[Summary]
This package needs some cleanup for better tests, symbols tracking and things
like lintian/dh_missing. No show stoppers though, MIR Team kind-of-Ack under the
condition to try to improve these weak spots before promotion.
Please report here what has been done for that and summarize the new and
improved state of warnings and bugs to reduce concerns to get the final MIR Ack.

While the above isn't a full Ack yet, it isn't too bad either. We don't have to
wait and block on it atm; this does need a security review, so I'll assign
ubuntu-security now already.
Security manages MIR reviews via the subscription; to reflect that work is needed
in any case I'll set the state to incomplete also.

To be promoted to main: opensc + opensc-pkcs11

Required TODOs:
- some testing for the overall topic of smartcard usage as outlined in
  the ccid review
- subscribe a team to the bug (better now than later)
- plenty of libs, some seem internal, but still - please add symbols tracking
  where applicable to detect incompatibilities early
- check and resolve dh_missing
- too many crash bugs left, please do a bug squash and help to improve quality.
  Also see the suggestions below of "splitting the package" and "defined set
  of supported cards" to make this more manageable
Recommended TODOs:
- The tests at build time skip 3/4 subtests. Please evaluate if that can be
  improved.
- This package consists of many small tools, supporting (and thereby testing,
  recreating issues, ...) all of them can be hard. For supportability and
  install footprint it could be useful to check all these binaries and split
  some of them into an -extra package that will not be promoted.

[Duplication]
PKCS#15 card support providing PKCS#11 to the upper layers is the core piece
of opensc, this is the only SW doing that in the archive - no duplication.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning (many CVEs), but under control
  (all closed)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does parse data formats (from/to cards pkcs#15 and from/to higher layers
  pkcs#11)
- does deal with system authentication (eg, pam, etc)
  pam-pkcs#11 is directly involved with auth
=> It will need a security review

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build upon error.
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard
- no new python2 dependency

Problems:
- the self tests it has at build time are mostly skipped
- does have a test suite that runs as autopkgtest
  (as discussed in ccid)
- The package has a team bug subscriber
  Do it early please!

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- d/rules is rather clean
- Does not have Built-Using

Problems:
- symbols tracking is not in place (some libs are reported without
  version at all - but that might be internal only libs)
  W: opensc-pkcs11: shared-library-lacks-version usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so onepin-opensc-pkcs11.so
  W: opensc-pkcs11: shared-library-lacks-version usr/lib/x86_64-linux-gnu/opensc-pkcs11.so opensc-pkcs11.so
  W: opensc-pkcs11: shared-library-lacks-version usr/lib/x86_64-linux-gnu/pkcs11-spy.so pkcs11-spy.so
- no massive Lintian warnings
  A few (see above) and in addition some dh_missing and missing man page
  warnings that should be looked after.

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

Problem:
- many open bugs (even crashers, etc) in Debian or Ubuntu
  https://bugs.launchpad.net/ubuntu/+source/opensc
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=yes&src=opensc
  There are plenty of bugs, even segfaults, and from reading through them it
  might come back to what I predicted with the problem of various hardware.
  Again it might be worth splitting the package and supporting & promoting only
  a subset.
  Also again please consider declaring somewhere formally a defined set of
  "supported cards" that you can really repro and test (on top of the promotion)

** Changed in: opensc (Ubuntu)
       Status: New => Incomplete

** Changed in: opensc (Ubuntu)
     Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pcsc-lite in Ubuntu.
https://bugs.launchpad.net/bugs/1892559
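The lintian `shared-library-lacks-version` warnings quoted in the review above are the kind of thing symbols tracking and SONAME versioning exist to catch before an ABI break reaches users. The Python below is an added example, not part of this bug report, of lintian, or of the opensc package: it reads `DT_SONAME` from a little-endian ELF64 shared object using only its program headers (the same view the dynamic loader has, so stripped objects work), then applies an approximation of lintian's versioning rule (a SONAME ending in `.so.N` or `-N.N.so` counts as versioned). `build_test_elf()` and the file names in the sample are constructed test input; the regex is my reading of the rule, not lintian's code. PKCS#11 modules such as `opensc-pkcs11.so` are normally loaded by path with `dlopen()` rather than linked against, which is the usual reason such plugins carry no SONAME version and get a lintian override rather than a fix; the script still flags them so the reviewer can make that call explicitly.

```python
import re
import struct
from typing import Optional

# ELF constants from the ELF specification.
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_STRTAB, DT_SONAME = 0, 5, 14

# Approximation of lintian's rule (assumption): a SONAME is "versioned" if it
# ends in ".so.N" or in "-N.N.so", the two conventions lintian accepts.
VERSIONED = re.compile(r"\.so\.\d+|-[\d.]+\.so$")

def read_soname(data: bytes) -> Optional[str]:
    """DT_SONAME of a little-endian ELF64 image, or None if it has none."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)

    # Use program headers only (as the dynamic loader does), so stripped objects work.
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return None  # no dynamic section, hence no SONAME

    # Walk the dynamic entries for the string table address and the SONAME index.
    strtab_vaddr = soname_idx = None
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
        d_tag, d_val = struct.unpack_from("<qQ", data, pos)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_STRTAB:
            strtab_vaddr = d_val
        elif d_tag == DT_SONAME:
            soname_idx = d_val
    if strtab_vaddr is None or soname_idx is None:
        return None

    # DT_STRTAB is a virtual address; map it to a file offset through PT_LOAD.
    for vaddr, offset, filesz in loads:
        if vaddr <= strtab_vaddr < vaddr + filesz:
            start = offset + (strtab_vaddr - vaddr) + soname_idx
            return data[start:data.index(b"\0", start)].decode("ascii")
    raise ValueError("DT_STRTAB is not inside any PT_LOAD segment")

def lacks_version(soname: str) -> bool:
    """True when the SONAME carries no version, the condition lintian warns about."""
    return VERSIONED.search(soname) is None

def audit(images: dict) -> dict:
    """One verdict per file (keyed by its path inside the package)."""
    verdicts = {}
    for path, data in images.items():
        soname = read_soname(data)
        if soname is None:
            verdicts[path] = "no SONAME"
        elif lacks_version(soname):
            verdicts[path] = f"SONAME {soname} lacks version"
        else:
            verdicts[path] = f"ok ({soname})"
    return verdicts

def build_test_elf(soname: Optional[str]) -> bytes:
    """Constructed test input: a minimal, non-loadable ELF64 ET_DYN image with
    one PT_LOAD, one PT_DYNAMIC, the dynamic entries and a string table."""
    ehdr_size, phdr_size, n_phdr = 64, 56, 2
    dyn_off = ehdr_size + n_phdr * phdr_size
    n_dyn = 3 if soname else 2                     # STRTAB, [SONAME], NULL
    str_off = dyn_off + n_dyn * 16
    strtab = b"\0" + (soname.encode("ascii") + b"\0" if soname else b"")
    total = str_off + len(strtab)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehdr_size, 0, 0,
                        ehdr_size, phdr_size, n_phdr, 64, 0, 0)
    # Identity mapping (vaddr == file offset) over the whole file keeps it simple.
    ph_load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         n_dyn * 16, n_dyn * 16, 8)
    dyn = struct.pack("<qQ", DT_STRTAB, str_off)
    if soname:
        dyn += struct.pack("<qQ", DT_SONAME, 1)    # strtab index of the name
    dyn += struct.pack("<qQ", DT_NULL, 0)
    return ehdr + ph_load + ph_dyn + dyn + strtab

if __name__ == "__main__":
    # Constructed sample: module names from the lintian output in the review
    # plus one properly versioned library for contrast.
    sample = {
        "usr/lib/x86_64-linux-gnu/opensc-pkcs11.so": build_test_elf("opensc-pkcs11.so"),
        "usr/lib/x86_64-linux-gnu/libexample.so.1": build_test_elf("libexample.so.1"),
    }
    for path, verdict in audit(sample).items():
        print(f"{path}: {verdict}")
```

To run it over a real unpacked binary package, replace the constructed `sample` with `{path: open(path, "rb").read() for path in glob.glob("usr/lib/*/*.so*")}`; the parser itself needs no third-party module. Files it reports as "no SONAME" or "lacks version" are the ones to either fix upstream, give a `dh_makeshlibs`/symbols file once versioned, or document with a lintian override if they are dlopen'd plugins.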

Title:
  [MIR] ccid libpam-pkcs11 libpcsc-perl opensc pcsc-tools pcsc-lite

Status in ccid package in Ubuntu:
  New
Status in opensc package in Ubuntu:
  Incomplete
Status in pam-pkcs11 package in Ubuntu:
  New
Status in pcsc-lite package in Ubuntu:
  New
Status in pcsc-perl package in Ubuntu:
  New
Status in pcsc-tools package in Ubuntu:
  New

Bug description:
  ==> ccid <==
  [Availability]
  ccid is in universe, and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs for ccid are listed in our database.
  Doesn't appear to bind to a socket.
  No privileged executables, but does have udev rules.
  Probably needs a security review.

  [Quality assurance]
  No test suite.
  Does require odd hardware that we'll probably need to buy.
  I don't see debconf questions.
  ccid is well maintained in Debian by upstream author.
  One open wishlist bug in BTS, harmless.

  One open bug in launchpad, not security, but looks very frustrating
  for the users. The upstream author was engaged but it never reached
  resolution.  https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465

  Has a debian/watch file.
  Quilt packaging.

  P: ccid source: no-dep5-copyright
  P: ccid source: package-uses-experimental-debhelper-compat-version 13

  [Dependencies]
  Minimal dependencies, in main

  [Standards compliance]
  Appears to satisfy FHS and Debian policy

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  ccid provides drivers to interact with usb-connected smart card readers.

  ==> libpam-pkcs11 <==
  [Availability]
  Source package pam-pkcs11 is in universe and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs in our database.
  Doesn't appear to bind to sockets.
  No privileged executables (but is a PAM module).
  As a PAM module this will require a security review.

  [Quality assurance]
  The package does not call pam-auth-update in its postinst #1650366
  Does not ask questions during install.
  One Ubuntu bug claims very poor behaviour if a card isn't plugged in.
  No Debian bugs.
  Occasional updates in Debian by long-term maintainer.
  Does require odd hardware that we'll probably need to buy.
  Does not appear to run tests during build.
  Has scary warnings in the build logs.
  Has a debian/watch file.

  Ancient standards version; other smaller lintian messages, mostly
  documentation problems.

  Quilt packaging.

  [Dependencies]
  Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1
  All are in main.

  [Standards compliance]
  The package does not call pam-auth-update in its postinst #1650366
  Otherwise looks to conform to FHS and Debian policies

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  This PAM module can use CRLs and full-chain verification of certificates.
  It can also do LDAP, AD, and Kerberos username mapping.

  ==> libpcsc-perl <==
  [Availability]
  Source package pcsc-perl is in universe, builds for all architectures,
  plus i386

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  There are no cves for pcsc-perl in our database.
  No privileged executables.
  Doesn't appear to bind to sockets.
  Probably needs a security review.

  [Quality assurance]
  Library package not intended to be used directly.
  No debconf questions.
  No bugs in Debian.
  No bugs in Ubuntu.
  Does require odd hardware that we'll probably need to buy.
  Tests exist, not run during the build; probably can't run during the build.
  Includes debian/watch file.
  A handful of lintian issues
  Quilt packaging.

  [Dependencies]
  libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0.
  All are in main.

  [Standards compliance]
  One oddity, Card.pod is stored in /usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/
  Many other perl packages have .pod files in these directory trees so maybe
  it's fine, but it seems funny all the same.

  Otherwise appears to satisfy FHS and Debian policy.

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  Dependency of pcsc-tools; this library provides an API to work with smart
  cards and card readers.

  ==> opensc <==
  [Availability]
  Both opensc and opensc-pkcs11
  In universe, builds for all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  26 CVEs in our database. None open in groovy.
  No privileged executables.
  Does not appear to bind to sockets.
  Probably needs a security review.

  [Quality assurance]
  Unknown configuration effort.
  No debconf questions.
  Several recent Ubuntu bugs ask for updates to newer versions for bugfixes.
  A recent Debian bug reports a FTBFS, includes a fix, and has been ignored
  for months.
  Does require odd hardware that we'll probably need to buy.
  Includes a test suite, most of which is skipped; unknown quality, looks
  like a bit more than usual smoke testing.
  Includes a debian/watch file.
  Handful of small lintian warnings.
  Quilt packaging.

  [Dependencies]
  Recommends: pcscd from universe

  [Standards compliance]
  Appears to follow FHS, Debian policy.

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  Provides a pkcs#11 library for interacting with many models of smartcards.

  ==> pcsc-tools <==
  [Availability]
  Built in groovy for all architectures

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs in our database for pcsc-tools.
  Doesn't appear to bind to sockets.
  No privileged executables.
  Probably needs a security review.

  [Quality assurance]
  It looks like it works out of the box.
  No debconf questions.
  One bug in Ubuntu, it doesn't make much sense.
  No bugs in Debian.
  Looks to be regularly updated in Debian.
  Does require odd hardware that we'll probably need to buy.
  Doesn't look like it includes a test suite.
  Includes a debian/watch file.
  Very short lintian --pedantic output.
  Quilt packaging.

  [Dependencies]
  Depends upon libpcsclite1, libpcsc-perl, libgtk3-perl.
  libpcsc-perl is in universe.

  [Standards compliance]
  Appears to adhere to FHS, Debian policy.

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  This package provides general utilities for smartcards; it's possible that
  we do not strictly need this package for our use case.

  ==> libpcsclite1 <==
  [Availability]
  pcsc-lite is in universe, and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  Five CVEs for pcsc-lite are listed in our database.
  Doesn't appear to bind to a socket.
  No executables, only a library.
  Probably needs a security review.

  [Quality assurance]
  There is a testpcsc.c file that is compiled but I don't know how to use it
  for tests.
  Does require odd hardware that we'll probably need to buy.
  I don't see debconf questions.
  pcsc-lite is well maintained in Debian by upstream author.
  There are a handful of open bugs in Debian, the author was very responsive
  on the handful I inspected, it looks like some cases of misunderstood
  capabilities, cases of conflicting requirements, etc. Nothing looked
  concerning:
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=pcsc-lite

  The most recent Ubuntu bugs are due to (a) 14.04 systemd problems (b)
  errors from drivers assigned to the wrong package (c) probably due to use
  of insserv rather than plain systemd:
  https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bugs?orderby=-id&start=0
  Nothing looked concerning.

  Has a debian/watch file.
  Quilt packaging.

  P: pcsc-lite source: no-dep5-copyright
  P: pcsc-lite source: package-uses-experimental-debhelper-compat-version 13

  [Dependencies]
  libpcsclite1 depends upon libc6.

  [Standards compliance]
  Appears to satisfy FHS and Debian policy

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  libpcsclite1 provides the Windows smart-card API to interact with smart card
  readers.
