[Bug 1960864] Re: [MIR] plocate

2022-05-03 Thread Brian Murray
** Changed in: ubuntu-release-notes
 Assignee: (unassigned) => Nick Rosbrook (enr0n)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1960864

Title:
  [MIR] plocate

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1960864/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1960864] Re: [MIR] plocate

2022-03-07 Thread Christian Ehrhardt 
For the small but existing incompatibilities I think it would be great
to have an entry in the release notes [1] about this. Added a bug task
to reflect that.

[1]: https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668

[Bug 1960864] Re: [MIR] plocate

2022-03-07 Thread Christian Ehrhardt 
Thank you Steve.

So we do not have to revert back to mlocate and I think we can mark this
as "Fix Released" as the change already happened before we realized a
security review is needed (see comment #4).

** Changed in: plocate (Ubuntu Jammy)
   Status: New => Fix Released

** Also affects: ubuntu-release-notes
   Importance: Undecided
   Status: New

[Bug 1960864] Re: [MIR] plocate

2022-03-07 Thread Steve Beattie
I reviewed plocate 1.1.15-1ubuntu2 as checked into jammy.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

plocate is a locate implementation based on posting lists and io_uring,
intended as a drop-in replacement for mlocate.

- No CVE History.
- Build-Depends on liburing and libzstd
- The pre/post inst/rm scripts add a plocate group, set up
  alternatives to place it as the locate, and set up the systemd timer.
  Things are cleaned up in the pre/post-rm scripts.
- No init scripts.
- One systemd timer and service to run updatedb
- No dbus services
- No setuid binaries, plocate binary is setgid.
- binaries in PATH: plocate, plocate-build, and updatedb.plocate
- No sudo fragments
- No polkit files
- No udev rules
- test
  - no unit or other build-time tests
  - autopkgtests: a basic test plus a more complex test that tests
    visibility across differing users.
- One cron job that exits immediately because systemd timers are available.
- No build warnings or errors, lintian with one minor warning:
  command-with-path-in-maintainer-script

- No processes spawned.
- Memory management is okay, generally uses C++ style
  allocations / deallocations.
- File IO is mostly performed on static names or parsed out of
  /proc/self/mountinfo. The exception is the db argument to plocate;
  however, if alternate db files are passed, a child process that drops
  privilege is forked to search the passed db file.
- Logging is mostly done by perror, and is done safely.
- Environment variable usage is okay.
- Privileged functions (setgid) are used to drop privs and are okay
  (returned errors are checked for).
- No use of cryptography / random number sources.
- Sole use of temp files in database-builder is okay, uses O_TMPFILE if
  available.
- No use of networking.
- No use of WebKit.
- No use of PolicyKit.

- No significant cppcheck results.
- No significant Coverity results, a couple of issues that could possibly
  warrant further investigation. Recommend upstream project make use of
  the public https://scan.coverity.com service.

Code generally feels modern and readable.

Security team ACK for promoting plocate to main.


** Changed in: plocate (Ubuntu Jammy)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)


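The privilege handling the review above describes (an alternate db is searched in a forked child that drops the setgid group, with the return value checked) can be sketched as follows. This is an added example, not plocate's code: it uses setregid() so that the saved set-group-ID is reset as well, and the function names and sample paths are made up for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes setregid() on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up a setgid group. Returns 0 on success, -1 if the
 * drop failed or could be undone. */
static int drop_group_privilege(void)
{
    gid_t rgid = getgid();
    gid_t old_egid = getegid();  /* privileged group in a setgid binary */
    /* On Linux, passing a real GID makes the kernel reset the saved
     * set-group-ID, so the old effective GID cannot be restored later. */
    if (setregid(rgid, rgid) != 0) {
        perror("setregid");
        return -1;
    }
    if (getgid() != rgid || getegid() != rgid)
        return -1;
    /* Prove it: regaining the old group must fail (root can always switch). */
    if (geteuid() != 0 && old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/* Fork, drop privilege in the child, run worker(path) there. Returns its exit
 * code, 126 if the drop failed (worker never ran), -1 on fork/wait failure. */
static int run_unprivileged(int (*worker)(const char *), const char *path)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_group_privilege() != 0)
            _exit(126);
        _exit(worker(path) & 0xff);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical stand-in for "search this db": 0 if path opens read-only. */
static int worker_can_read(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}

int main(void)
{
    /* Constructed sample paths, not plocate's database location. */
    printf("%d %d\n", run_unprivileged(worker_can_read, "/dev/null"),
           run_unprivileged(worker_can_read, "/nonexistent/sample.db"));
    return 0;
}
```
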
[Bug 1960864] Re: [MIR] plocate

2022-03-01 Thread Didier Roche
** Changed in: plocate (Ubuntu Jammy)
 Assignee: Canonical Security Team (canonical-security) => Ubuntu Security Team (ubuntu-security)

[Bug 1960864] Re: [MIR] plocate

2022-03-01 Thread Brian Murray
** Changed in: plocate (Ubuntu Jammy)
Milestone: ubuntu-22.04 => ubuntu-22.04-beta

[Bug 1960864] Re: [MIR] plocate

2022-02-24 Thread Nick Rosbrook
** Description changed:

  [Availability]
  The package plocate is already in Ubuntu universe.
  The package plocate builds for the architectures it is designed to work on.
  It currently builds and works for architetcures: amd64, arm64, armhf, 
ppc64el, s390x
  Link to package [[https://launchpad.net/ubuntu/+source/plocate|plocate]]
  
  [Rationale]
  - The package plocate will generally be useful for a large part of
-   our user base
+   our user base
  - Package plocate covers the same use case as mlocate, but is better
-   because it is a faster implementation. From the package description:
-   "plocate is a locate(1) based on posting lists, giving much faster
-   searches on a much smaller index. It is a drop-in replacement for mlocate in
-   nearly all aspects, and is fast on SSDs and non-SSDs alike."
+   because it is a faster implementation. From the package description:
+   "plocate is a locate(1) based on posting lists, giving much faster
+   searches on a much smaller index. It is a drop-in replacement for mlocate in
+   nearly all aspects, and is fast on SSDs and non-SSDs alike."
  - Additional reasons: Debian has removed mlocate in favor of plocate.
  
  [Security]
  - No CVEs/security issues in this software in the past
-   http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=plocate
-   https://ubuntu.com/security/cve?package=plocate
- - no `suid` or `sgid` binaries
+   http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=plocate
+   https://ubuntu.com/security/cve?package=plocate
+ - /usr/bin/plocate binary is sgid
  - There are binaries in sbin
-   /usr/sbin/plocate-build
-   /usr/sbin/updatedb.plocate
+   /usr/sbin/plocate-build
+   /usr/sbin/updatedb.plocate
  - Package does install services, timers or recurring jobs
-   /lib/systemd/system/plocate-updatedb.service
-   /lib/systemd/system/plocate-updatedb.timer
+   /lib/systemd/system/plocate-updatedb.service
+   /lib/systemd/system/plocate-updatedb.timer
  
-   $ cat /lib/systemd/system/plocate-updatedb.service 
- [Unit]
- Description=Update the plocate database
- ConditionACPower=true
+   $ cat /lib/systemd/system/plocate-updatedb.service
+ [Unit]
+ Description=Update the plocate database
+ ConditionACPower=true
  
- [Service]
- Type=oneshot
- ExecStart=/usr/sbin/updatedb.plocate
- LimitNOFILE=131072
- IOSchedulingClass=idle
+ [Service]
+ Type=oneshot
+ ExecStart=/usr/sbin/updatedb.plocate
+ LimitNOFILE=131072
+ IOSchedulingClass=idle
  
- PrivateTmp=true
- PrivateDevices=true
- PrivateNetwork=true
+ PrivateTmp=true
+ PrivateDevices=true
+ PrivateNetwork=true
  
-   $ cat /lib/systemd/system/plocate-updatedb.timer 
- [Unit]
- Description=Update the plocate database daily
+   $ cat /lib/systemd/system/plocate-updatedb.timer
+ [Unit]
+ Description=Update the plocate database daily
  
- [Timer]
- OnCalendar=daily
- RandomizedDelaySec=12h
- AccuracySec=20min
- Persistent=true
+ [Timer]
+ OnCalendar=daily
+ RandomizedDelaySec=12h
+ AccuracySec=20min
+ Persistent=true
  
- [Install]
- WantedBy=timers.target
+ [Install]
+ WantedBy=timers.target
  
  - Packages does not open privileged ports (ports < 1024)
  - Packages does not contain extensions to security-sensitive software
-   (filters, scanners, plugins, UI skins, ...)
+   (filters, scanners, plugins, UI skins, ...)
  
  [Quality assurance - function/usage]
  - The package works well right after install. One must run
-   `updatedb` after install to do initial indexing, and can
-then easily use `locate`.
+   `updatedb` after install to do initial indexing, and can
+    then easily use `locate`.
  
  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu and has not too many
-   and long term critical bugs open
-   - Ubuntu https://bugs.launchpad.net/ubuntu/+source/plocate/+bug
-   - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=plocate
+   and long term critical bugs open
+   - Ubuntu https://bugs.launchpad.net/ubuntu/+source/plocate/+bug
+   - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=plocate
  - The package does not deal with exotic hardware we cannot support
  
  [Quality assurance - testing]
  - The package does not run a test at build time.
  - The package runs an autopkgtest, and is currently passing on
-   amd64, arm64, armhf, ppc64el, s390x: 
https://autopkgtest.ubuntu.com/packages/plocate
+   amd64, arm64, armhf, ppc64el, s390x: 
https://autopkgtest.ubuntu.com/packages/plocate
  - The package does have failing autopkgtests tests right now on i386,
-   but this package is not supported for i386
+   but this package is not supported for i386
  
  [Quality assurance - packaging]
  - debian/watch is not present
  - This package does not yield massive lintian Warnings, Errors
-   $ lintian --pedantic -I
- I: plocate source: debian-watch-file-is-missing
- I: plocate 
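
Review bot: the replacement line `/usr/bin/plocate binary is sgid` under [Security] corrects the earlier "no `suid` or `sgid` binaries" claim, but it does not name the group the binary is setgid to or say what that group gives access to; adding both would let a reviewer scope the privileged code path from the description itself. Almost every other -/+ pair in this change differs only in leading whitespace, which buries this one substantive correction, so it is worth calling it out explicitly in a comment on the bug.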

[Bug 1960864] Re: [MIR] plocate

2022-02-24 Thread Steve Langasek
Yes, we should have this for the LTS.

** Also affects: plocate (Ubuntu Jammy)
   Importance: Undecided
 Assignee: Canonical Security Team (canonical-security)
   Status: New

** Changed in: plocate (Ubuntu Jammy)
Milestone: None => ubuntu-22.04

[Bug 1960864] Re: [MIR] plocate

2022-02-24 Thread Didier Roche
Upstream informed us that the initial MIR description wrongly stated that
there are no sgid binaries, but /usr/bin/plocate is sgid plocate.

I think this then warrants a security review.

@enr0n: do you need this for this LTS release? If so, please target it to
mention that to the security team.
If the security team doesn’t have the bandwidth to deal with it before beta,
we will then need to revert this to the previous state, being mlocate.

** Changed in: plocate (Ubuntu)
   Status: Fix Released => New

** Changed in: plocate (Ubuntu)
 Assignee: (unassigned) => Canonical Security Team (canonical-security)

[Bug 1960864] Re: [MIR] plocate

2022-02-23 Thread Nick Rosbrook
** Tags added: fr-2074

[Bug 1960864] Re: [MIR] plocate

2022-02-22 Thread Steve Langasek
Override component to main
plocate 1.1.15-1ubuntu2 in jammy: universe/misc -> main
mlocate 1.1.15-1ubuntu2 in jammy amd64: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy arm64: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy armhf: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy i386: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy ppc64el: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy riscv64: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy s390x: main/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy amd64: universe/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy arm64: universe/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy armhf: universe/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy ppc64el: universe/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy riscv64: universe/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy s390x: universe/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy amd64 remained the same
mlocate 1.1.15-1ubuntu2 in jammy arm64 remained the same
mlocate 1.1.15-1ubuntu2 in jammy armhf remained the same
mlocate 1.1.15-1ubuntu2 in jammy i386 remained the same
mlocate 1.1.15-1ubuntu2 in jammy ppc64el remained the same
mlocate 1.1.15-1ubuntu2 in jammy riscv64 remained the same
mlocate 1.1.15-1ubuntu2 in jammy s390x remained the same
7 publications overridden; 7 publications remained the same.


** Changed in: plocate (Ubuntu)
   Status: Fix Committed => Fix Released

[Bug 1960864] Re: [MIR] plocate

2022-02-22 Thread Steve Langasek
The Required TODO listed has been fixed in proposed; the bug is still
open because the package won't migrate until the package has been
promoted to main, to fix the component mismatch.

I'm therefore marking this bug 'fix committed' per my understanding of
the MIR team's intent, to unblock that process.

** Changed in: plocate (Ubuntu)
   Status: Incomplete => Fix Committed

[Bug 1960864] Re: [MIR] plocate

2022-02-17 Thread Nick Rosbrook
I have created a bug [1], and provided a patch, to address the TODO
regarding binary content in obj-x86_64-linux-gnu/.

[1] https://bugs.launchpad.net/ubuntu/+source/plocate/+bug/1961266

[Bug 1960864] Re: [MIR] plocate

2022-02-16 Thread Didier Roche
Review for Package: plocate

[Summary]
MIR team ACK, given the Required TODO is fixed, as it seems like a potential
big issue to me.

Notes:
Required TODOs:
- The source package can include binary content in obj-x86_64-linux-gnu/. The
build artefacts included are .exe and .o files. They are not present by
default in the source package, but nothing really prevents them from being
accidentally included. I think it’s necessary to fix this and ensure we don’t
embed them in our source files, as those are arch-dependent, binary code
results which would potentially override the ones produced during the build
due to a more recent timestamp.

[Duplication]
This is a replacement of mlocate in main which provided the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the (potentially auto-generated) dependencies (Depends
  and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)

[Common blockers]
OK:
- does not FTBFS currently
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems:
- does not have a test suite that runs at build time. However, some
autopkgtests are present which then cover it.

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control
- symbols tracking not applicable for this kind of code.
- d/watch is not present, but not needed
- Upstream update history is good (upstream is debian)
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- The source package can include binary content in obj-x86_64-linux-gnu/. The
build artefacts included are .exe and .o files. They are not present by
default in the source package, but nothing really prevents them from being
accidentally included. I think it’s necessary to fix this and ensure we don’t
embed them in our source files, as those are arch-dependent, binary code
results which would potentially override the ones produced during the build
due to a more recent timestamp.

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case


** Changed in: plocate (Ubuntu)
   Status: New => Fix Committed

** Changed in: plocate (Ubuntu)
 Assignee: Didier Roche (didrocks) => (unassigned)

** Changed in: plocate (Ubuntu)
   Status: Fix Committed => Incomplete

[Bug 1960864] Re: [MIR] plocate

2022-02-15 Thread Christian Ehrhardt 
** Changed in: plocate (Ubuntu)
 Assignee: (unassigned) => Didier Roche (didrocks)
