[Summary]
MIR Team Ack to src:libbpf

This does not need a security review IMHO, but as outlined below I'd want security to quickly ACK on that decision - assigning to Seth (security MIR Team member) for that.

List of specific binary packages to be promoted to main: libbpf0

Required TODOs:
- None

Recommended TODOs:
- Add build and/or autopkgtest tests to the package to spot issues early

[Duplication]
There is no other package in main providing the same functionality.
Some packages that formerly had libbpf code slowly migrate to this lib. But that isn't duplication, it is the right thing to do.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- -dev package will be auto-promoted, but all its deps are ok as well

[Embedded sources and static linking]
- no embedded source present (this is in fact used to un-embed some in other pkg)
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
  No issues on the lib yet, but the kernel backend has some (as one would expect for such a dynamic interface)
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bpf
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

Problems:
- does not parse data formats, but no externally controlled ones

I'm unsure if this needs a security review. They are currently rather busy with those, and this package does replace code that was worse in iproute2 (pulling it into main). Since this is driven by and in a lot of use by the bigger kernel community, as well as Debian jumping onto this for Buster, I think that while I'd appreciate a review we don't strictly need it here as we are replacing better code. Also the new iproute needs to go along with kernel 5.10, which just appeared in 21.04, so the runway is short.

But I'll want security to do a 5-10 minute read of that reasoning and the code to agree to that decision. If they do, we can go on promoting this immediately. If security decides that a full review is needed, it will go their way as usual.

[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard
- no new python2 dependency

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
  Gladly that is somewhat covered by the upstream travis tests. None of the few but growing dependencies has higher level tests yet. This isn't a blocker since this is "just" the lib, but certainly a step that would be recommended to the owning team to add.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good, but it is yet rather new
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: libbpf (Ubuntu)
       Assignee: Christian Ehrhardt (paelzer) => Seth Arnold (seth-arnold)

--
https://bugs.launchpad.net/bugs/1910576
Title: [MIR] libbpf (dependency of iproute2)

ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
