Thanks for the thorough pre-check and report Andreas.

Here my MIR review:

[Summary]
The package seems reasonably maintained and also ok in general.
The only security exposure that came up is that it is reading/writing data formats.
That alone would not yet make it very security sensitive.
But the fact that this is - if at all - used in more enterprise-y contexts
makes that data write/read important.
I think the general rule applies here to be on the side of caution - therefore
I'd ask for a security review of it.

While that is going on:
1. please sort out the future Team subscriber as well.
   Even if subscribing late, please state here who it will be once known.

2. Personally I don't need d/watch files too much, but the process requires it.
   Please could you check to get a d/watch file added against the github
   project?


--- Detail ---

[Duplication]
There is no duplicate function in the Archive

[Embedded sources and static linking]
OK are:
- no embedded sources
- no static linking
- no golang

[Security]
OK are:
- no history of CVEs
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)
- does not run a daemon as root
- does not open a port

Although it
- does parse data formats (mostly read/write on disk metadata)

[Common blockers]
OK are:
- no FTBFS currently
- test suite runs at build time
- no python code to check

Although it:
- does not yet have a team bug subscriber
  Before this can be completed someone has to step up; given that LVM2 is
  Foundations' and the last uploads/modifications were as well, I assume they will
  take it.
  But that has to happen before promotion.

[Packaging red flags]
OK are:
- Ubuntu has a Delta for an Ubuntu-specific (as needed) build error (ok)
- no libraries shipped
- update history is not the most active one but seems ok
  - Debian maintenance is a bit unclear (see description), but active enough
- no MOTU only case
- there are a lot of Lintian warnings (cleanup would be nice), but no critical ones
- d/rules is rather clean
- not using Built-Using
- no golang

Although it:
- does not have a watch file
- the current release is not yet packaged, but that is just 3 weeks old
  (ok for now)

[Upstream red flags]
- a few "may be used uninitialized" and "suggest explicit braces" warnings,
  but no error
- use of malloc/sprintf seems ok
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user "nobody"
- no setuid
- no known critical bugs
  - there is one data corruption upstream, but badly filed and lacking info
- no Dependency on webkit, qtwebkit, seed or libgoa-*
- no Embedded source copies
- not part of the scope for the Unity Dash and its privacy settings

** Changed in: thin-provisioning-tools (Ubuntu)
     Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)
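As an added example (not part of the review above and not the package's own packaging), this is a debian/watch file of the kind the reviewer asks for, following the uscan version 4 template for GitHub tag tarballs. The GitHub owner (OWNER) is a placeholder, since the review does not name the upstream repository; @PACKAGE@ is expanded by uscan to the source package name.

```text
# debian/watch, added example (not from the package); OWNER is a placeholder
version=4
opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%@PACKAGE@-$1.tar.gz%" \
  https://github.com/OWNER/thin-provisioning-tools/tags \
  (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
```

Running `uscan --report --verbose` in the unpacked source directory checks whether a newer upstream tag exists without downloading anything, which is the check that lets the archive notice upstream releases (security fixes included) as they appear; the filenamemangle rule only renames the GitHub-generated tarball so that it carries the package name rather than a bare version number.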

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1828887

Title:
  [MIR] thin-provisioning-tools

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/thin-provisioning-tools/+bug/1828887/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
