[Summary]
The package is in a very good shape, higher than most of the ones we review. I have a few questions but no big blocker. I feel it would still be good for the security team (even if they already support it to some point) to have a second look before we promote it to main. Hopefully, as this is mildly-supported already, that should be a quick pass.
Thanks for the detailed security and CVE analysis, including the vendored dependencies. Much appreciated :)

Notes:

Questions:
- I think we should promote it once github.com/gogo/protobuf is fixed and an upload with the vendored updated dep is done. It seems to be fixed in 1.18.1+ds1-0ubuntu1, correct?
- Same with github.com/prometheus/prometheus/, let’s wait then for the latest version of telegraf which isn’t impacted by it (do you have the version handy? Is it 1.18.1? and so, we can mark this as "DONE"?)
- About the github.com/hashicorp/consul CVEs and fixes, do you have any ETA? I think we should wait for them to be fixed before the actual promotion (and this can give some time for the security team to assess the package again), wdyt?
- You are patching the upstream service file in debian/patches/adjust-service-user.patch but still provide a service file in debian/telegraf.service. I didn’t see the latter installed by any script, and so, it seems the debian/ one is not needed anymore. Do you mind having a look and cleaning that up? (Either removing the patch, which is not needed if we don’t install the upstream one, or the unused .service in debian/)

Required TODOs:
- Can you check and update debian/copyright please? Some years are not present, and copyright attributions are wrong (for instance vendor/honnef.co/* has some files "Copyright 2014 The Go Authors"). I think a second look would be good if you can ensure that everything is up to date.
- The package is in the lto-disabled list (see https://launchpad.net/ubuntu/+source/lto-disabled-list). You need to fix or work around it directly in the package. If you need an example for a go package disabling it (due to Go internals): https://github.com/ubuntu/adsys/blob/main/debian/rules#L11

[Duplication]
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK: Go package, contains vendoring, but we already have some projects in main following this schema in Ubuntu, and so ok.

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does open a port, but unprivileged
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
Problems:
- history of CVEs of dependencies (statically linked) has been detailed. Some were already addressed. See the question section on how we deal with the remaining ones.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- Go package that uses dh-golang

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code, even if it has an internal plugin system, which is using Go interfaces.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs so far
- no Lintian warnings
- d/rules is rather clean
- Go Package that follows the Debian Go packaging guidelines
Problems:
- is on the lto-disabled list. See required todo.
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

--
https://bugs.launchpad.net/bugs/1926321
Title: [MIR] telegraf

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
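As an added illustration of the lto-disabled-list TODO in the review above (this is not the telegraf package's own debian/rules, and it assumes a plain dh-golang build with the Go import path taken from debian/control), the opt-out the reviewer asks for lives in debian/rules: dpkg-buildflags honours DEB_BUILD_MAINT_OPTIONS, so optimize=-lto switches off the Ubuntu-wide LTO default for this one source package instead of relying on the central lto-disabled-list exception.

```make
#!/usr/bin/make -f
# Added example, not the telegraf package's actual debian/rules.

# Ubuntu turns LTO on by default through dpkg-buildflags; the Go toolchain
# and cgo objects do not cope with it, so opt this source package out here.
# Once this is in the package it no longer needs an entry in lto-disabled-list.
export DEB_BUILD_MAINT_OPTIONS := optimize=-lto

# Standard dh-golang build; the import path comes from XS-Go-Import-Path
# in debian/control (assumed present, as for any dh-golang package).
%:
	dh $@ --buildsystem=golang --with=golang
```

In a build environment for the package, `dpkg-buildflags --get CFLAGS` should then no longer carry the `-flto` options that the Ubuntu default injects.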
