[Bug 1973033] Re: [MIR] wpebackend-fdo
** Tags added: sec-1034

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1973033

Title:
  [MIR] wpebackend-fdo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wpebackend-fdo/+bug/1973033/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1973033] Re: [MIR] wpebackend-fdo
MIR team ACK under the constraint to have some answer on the weak testing
story, aligning it with the wpe library seems to be the best course of
action I think

This does need a security review, so I'll assign ubuntu-security.

Notes:

Recommended TODOs:
To paraphrase Christian:
- You already know the testing is weak, the higher level test in
  webkit2gtk seems fine for autopkgtest, but is there something we could
  do at the lower level in the backend itself for build time checks?

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - checked with check-mir
  - not listed in seeded-in-ubuntu
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries

OK:
- not a go package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use lib*v8 directly
- does not open a port/socket
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
Dependent of webkit, parses web content. Requesting thus a security review.

[Common blockers]
OK:
- does not FTBFS currently
- no new python2 dependency

Problems:
- Testing story is weak both during build and autopkgtests tests, look at
  the summary and recommended TODOs.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- not part of the UI for extra checks
- no translation present, but none needed for this case

Problems:
Parts of webkit-gtk, see above for security review

** Changed in: wpebackend-fdo (Ubuntu)
     Assignee: Didier Roche (didrocks) => Ubuntu Security Team (ubuntu-security)
[Bug 1973033] Re: [MIR] wpebackend-fdo
** Changed in: wpebackend-fdo (Ubuntu)
     Assignee: (unassigned) => Didier Roche (didrocks)
[Bug 1973033] Re: [MIR] wpebackend-fdo
** Description changed:

  [Availability]
  The package wpebackend-fdo is already in Ubuntu universe.
  The package wpebackend-fdo builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
  Link to package https://launchpad.net/ubuntu/+source/wpebackend-fdo
  
  [Rationale]
- - The package wpebackend-fdo is required in Ubuntu main as a dependency of webkit2gtk. The dependency is optional but the default upstream and in other distributions and the only one upstream is really testing (turned out some of the issues we had previous cycle are because we aren't using the default backend, which also made a lower priority for upstream to work on fixes). Upstream is also planning to deprecate the nonwpe codepath.
+ - The package wpebackend-fdo is required in Ubuntu main as a dependency of webkit2gtk. The dependency is optional but the default upstream and in other distributions and the only one upstream is really testing (turned out some of the issues we had previous cycle are because we aren't using the default backend, which also made a lower priority for upstream to work on fixes). Upstream is also planning to deprecate the nonwpe codepath. We might also need to build with that backend on older series at some point due to the previous statement.
  - The package wpebackend-fdo is required in Ubuntu main no later than aug 25 due to feature freeze
  
  [Security]
  - No CVEs/security issues in this software in the past
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Packages does not open privileged ports (ports < 1024)
  - Packages does not contain extensions to security-sensitive software
  
  [Quality assurance - function/usage]
  - The package works well right after install
  
  [Quality assurance - maintenance]
  - The package is maintained well in Ubuntu and Debian and has currently no reports
- - Ubuntu https://bugs.launchpad.net/ubuntu/+source/wpebackend-fdo/+bug
- - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=wpebackend-fdo
+ - Ubuntu https://bugs.launchpad.net/ubuntu/+source/wpebackend-fdo/+bug
+ - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=wpebackend-fdo
  - The package does not deal with exotic hardware we cannot support
  
  [Quality assurance - testing]
  - The package does not run a test at build time because upstream doesn't have one. That's something we need to work on.
  BLOCKER ^
- - The package does not run an autopkgtest because upstream has no test and Debian didn't have some either. That's something we need to work on.
- BLOCKER ^
+ - The package does not run an autopkgtest because upstream has no test and Debian didn't have some either. If webkit2gtk is built with it as its default backend then the webkitgtk autopkgtests are going to exercise wpe, is that enough?
+ BLOCKER? ^ We need to work on the testing story, backup plan is to write some manual test plans.
  
  [Quality assurance - packaging]
  - debian/watch is present and works
  - There is only one lintian warning
- # lintian --pedantic
+ # lintian --pedantic
  P: wpebackend-fdo source: package-uses-old-debhelper-compat-version 12
  12 isn't that old but we will work on updating to 13
  - There is one lintian override for having the .so distributed in the library rather than the dev because browsers try to load the .so and it should be available. The change was added in Debian to https://salsa.debian.org/webkit-team/wpebackend-fdo/-/commit/07a67e57
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will be installed by default, but does not ask debconf questions
  - Packaging and build is easy, link to d/rules https://salsa.debian.org/webkit-team/wpebackend-fdo/-/blob/master/debian/rules
  
  [UI standards]
  - Application is not end-user facing (does not need translation)
  
  [Dependencies]
  - There are further dependencies that are not yet in main, MIR for them
- is at https://bugs.launchpad.net/ubuntu/+source/libwpe/+bug/1973031
+ is at https://bugs.launchpad.net/ubuntu/+source/libwpe/+bug/1973031
  
  [Standards compliance]
  - This package correctly follows FHS and Debian Policy
  
  [Maintenance/Owner]
  - Owning Team will be desktop-packages
  - Team is not yet, but will subscribe to the package before promotion
  - This does not use static builds
  - This does not use vendored code
  - The package successfully built during the most recent test rebuild
  
  [Background information]
  The Package description explains the package well
  Upstream Name is wpebackend-fdo
  Link to upstream project https://github.com/Igalia/WPEBackend-fdo
[Bug 1973033] Re: [MIR] wpebackend-fdo
The testing story needs work but we are putting it in the queue already
since that should block review, especially if that needs input from the
security team as a future dependency of webkitgtk

** Changed in: wpebackend-fdo (Ubuntu)
   Importance: Undecided => High