[Summary]
MIR Team Ack, but please work on the tests to get them working.
It will need a security review, but gladly it is a very, very small codebase.

TODOs:
- please continue to work on the tests to get them running mid term
- I'll reach out in the MIR team meeting since this was almost a full
  self review. In case we decide we need another full review we will do so.

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

Problems:
- does parse data formats

It doesn't really do much other than wrapping a complex kernel interface.
But I/O always is somewhat security sensitive as people could manipulate the
underlying data and/or devices in some way.
Therefore I'd ask for a security review - gladly it is just 1680 lines of code
and about half of it is a copy of a few kernel headers. So this should really
be a quick review.

[Common blockers]
- does not FTBFS currently
- does have a test suite that runs at build time
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider in that regard
- no new python2 dependency

Problems:
- test suite does not fail the build upon error.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is (rather new, good so far)
- Debian/Ubuntu update history is (rather new, good so far)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- not using Built-Using
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (other than the tests just one)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks


** Description changed:

- Placeholder for full MIR template.
+ [Availability]
+ liburing is in universe in groovy at version 0.6-3 without Ubuntu Delta at 
the moment.
+ It builds for the Ubuntu architectures amd64, arm64, armhf, ppc64el, riscv64, 
s390x.
  
- In the meantime, what prompted me to do this was that samba 4.12.x can
- use liburing to build a vfs module, but samba-vfs-modules is in main.
+ [Rationale]
+ liburing can be used for advanced asynchronous IO in qemu (>=5),
+ samba (>=4.12.x) and probably more down the road.
+ - https://lwn.net/Articles/776703/
+ - https://unixism.net/loti/
  
- That particular vfs module in samba 4.12.2 has a serious data corruption
- bug[1], but it's being fixed.
+ Since groovy is the first step towards 22.04 I think it would be great to
+ enable liburing now and see how things behave and if/how they are further
+ adopted.
  
- More data about uring, to add to this MIR in the reasoning section:
  
- https://lwn.net/Articles/776703/
- https://unixism.net/loti/
+ [Security]
+ 
+ There was a CVE of the kernel side of the interface
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19241
+ It is already handled and fixed in all Ubuntu releases:
+ https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19241.html
+ 
+ So far nothing else came up, but generally I/O interfaces are a good place
+ to exploit so there is an elevated risk I guess.
+ 
+ 
+ [Quality assurance]
+ 
+ The package has build time tests that are not yet working, so it ignores the
+ return value for now, but runs them to gather data. Mostly it seems permission
+ or kernel config errors.
+ 
+ It also has autopkgtests but those also miss permissions.
+ 
+ Note: I have forwarded an MP to Debian about the root permission at
+ build/test time.
+ 
+ Further all seems ok:
+ - No debconf questions.
+ - No long-term outstanding bugs.
+ - The package is maintained well in Debian/Ubuntu (sync, no open bugs)
+ - The package does not deal with exotic hardware (just very recent kernels)
+ - The package uses a debian/watch file
+ - not using python(2)
+ - symbols tracking is in place
+ - lintian --pedantic is rather happy
+ 
+ [UI standards]
+ 
+ this has no end-user UI, so no translations seem needed.
+ 
+ [Dependencies]
+ 
+ No other dependencies than libc6. This really is just a path to the kernel
+ and does not need many other components.
+ 
+ [Standards compliance]
+ - The package meets the FHS and Debian Policy standards.
+ - d/rules and d/control as small and well written
+ 
+ [Maintenance]
+ 
+ The Server team will subscribe for the package for maintenance
+ 
+ [Background]
+ quote https://unixism.net/loti/
  """
- io_uring is a powerful new way to do asynchronous I/O programming under 
Linux. Doing away with various limitations of previous generation I/O 
subsystems, io_uring holds immense promise. For more details on what io_uring 
brings to the table, please see the chapter What is io_uring?.
+ io_uring is a powerful new way to do asynchronous I/O programming under Linux.
+ Doing away with various limitations of previous generation I/O subsystems,
+ io_uring holds immense promise. For more details on what io_uring brings to
+ the table, please see the chapter What is io_uring?.
  """
- 
- 1. https://bugzilla.samba.org/show_bug.cgi?id=14361
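
Review bot: In the added [Quality assurance] section, the line "I have forwarded an MP to Debian about the root permission at build/test time" carries no link, so a reader cannot track whether the build-time tests and autopkgtests have stopped ignoring failures; add the MP URL next to that note. The same change also removes the reference to the samba vfs module data corruption bug (bugzilla id 14361) while [Rationale] still lists samba (>=4.12.x) as a consumer, so consider keeping that pointer in the description until the fix is confirmed.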

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1878006

Title:
  MIR: liburing
