-06-03 Thread Christian Ehrhardt 
[Summary]
MIR Team ack to promote libopenscap8 and the source (will auto-promote libopenscap-dev).
There are a few suggestions to improve the package (see below); if (ever) more of the package shall be promoted, those are s/optional/required/ then.
This does need a security review, so I'll assign ubuntu-security.

TODO:
- Please work on converting python-openscap to python3 (not gating the promotion).
- given the low quality (many open issues) this might cause quite some work, so be sure that you want to own this in Ubuntu
- please consider adding symbols tracking
- how about bumping at least groovy to the latest much newer version 1.3.3?
- new -dbg style?
- adopt debhelper >9

There are no massive differences between the releases. So the request to promote in older releases should be ok if the release and SRU team agrees.
I'm sure the archive admins will know if that is allowed.
Bionic: 1.2.15-1ubuntu0.1
Focal: 1.2.16-2ubuntu3
-dev: 1.2.16-2ubuntu5

[Duplication]
There is no other package in main providing the same functionality for SCAP definitions.

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
  The one that is packaged has no odd dependencies, so no exclusion needed

Problems:
- other Dependencies to MIR due to this
  - most dependencies are in main already, except one concerning bit
python-openscap is pure python2
=> That means:
  - you can't promote that binary in >=Focal, do you need it?
You wrote that you need "libopenscap8" so that might be ok for you
  - Nevertheless, to be safer you should consider working on getting
it a python3-openscap and drop python-openscap

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
  There is src:openscap-daemon, but no one depends on it
- does not use webkit1,2
- does not use lib*v8 directly 
- does not open a port
- does not process arbitrary web content
  TBH that depends on the user of the lib
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

Problems:
- does parse data formats

A quick security review on the data parsing bits of the lib would be good, just so it isn't obviously running into classic parsing/buffer issues and such.
Given that it is from a security background one would hope it is fine, but a quick check can't hurt.

[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber (ubuntu-security)
- no translation present, but none needed for this case (user visible)?
- Python package that is using dh_python
- Not a Go package that uses dh-golang

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
- new python2 dependency

This matches your report of an overall low-medium quality.
You will have to own it once promoted and have to be clear to work on all these issues when affecting Ubuntu users.


[Packaging red flags]
OK:
- d/watch is present and looks ok
- Upstream update history is ok, but slow
- Debian/Ubuntu update history is ok
- promoting this does not seem to cause issues for MOTUs that so far (per CL history) maintained the package
- no massive Lintian warnings
- d/rules is sort of ok (many overrides)
- not using Built-Using
- Does not have Built-Using

Problems:
- Ubuntu does carry a delta
  Gladly it isn't too complex.
  I'd recommend getting that to Debian, nothing seems Ubuntu specific.
  But OTOH you already said Debian isn't very active
- symbols tracking is in place
  Would you mind adding that for some quality (at least going forward)?
- the current release is packaged - 1.2.16 vs 1.3.3
  Any reason not to change, could that be tried?
- old style -dbg package
- dh9 is deprecated

[Upstream red flags]
OK:
- no Errors/warnings during the build
  A long list of silly lack of "defined" thrown as warnings
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
  - except the known case that you are aware
  - upstream has some bad reports
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

** Changed in: openscap (Ubuntu)
 Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)


[Bug 1877696] Re: [MIR] openscap

2020-06-02 Thread Christian Ehrhardt 
** Changed in: openscap (Ubuntu)
 Assignee: (unassigned) => Christian Ehrhardt  (paelzer)


[Bug 1877696] Re: [MIR] openscap

2020-05-26 Thread Seth Arnold
** Changed in: openscap (Ubuntu)
   Status: Incomplete => New


[Bug 1877696] Re: [MIR] openscap

2020-05-26 Thread Mark Morlino
The oscap from libopenscap8 in groovy-proposed runs a sample of our
OVAL files without any problems.


[Bug 1877696] Re: [MIR] openscap

2020-05-21 Thread Matthias Klose
so apparently this package was ftbfs, now fixed by rbalint.  Please
could you confirm that the package is in the working state?


** Changed in: openscap (Ubuntu)
   Status: New => Incomplete


[Bug 1877696] Re: [MIR] openscap

2020-05-13 Thread Seth Arnold
** Description changed:

  Hello, the Ubuntu Security Team would like the libopenscap8 binary
  package from openscap promoted to main. libopenscap8 is incorporated
  into the CVEscan snap: https://github.com/canonical/sec-
  cvescan/blob/master/snapcraft.yaml
  
  One wrinkle is that we'd like libopenscap8 from an existing release
  moved into main, so that it can be used by the snapcraft build process.
  I don't know the snap ecosystem well enough to know if CVEscan can be
  ported to the core20 world or if it must remain in core18 world. So we
  may like openscap from 18.04 LTS or openscap from 20.04 LTS
  retroactively promoted to main.
  
  [Availability]
  openscap is in universe.
  
  [Rationale]
  The Ubuntu Security Team would like the libopenscap8 binary package from 
openscap promoted to main. libopenscap8 is incorporated into the CVEscan snap: 
https://github.com/canonical/sec-cvescan/blob/master/snapcraft.yaml
  
  [Security]
  As the intention is to use libopenscap8 in security software, it may make 
sense to require a  security review. However, the package has no executables, 
no setuid or setgid files, does not daemonize or otherwise itself run a 
persistent service, and does not open listening ports.
  
  [Quality assurance]
  - No configuration is necessary to use the library, though applications that 
use this library will need to be configured.
  - grep -ri debconf returns no results.
  - The Debian package appears to be in an unfortunate state:
-   - Still provides a python2 package, no python3 package:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=937211
-   - A segfault with upstream fix has been ignored:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932120
+   - Still provides a python2 package, no python3 package:
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=937211
+   - A segfault with upstream fix has been ignored:
+ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932120
  - The upstream fix for the segfault was intermingled with an unrelated new 
feature:
-   - https://github.com/OpenSCAP/openscap/pull/1387/commits
+   - https://github.com/OpenSCAP/openscap/pull/1387/commits
  - Upstream bug tracker has many open issues, some security relevant issues 
open for years.
  - The Ubuntu bug tracker has very few open issues; the most important one is 
the segfault that has been ignored in Debian. The SRU appears stalled:
-   - https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1851682
+   - https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1851682
  - tests are not run (see debian/rules)
  - debian/watch exists
  - lintian messages:
-  E: openscap source: source-is-missing xsl/xccdf-resources/bootstrap.min.js
-  E: openscap source: source-is-missing xsl/xccdf-resources/openscap.js line 
length is 263 characters (>256)
-  W: openscap source: python-foo-but-no-python3-foo python-openscap
- 
+  E: openscap source: source-is-missing xsl/xccdf-resources/bootstrap.min.js
+  E: openscap source: source-is-missing xsl/xccdf-resources/openscap.js line 
length is 263 characters (>256)
+  W: openscap source: python-foo-but-no-python3-foo python-openscap
  
  [Dependencies]
  All dependencies of the libopenscap8 library are in main. The source package 
is less happy:
  Build-Depends:
  - dh-python
  - python-defaults
  - swig
  
  [Standards compliance]
  - I didn't spot FHS problems in the libopenscap8 binary package.
  - Unknown Debian policy compliance.
  - Quilt package
  
  [Maintenance]
- Security team will subscribe to bugs.
+ Security team is subscribed to bugs.
  
  [Background information]
  SCAP is an assertions language that is popular in the security communities 
for standardizing data streams. It can be used both for encoding information 
about vulnerable packages (as our OVAL data currently describes) as well as 
providing rules to measure compliance with published security standards.
  
  Thanks


[Bug 1877696] Re: [MIR] openscap

2020-05-12 Thread Jamie Strandboge
FYI, snapcraft can build from universe just fine. I suspect what you are
seeking is official support so openscap can get security support,
therefore USNs, therefore cvescan can get snap USN notifications. In
terms of an existing stable release, IIRC it is not possible to adjust
the override for something in the release pocket, but that is ok: if
this is approved then with the first upload to -security we can adjust
the override for that source and binary (we could do the same for an SRU
to -updates). In terms of the snap USN service, it doesn't care where
the package resides; it just cares that there is a USN.

As for which release, cvescan could certainly be ported to 'base:
core20', but as of today, core20 is not released yet (there are snaps,
but UC20 (and therefore the core20 snap) hasn't been declared officially
released yet), so it probably makes sense to hold off on porting. That
said, since it doesn't seem like there are any open CVEs yet, I
suggest proceeding with this MIR with groovy and focal in mind and
porting later. If you still need core18, I then suggest also going back
to bionic.
