Public bug reported:

[ Availability ]

The telegraf package has been part of Ubuntu's universe repository
since Groovy.  It successfully builds and the tests pass on all
supported architectures: amd64, arm64, armhf, ppc64el, riscv64 and
s390x.

[ Rationale ]

Telegraf is part of a suite of programs referred to as LMA (Logging,
Monitoring and Alert). It is responsible for the Logging; prometheus,
prometheus-alertmanager and grafana are the other components of this
solution.

We, the Ubuntu Server team, have been maintaining the package for the
last several months, and we now would like to proceed with the MIR
process for it.

The telegraf package is being used as the building block of the
equivalent telegraf OCI image (see
https://hub.docker.com/repository/docker/ubuntu/telegraf), which is an
official image provided and supported by Canonical.

It is important to also note that the security team is already
providing tracking and notification of potential vulnerabilities and
CVEs on this OCI image, which means that, indirectly, the Ubuntu
telegraf package is already being treated more or less as a main
package.

[ Security ]

Unfortunately, due to the large number of unpackaged Golang
dependencies, it was not possible to package telegraf in Debian first
and then sync it to Ubuntu.  For this reason, the Ubuntu telegraf
package contains hundreds of vendorized Golang dependencies inside its
orig tarball.

I could not find any CVEs for telegraf itself on http://cve.mitre.org/
(the only thing I found was related to telegraf's official OCI image,
which does not apply to this MIR).

While analysing the Golang dependencies, I have found the following
CVEs:

- For github.com/dgrijalva/jwt-go/v4:

https://nvd.nist.gov/vuln/detail/CVE-2020-26160

This vulnerability does not affect the current version that is in
Hirsute/Impish.

- For github.com/gogo/protobuf:

https://nvd.nist.gov/vuln/detail/CVE-2021-3121

This vulnerability is being addressed at the time of this writing,
both by upstream and by us.

- For github.com/hashicorp/consul:

https://nvd.nist.gov/vuln/detail/CVE-2020-7219
https://nvd.nist.gov/vuln/detail/CVE-2018-19653
https://nvd.nist.gov/vuln/detail/CVE-2020-28053
https://nvd.nist.gov/vuln/detail/CVE-2020-13250

These vulnerabilities do affect the current version in Hirsute/Impish,
but they are not trivial to fix and we are working with upstream to
address them.

- For github.com/prometheus/prometheus:

https://nvd.nist.gov/vuln/detail/CVE-2019-3826

This vulnerability does affect the current version in Hirsute/Impish,
but it is not trivial to fix and we are working with upstream to
address it.

[ Quality Assurance ]

- The package is installed with a reasonable configuration file and
  a proper systemd service.

- It does not ask any debconf questions during installation.

- There are no long-term outstanding bugs that affect the usability of
  the program.

- The package is not available in Debian, so there is no bug there.

- The only bug opened against the Ubuntu telegraf package right now is
  the one dealing with CVE-2021-3121.

- The package is well-maintained in Ubuntu by the Ubuntu Server team.

- The package does not deal with exotic hardware that is not supported
  by Ubuntu.  It does offer probes and code to deal with some optional
  hardware that may be installed in the user's computer, but by
  default this support is disabled in the configuration file.

- The package ships with a test suite which is executed during
  build-time and passes on all supported architectures.  It also ships
  with a simple dep8 test.

- The package provides a debian/watch file.

- The package is lintian-free (including with --pedantic).

[ UI standards ]

N/A

[ Dependencies ]

As it is a Golang package, the telegraf binary is statically compiled
and doesn't depend on anything other than libc6.  The only extra
dependency that was added (due to the postinst script) is adduser,
which is also in main.

[ Standards compliance ]

The package follows FHS and Debian Policy standards to the maximum
extent.  The only clear violation of the policy, as mentioned above,
is the fact that all Golang modules are vendorized (bundled) in the
source package.  Otherwise, everything else follows the standards.

[ Maintenance ]

The telegraf package has already been maintained by the Ubuntu Server
team, and this will continue to apply.

[ Background information ]

We are still considering and discussing whether it makes sense to pursue
an SRU exception for MRE applicable to telegraf.  We are trying to
gather more information from our userbase in order to determine whether
they would benefit from having a newer telegraf package in a stable
release, and what the implications of that would be.

** Affects: telegraf (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1926321

Title:
  [MIR] telegraf
