[Summary]
- MIR Team ack
- needs no subscriber as it is part of mysql-8 which has the server Team subscribed already
@Security
- Security check of the subdir router/* requested
@Server
- While security is working on the review the server Team should try to enable the tests in router/test/* in either build or autopkgtest
- should we add a service file or something or is this intentionally up to the users and/or the mentioned charms thereof?
- d/copyright could get an update, lintian yells about it all over the place

[Background]
This is the request to review a new binary of a package otherwise already in main.
But since the functionality wasn't in the source long ago when it was accepted and since functionally it is rather (security) critical a re-review was requested.
Going forward it is important to understand that we are not (re-)reviewing all of mysql but the subdir router/* and its associated snippets in the build system and debian directory.

[Duplication]
There is no other package that provides the function of mysql-router.
There are other DB-proxies like postgresql-12-pgpool2, mariadb maxscale, ... there is none for mysql yet and none in main.

[Embedded sources and static linking]
- no embedded libs
- no golang

[Security]
- no history of CVEs
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

Ok, but worth to look at:
- while it does not run a daemon as root (we only provide the binary, no service)
  That still means for deployment people will have to use it in such a way or similar
  => https://dev.mysql.com/doc/mysql-router/8.0/en/mysql-router-general-using-deploying.html
- while only redirecting instead of handling the requests it does parse data formats
- it opens a port or sockets depending on setup
- technically a proxy is itself a "man in the middle" so attacks like that get more attack surface to work with

While being under the same strict coverage as mysql8 itself, being part of the same source, feels good, I think this is worth a check by the security Team.

[Common blockers]
- builds fine atm
- already has a bug subscriber
- translations are not present (for this component) but it isn't user facing
- not a python package, so no further checks on that needed

Not perfect, but acceptable for now:
- router has its own test section in the code at router/tests
  But I see none of them run at build or autopkgtest time:
  => https://launchpadlibrarian.net/452198941/buildlog_ubuntu-focal-amd64.mysql-8.0_8.0.18-0ubuntu3_BUILDING.txt.gz
  => https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-focal/focal/amd64/m/mysql-8.0/20191119_213042_010c3@/log.gz
  Adding that would be great for QA

[Packaging red flags]
- Ubuntu carries delta in general but nothing massive and nothing on router
- it has a bunch of "internal" libs in /usr/lib/mysql-router/ not meant for external usage.
  While tracking symbols is nice in this case it isn't strictly required
  Also once bug 1845661 is fixed this is gone.
- d/watch is ok
- updates are regular including upstream minor releases and security maintenance
- it is up to date
- src:mysql is maintained anyway already (no extra burden)
- No critical massive Lintian warnings
- d/rules isn't the cleanest, but ok for the complexity of the project
- no Built-Using

[Upstream red flags]
- no build errors during the build
- no incautious use of malloc/sprintf (in the new code)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no User nobody
- no use of setuid
- being a dependency of desktop packages mysql is known to have a lot of
  "non expert" bugs, but mysql-router will only be pulled in on more classic
  server deployments. Currently no important bugs (crashers, etc) in Debian or
  Ubuntu are blocking the router feature
- no use of Dependency on webkit, qtwebkit, seed or libgoa-*
- no Embedded source copies
- not integrating to Unity Dash


** Changed in: mysql-8.0 (Ubuntu)
     Assignee: Christian Ehrhardt  (paelzer) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1852367

Title:
  [MIR] mysql-router (mysql-8.0)
