[Summary]
There are two pending questions that need to be answered before getting the 
MIR team ack. As those are quite minor, I am happy to pass the baton on to the 
security team, but please answer them before getting the final ACK.
Those are:
- was the change 
debian/patches/0001-Disable-false-negative-DeepEqual-check.patch upstreamed? I 
think we should understand why this is a false positive for us and not for them 
in their environment (or they would have removed it). Making the patch DEP-3 
compliant would be appreciated.
- Out of interest, is there any reason to restrict to debhelper-compat (= 12) 
(and not >=), especially as there is no debian/compat?

As this daemon runs as root, it indeed needs a security review;
assigning it to the security team right now.

Notes:
TODO: - add todos, issues or special cases to discuss
Required TODOs:
TODO - TBD
Recommended TODOs:
TODO - TBD

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this, everything vendored as discussed 
above
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- build-deps are vendored as agreed above
- static linking as per Go

[Security]
OK:
- history of CVEs does not look concerning

- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does open a port, but only on localhost
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

Problems:
- runs a daemon as root, so it needs a security review.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time. One distro patch removes two 
DeepEqual checks; asked for more details in the summary.
- test suite failures will fail the build.
- does not have a test suite that runs as autopkgtest, but not needed due to 
the nature of Go (rather a nice to have)
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- Go package that uses dh-golang

[Packaging red flags]
OK:
- Ubuntu packaged (not in Debian)
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history does not have enough releases to be stated. It's 
several months behind upstream now and could have been updated in August, 
before FF; too late for groovy now.
- promoting this does not seem to cause issues for MOTUs so far
- no massive Lintian warnings
- d/rules is rather clean
-> out of interest, why is debhelper pinned exactly at version 12? Especially 
as there is no debian/compat.
- Does have Built-Using
- Go package that follows the Debian Go packaging guidelines

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks


** Changed in: google-osconfig-agent (Ubuntu)
     Assignee: Didier Roche (didrocks) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1891934

Title:
  [MIR] google-osconfig-agent

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/google-osconfig-agent/+bug/1891934/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
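An added check script for the two open questions in the review above (DEP-3 headers on the distro patch, and how the debhelper compat level is declared). It is not part of this MIR review or of the google-osconfig-agent packaging; the patch and control files it inspects are constructed here, and the real distro patch is not reproduced. The DEP-3 field names follow https://dep-team.pages.debian.net/deps/dep3/, where Forwarded is the field that records whether a change was sent upstream. On the second question, debhelper(7) documents the compat level as Build-Depends: debhelper-compat (= N) with an exact relation, because the version is the compat level rather than a minimum debhelper version, which is why that pin is expected and a debian/compat file is not needed next to it.

```shell
#!/bin/sh
# Added example, not from the MIR review or the google-osconfig-agent package:
# checks for the two open questions (DEP-3 headers on a distro patch, and how
# the debhelper compat level is declared). The sample files are constructed.
set -eu

# Print the DEP-3 fields missing from the pseudo-header of patch file $1, one
# per line. DEP-3 accepts Subject in place of Description and Author in place
# of Origin; Forwarded is the field that records whether the change went upstream.
dep3_missing() {
  # The pseudo-header is everything before the first diff/---/Index: line.
  header=$(awk '/^(---|diff |Index: )/ { exit } { print }' "$1")
  has_field() { printf '%s\n' "$header" | grep -q "^$1:"; }
  has_field Description || has_field Subject || echo Description
  has_field Origin || has_field Author || echo Origin
  has_field Forwarded || echo Forwarded
  return 0
}

# Print the compat level declared in $1/control via "debhelper-compat (= N)",
# or "none". debhelper only recognises the exact "(= N)" relation, because the
# version is the compat level, not a minimum debhelper version. A legacy
# debian/compat file next to it is flagged, as debhelper rejects having both.
dh_compat_level() {
  level=$(sed -n 's/.*debhelper-compat *( *= *\([0-9][0-9]*\) *).*/\1/p' "$1/control" | head -n 1)
  if [ -n "$level" ] && [ -e "$1/compat" ]; then
    echo "warning: $1/compat present alongside debhelper-compat (= $level)" >&2
  fi
  echo "${level:-none}"
}

# --- constructed sample tree (not the real package's files) ---
workdir=$(mktemp -d)
mkdir -p "$workdir/debian/patches"

# A patch carrying a DEP-3 header (constructed content).
cat > "$workdir/debian/patches/0001-with-dep3-header.patch" <<'EOF'
Description: Disable a DeepEqual check that fails in the Ubuntu build environment
 Constructed example; the real distro patch is not reproduced here.
Origin: vendor
Forwarded: no
--- a/agent_test.go
+++ b/agent_test.go
@@ -1 +1 @@
-old line
+new line
EOF

# The same hunk with no pseudo-header at all, as a bare "git diff" produces.
cat > "$workdir/debian/patches/0002-bare.patch" <<'EOF'
--- a/agent_test.go
+++ b/agent_test.go
@@ -1 +1 @@
-old line
+new line
EOF

cat > "$workdir/debian/control" <<'EOF'
Source: example-agent
Build-Depends: debhelper-compat (= 12), dh-golang, golang-go
EOF

for p in "$workdir"/debian/patches/*.patch; do
  missing=$(dep3_missing "$p")
  if [ -n "$missing" ]; then
    echo "$p: missing DEP-3 fields: $(printf '%s' "$missing" | tr '\n' ' ')"
  else
    echo "$p: DEP-3 header complete"
  fi
done
echo "debhelper compat level: $(dh_compat_level "$workdir/debian")"
```

Run it against a real source tree by pointing dep3_missing at each file listed in debian/patches/series and dh_compat_level at the debian/ directory; a patch that reports Forwarded as missing is exactly the case where the "was it upstreamed?" question cannot be answered from the package itself.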
