[Bug 1746047] Re: [MIR] argon2

2018-02-02 Thread Matthias Klose
** Changed in: argon2 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1746047

Title:
  [MIR] argon2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/argon2/+bug/1746047/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1746047] Re: [MIR] argon2

2018-02-01 Thread Seth Arnold
I reviewed argon2 version 0~20161029-1.1 as checked into bionic. This
isn't a full security audit but rather a quick gauge of maintainability.
Specifically I did not audit the implementation for correctness or
cryptographic security.

- argon2 is the winning entry in a recent "Password Hashing Competition",
  modeled after the AES and SHA-3 competitions, run by the open
  cryptography community. The intention is to make a new password hashing
  algorithm and key derivation function.
- There are no CVEs in our database
- This package provides command line utilities and a library suitable for
  direct use.
- argon2 does not daemonize
- no pre/post inst/rm scripts
- no initscripts
- no systemd units
- no dbus services
- no setuid
- argon2 application in PATH
- no sudo fragments
- no udev rules
- a test suite is run during the build
- no cronjobs
- clean buildlogs

- no subprocesses are spawned
- memory management looked careful
- No file IO
- No environment variables
- No privileged operations
- Extensive cryptography
- No networking
- No privileged portions of code
- No temporary files
- No WebKit
- No JavaScript
- cppcheck has one false positive
- No PolicyKit

The API to use argon2 functions is more complicated than I'd like. Someone
somewhere is going to misuse this thing because it's too complex.

But the code quality was good.

Security team ACK for promoting argon2 to main.

Thanks


** Changed in: argon2 (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)


[Bug 1746047] Re: [MIR] argon2

2018-01-31 Thread Matthias Klose
now pre-promoted, to fix php uninstallability

Override component to main
argon2 0~20161029-1.1 in bionic: universe/misc -> main
argon2 0~20161029-1.1 in bionic amd64: universe/utils/optional/100% -> main
argon2 0~20161029-1.1 in bionic arm64: universe/utils/optional/100% -> main
argon2 0~20161029-1.1 in bionic armhf: universe/utils/optional/100% -> main
argon2 0~20161029-1.1 in bionic i386: universe/utils/optional/100% -> main
argon2 0~20161029-1.1 in bionic ppc64el: universe/utils/optional/100% -> main
argon2 0~20161029-1.1 in bionic s390x: universe/utils/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic amd64: universe/libs/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic arm64: universe/libs/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic armhf: universe/libs/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic i386: universe/libs/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic ppc64el: universe/libs/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic s390x: universe/libs/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic amd64: universe/libdevel/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic arm64: universe/libdevel/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic armhf: universe/libdevel/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic i386: universe/libdevel/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic ppc64el: universe/libdevel/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic s390x: universe/libdevel/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic amd64: universe/debian-installer/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic arm64: universe/debian-installer/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic armhf: universe/debian-installer/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic i386: universe/debian-installer/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic ppc64el: universe/debian-installer/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic s390x: universe/debian-installer/optional/100% -> main
25 publications overridden.


[Bug 1746047] Re: [MIR] argon2

2018-01-29 Thread Mathieu Trudel-Lapierre
Package looks good, it's a new project so not unusual not to have CVEs
in Mitre. There's a team subscriber, package runs tests as part of the
build, etc. This looks fine to me, but given that it is a package that
would be used to handle keys in cryptsetup, this requires a security
review.

** Changed in: argon2 (Ubuntu)
 Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team (ubuntu-security)


[Bug 1746047] Re: [MIR] argon2

2018-01-29 Thread Mathieu Trudel-Lapierre
** Changed in: argon2 (Ubuntu)
   Status: New => Triaged

** Changed in: argon2 (Ubuntu)
   Status: Triaged => In Progress

** Changed in: argon2 (Ubuntu)
 Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
