[Summary]
MIR Team Ack, but please work on the tests to get them working.
It will need a security review, but gladly it is a very very small codebase.

TODOs:
- please continue to work on the tests to get them running mid term
- I'll reach out in the MIR team meeting since this was almost a full self review. In case we decide we need another full review we will do so.

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

Problems:
- does parse data formats

It doesn't really do much other than wrapping a complex kernel interface. But I/O always is somewhat security sensitive as people could manipulate the underlying data and/or devices in some way. Therefore I'd ask for a security review - gladly it is just 1680 lines of code and about half of it is a copy of a few kernel headers. So this should really be a quick review.

[Common blockers]
- does not FTBFS currently
- does have a test suite that runs at build time
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider in that regard
- no new python2 dependency

Problems:
- test suite does not fail the build upon error.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is (rather new, good so far)
- Debian/Ubuntu update history is (rather new, good so far)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- not using Built-Using
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (other than the tests just one)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

** Description changed:
- Placeholder for full MIR template. + [Availability] + liburing is in universe in groovy at version 0.6-3 without Ubuntu Delta at the moment. + It builds for the Ubuntu architectures amd64, arm64, armhf, ppc64el, riscv64, s390x. - In the meantime, what prompted me to do this was that samba 4.12.x can - use liburing to build a vfs module, but samba-vfs-modules is in main. + [Rationale] + liburing can be used for advanced asynchronous IO in qemu (>=5), + samba (>=4.12.x) and probably more down the road. + - https://lwn.net/Articles/776703/ + - https://unixism.net/loti/ - That particular vfs module in samba 4.12.2 has a serious data corruption - bug[1], but it's being fixed. + Since groovy is the first step towards 22.04 I think it would be great to + enable liburing now and see how things behave and if/how they are further + adopted.
- More data about uring, to add to this MIR in the reasoning section: - https://lwn.net/Articles/776703/ - https://unixism.net/loti/ + [Security] + + There was a CVE of the kernel side of the interface + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19241 + It is already handled and fixed in all Ubuntu releases: + https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19241.html + + So far nothing else came up, but generally I/O interfaces are a good place + to exploit so there is an elevated risk I guess. + + + [Quality assurance] + + The package has build time tests that are not yet working, so it ignores the + return value for now, but runs them to gather data. Mostly it seems permission + or kernel config errors. + + It also has autopkgtests but those also miss permissions. + + Note: I have forwarded an MP to Debian about the root permission at + build/test time. + + Further all seems ok: + - No debconf questions. + - No long-term outstanding bugs. + - The package is maintained well in Debian/Ubuntu (sync, no open bugs) + - The package does not deal with exotic hardware (just very recent kernels) + - The package uses a debian/watch file + - not using python(2) + - symbols tracking is in place + - lintian --pedantic is rather happy + + [UI standards] + + this has no end-user UI, so no translations seem needed. + + [Dependencies] + + No other dependencies than libc6. This really is just a path to the kernel + and does not need many other components. + + [Standards compliance] + - The package meets the FHS and Debian Policy standards. + - d/rules and d/control as small and well written + + [Maintenance] + + The Server team will subscribe for the package for maintenance + + [Background] + quote https://unixism.net/loti/ """ - io_uring is a powerful new way to do asynchronous I/O programming under Linux. Doing away with various limitations of previous generation I/O subsystems, io_uring holds immense promise. 
For more details on what io_uring brings to the table, please see the chapter What is io_uring?. + io_uring is a powerful new way to do asynchronous I/O programming under Linux. + Doing away with various limitations of previous generation I/O subsystems, + io_uring holds immense promise. For more details on what io_uring brings to + the table, please see the chapter What is io_uring?. """ - - 1. https://bugzilla.samba.org/show_bug.cgi?id=14361

https://bugs.launchpad.net/bugs/1878006
Title: MIR: liburing
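
Review bot: the new [Rationale] text still names samba (>=4.12.x) as a consumer, but this change deletes the old sentence about the serious data corruption bug in the samba 4.12.2 vfs module together with its reference https://bugzilla.samba.org/show_bug.cgi?id=14361; keep that pointer, for example under [Quality assurance], so the security reviewer sees the known issue in a liburing consumer. In [Quality assurance], the statement that the build-time tests run with their return value ignored would be easier to act on if it listed which tests fail and which permissions or kernel config options they miss. In [Standards compliance], "d/rules and d/control as small" should read "are small".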
