** Description changed: - placeholder for MIR - - - frr has its roots in quagga - - quagga is unmaintained upstream: + [Availability] + The package frr is already in Ubuntu universe. + The package builds for the architectures it is designed to work on. + It currently builds and works for architetcures: amd64, arm64, armhf, ppc64el, s390x, riscv64 + Link to package: https://launchpad.net/ubuntu/+source/frr + + [Rationale] + frr is a fork and replacement for quagga, which is what we have in main but is unmaintained by upstream. + About quagga: - we have been carrying the same version since bionic - upstream's git repo is gone (http://git.savannah.gnu.org/cgit/quagga.git) - git mirror at https://github.com/Quagga/quagga shows last commit in 2018 (https://github.com/Quagga/quagga - mailing lists have crickets (https://lists.quagga.net/pipermail/quagga-users/, https://lists.quagga.net/pipermail/quagga-dev/) The proposal is to demote quagga, and promote ffr, for jammy. - I'll do the initial MIR evaluation, and thus assign this bug to me. Once - the MIR template is filled out, I'll mark this bug as NEW again and - unassigned. + [Security] + http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=frr + 4 CVEs in older versions (jammy has 8.1) + CVE-2017-15865 - information leak + CVE-2017-5495 - DoS due to memleak + CVE-2019-5892 - DoS + CVE-2020-12831 - (disputed) info leak via an initially empty world readable config file + + site:www.openwall.com/lists/oss-security frr + 0 hits (the single hit was for the "frr" string in a pgp signature) + + Ubuntu: + https://ubuntu.com/security/cve?q=frr&package=&priority=&version=&status= + https://ubuntu.com/security/CVE-2020-12831 needs triage: (disputed) info leak via an initially empty world readable config file + https://ubuntu.com/security/CVE-2017-5495 only affected quagga in ubuntu it seems + + - no `suid` or `sgid` binaries + - no executables in `/sbin` and `/usr/sbin` + - Package installs services: + /lib/systemd/system/frr.service + + Right after installation, one daemon runs as root, the other two as "frr": + root 32148 0.0 0.0 7960 2892 ? Ss 14:02 0:00 /usr/lib/frr/watchfrr -d -F traditional zebra staticd + frr 32161 0.0 0.0 242848 7000 ? Ssl 14:02 0:00 /usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 + frr 32166 0.0 0.0 9256 3608 ? Ss 14:02 0:00 /usr/lib/frr/staticd -d -F traditional -A 127.0.0.1 + + Many more can be run depending on configuration, though. Default list in /etc/frr/daemons: + bgpd=no + ospfd=no + ospf6d=no + ripd=no + ripngd=no + isisd=no + pimd=no + ldpd=no + nhrpd=no + eigrpd=no + babeld=no + sharpd=no + pbrd=no + bfdd=no + fabricd=no + vrrpd=no + pathd=no + + If all are enabled, we get this by default: + frr 1033 0.0 0.0 1722872 9648 ? Ssl 14:42 0:00 /usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 + frr 1038 0.0 0.0 173100 9108 ? Ssl 14:42 0:00 /usr/lib/frr/bgpd -d -F traditional -A 127.0.0.1 + frr 1045 0.0 0.0 9916 4192 ? Ss 14:42 0:00 /usr/lib/frr/ripd -d -F traditional -A 127.0.0.1 + frr 1048 0.0 0.0 9660 3832 ? Ss 14:42 0:00 /usr/lib/frr/ripngd -d -F traditional -A ::1 + frr 1051 0.0 0.0 11852 4900 ? Ss 14:42 0:00 /usr/lib/frr/ospfd -d -F traditional -A 127.0.0.1 + frr 1054 0.0 0.0 10828 4632 ? Ss 14:42 0:00 /usr/lib/frr/ospf6d -d -F traditional -A ::1 + frr 1057 0.0 0.0 11540 4884 ? Ss 14:42 0:00 /usr/lib/frr/isisd -d -F traditional -A 127.0.0.1 + frr 1060 0.0 0.0 9388 3532 ? Ss 14:42 0:00 /usr/lib/frr/babeld -d -F traditional -A 127.0.0.1 + frr 1063 0.0 0.0 11540 5088 ? Ss 14:42 0:00 /usr/lib/frr/pimd -d -F traditional -A 127.0.0.1 + frr 1071 0.0 0.0 9692 5380 ? S 14:42 0:00 /usr/lib/frr/ldpd -L -u frr -g frr + frr 1072 0.0 0.0 9520 5376 ? S 14:42 0:00 /usr/lib/frr/ldpd -E -u frr -g frr + frr 1074 0.0 0.0 10288 3652 ? Ss 14:42 0:00 /usr/lib/frr/ldpd -d -F traditional -A 127.0.0.1 + frr 1078 0.0 0.0 9968 3652 ? Ss 14:42 0:00 /usr/lib/frr/nhrpd -d -F traditional -A 127.0.0.1 + frr 1082 0.0 0.0 9812 4000 ? Ss 14:42 0:00 /usr/lib/frr/eigrpd -d -F traditional -A 127.0.0.1 + frr 1085 0.0 0.0 9232 3376 ? Ss 14:42 0:00 /usr/lib/frr/pbrd -d -F traditional -A 127.0.0.1 + frr 1088 0.0 0.0 9204 3136 ? Ss 14:42 0:00 /usr/lib/frr/staticd -d -F traditional -A 127.0.0.1 + frr 1091 0.0 0.0 9496 3596 ? Ss 14:42 0:00 /usr/lib/frr/bfdd -d -F traditional -A 127.0.0.1 + frr 1094 0.0 0.0 10460 4052 ? Ss 14:42 0:00 /usr/lib/frr/fabricd -d -F traditional -A 127.0.0.1 + frr 1097 0.0 0.0 9256 3472 ? Ss 14:42 0:00 /usr/lib/frr/vrrpd -d -F traditional -A 127.0.0.1 + frr 1101 0.0 0.0 9600 3728 ? Ss 14:42 0:00 /usr/lib/frr/pathd -d -F traditional -A 127.0.0.1 + + + - Packages does not open privileged ports (ports < 1024) + The above daemons all listen on unprivileged high ports for the vty interface, but might open privileged ports once configured properly. For example, the RIP routing protocol uses 520/UDP. + + - Packages does not contain extensions to security-sensitive software + No. But one could argue that routing is security sensitive. + + [Quality assurance - function/usage] + - The package works well right after install + That being said, routing is very site specific. While all the daemons start and run if so requested, definitely some configuration will be needed for them to be useful. + + [Quality assurance - maintenance] + - The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open + There are just two open bugs in Ubuntu, filed by me: https://bugs.launchpad.net/ubuntu/+source/frr + - one is this MIR + - the other is LP: #1958162, which I found after trying the package out. I think this one must be fixed, because logging is important. + + - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=frr + I would like to highlight this one: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000032: depends on obsolete pcre3 library + The current 8.1-1 upload has a build-depends on libpcre2-dev, replacing libpcre3-dev, so maybe it was fixed. Needs to be checked, as I tried some apt-cache show grepping for pcre and couldn't find any. + + - Upstream: https://github.com/FRRouting/frr/issues + Many open and closed bugs, as expected from a busy project. I tried looking for serious ones, but didn't find obvious ones in the first few pages. Going through labels, there wasn't any indicating severity. Using the "security" label returned just one open issue, which might be a corner case and has some technical discussion: + https://github.com/FRRouting/frr/issues/8728 + + [Quality assurance - testing] + - The package runs a test suite on build time, if it fails + it makes the build fail, link to build log <TBD> + The build runs a test suite. Last build in jammy: + ============================= test session starts ============================== + platform linux -- Python 3.9.8, pytest-6.2.5, py-1.10.0, pluggy-0.13.0 -- /usr/bin/python3 + cachedir: .pytest_cache + rootdir: /<<PKGBUILDDIR>>/tests, configfile: pytest.ini + collecting ... collected 440 items + + bgpd/test_aspath.py::TestAspath::test_exit_cleanly PASSED [ 0%] + bgpd/test_aspath.py::TestAspath::test_seq1 PASSED [ 0%] + bgpd/test_aspath.py::TestAspath::test_seq2 PASSED [ 0%] + bgpd/test_aspath.py::TestAspath::test_seq3 PASSED [ 0%] + bgpd/test_aspath.py::TestAspath::test_seqset PASSED [ 1%] + bgpd/test_aspath.py::TestAspath::test_seqset2 PASSED [ 1%] + (...) + Link: https://launchpadlibrarian.net/568804185/buildlog_ubuntu-jammy-amd64.frr_8.1-1_BUILDING.txt.gz + + There is no dh_auto_test override. I patched a random test to fail, and the build fail accordingly: + self = <test_aspath.TestAspath object at 0x7f6f7bd740a0> + line = 'basic 4-byte as-path' + okfail = re.compile(b'^(?:\\x1b\\[3[12]m)?(?P<ret>OK|failed)', re.MULTILINE) + + def _okfail(self, line, okfail=re_okfail): + self._onesimple(line) + + m = okfail.search(self.output) + if m is None: + raise MultiTestFailure("OK/fail not found") + self.output = self.output[m.end() :] + + if m.group("ret") != "OK".encode("utf8"): + > raise MultiTestFailure("Test output indicates failure") + E frrtest.MultiTestFailure: Test output indicates failure + + helpers/python/frrtest.py:160: MultiTestFailure + ---- generated xml file: /home/ubuntu/git/packages/frr/frr/tests/tests.xml ----- + =========================== short test summary info ============================ + FAILED bgpd/test_aspath.py::TestAspath::test_exit_cleanly - frrtest.MultiTest... + FAILED bgpd/test_aspath.py::TestAspath::test_basic_4_byte_as_path - frrtest.M... + ================== 2 failed, 433 passed, 5 skipped in 16.40s =================== + make[1]: *** [Makefile:15534: tests/tests.xml] Error 1 + make[1]: Leaving directory '/home/ubuntu/git/packages/frr/frr' + dh_auto_test: error: make -j4 check VERBOSE=1 returned exit code 2 + make: *** [debian/rules:33: build] Error 25 + dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 + + + The package runs autopkgtests, and is currently passing on all arches but i386, where it's not available: https://autopkgtest.ubuntu.com/packages/frr + + + [Quality assurance - packaging] + - debian/watch is present and works + + lintian is a bit noisy, mostly about documentation issues: + $ lintian -I --pedantic + E: frr changes: bad-distribution-in-changes-file unstable + W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/doctools.js please use sphinx + W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/language_data.js please use sphinx + W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/searchtools.js please use sphinx + W: frr: groff-message usr/share/man/man1/frr.1.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8 + W: frr: groff-message usr/share/man/man1/vtysh.1.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8 + W: frr: groff-message usr/share/man/man8/frr-bfdd.8.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8 + W: frr: groff-message ... use --no-tag-display-limit to see all (or pipe to a file/program) + W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-normal-processing.png + W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-rs-processing.png + W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-vnc-commercial-route-reflector.png + W: frr-doc: info-document-missing-image-file ... use --no-tag-display-limit to see all (or pipe to a file/program) + W: frr: mismatched-override spelling-error-in-binary usr/lib/frr/zebra writen written + W: frr source: possible-new-upstream-release-without-new-version + I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:120 + I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:211 + I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:213 + I: frr: acute-accent-in-manual-page ... use --no-tag-display-limit to see all (or pipe to a file/program) + I: frr: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/frr/modules/zebra_cumulus_mlag.so + I: frr source: out-of-date-standards-version 4.5.0.3 (released 2020-01-20) (current is 4.5.1) + I: frr: spelling-error-in-binary usr/bin/vtysh configration configuration + I: frr: spelling-error-in-binary usr/bin/vtysh informtion information + I: frr: spelling-error-in-binary usr/lib/frr/bgpd Neighor Neighbor + I: frr: spelling-error-in-binary ... use --no-tag-display-limit to see all (or pipe to a file/program) + I: frr: systemd-service-file-refers-to-var-run lib/systemd/system/frr.service PIDFile /var/run/frr/watchfrr.pid + I: frr: typo-in-manual-page usr/share/man/man1/vtysh.1.gz prefered preferred + I: frr-rpki-rtrlib: unused-override hardening-no-fortify-functions * + P: frr: executable-in-usr-lib usr/lib/frr/babeld + P: frr: executable-in-usr-lib usr/lib/frr/bfdd + P: frr: executable-in-usr-lib usr/lib/frr/bgpd + P: frr: executable-in-usr-lib ... use --no-tag-display-limit to see all (or pipe to a file/program) + P: frr-pythontools: executable-in-usr-lib usr/lib/frr/frr-reload.py + P: frr-pythontools: executable-in-usr-lib usr/lib/frr/generate_support_bundle.py + P: frr source: package-lacks-versioned-build-depends-on-debhelper 10 + P: frr source: package-uses-old-debhelper-compat-version 10 + P: frr: renamed-tag manpage-without-executable => spare-manual-page in line 10 + P: frr source: silent-on-rules-requiring-root + N: 24 hints overridden (24 info); 2 unused overrides + + The existing overrides are well documented. Example: + $ cat debian/frr.lintian-overrides + # function names & co. + frr binary: spelling-error-in-binary usr/lib/*/frr/libfrr.so.0.0.0 writen written + frr binary: spelling-error-in-binary usr/lib/*/frr/libfrrospfapiclient.so.0.0.0 writen written + frr binary: spelling-error-in-binary usr/lib/frr/ospfd writen written + frr binary: spelling-error-in-binary usr/lib/frr/zebra writen written + frr binary: spelling-error-in-binary usr/lib/frr/pimd writen written + frr binary: spelling-error-in-binary usr/lib/frr/pimd iif if + + # prefixed man pages for off-PATH daemons + manpage-without-executable + + # personal name + spelling-error-in-copyright Ang And + + + - This package does not rely on obsolete or about to be demoted packages. + There is an open question about PCRE3. The latest upload changed the build-dep on libpcre3-dev to libpcre2-dev, which is what we want since PCRE3 is obsolete. I don't see evidence in the build logs, nor in the final package deps, that PCRE2 was used, though. The configure script checks for "pcreposix", which is part of PCRE3, and it is not found (because we installed libpcre2-dev): + + Resulting config.h: + /* Define to 1 if you have the `pcreposix' library (-lpcreposix). */ + /* #undef HAVE_LIBPCREPOSIX */ + + It's only checked for if ./configure is given --enable-pcreposix, which d/rules doesn't: + if test "$enable_pcreposix" = "yes"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for regexec in -lpcreposix" >&5 + + $ grep -i pcre debian/control debian/rules config.log + debian/control: libpcre2-dev, + config.log:HAVE_LIBPCREPOSIX='' + + - This package has no python2 or GTK2 dependencies + + - The package will not be installed by default + + - Packaging and build is easy: + https://git.launchpad.net/ubuntu/+source/frr/tree/debian/rules + + + [UI standards] + There are no translations. + It's a server service with sysadmin oriented commands, config file and shell interface (vtysh). + + [Dependencies] + There are two, or maybe just one, extra dependencies for which we will need MIRs: + libyang2: https://launchpad.net/ubuntu/+source/libyang2 + librtr: https://launchpad.net/ubuntu/+source/librtr. This one is used in a separate binary package, and we might get away with keeping just this binary package (frr-rpki-rtrlib) in universe. + + [Standards compliance] + This package correctly follows FHS and Debian Policy + + + [Maintenance/Owner] + Team is already subscribed to the package + This does not use static builds + + [Background information] + RULE: - The package descriptions should explain the general purpose and context + RULE: of the package. Additional explanations/justifications should be done in + RULE: the MIR report. + RULE: - If the package was renamed recently, or has a different upstream name, + RULE: this needs to be explained in the MIR report. + The Package description explains the package well + Upstream Name is Free Range Routing (frr) + Link to upstream project https://frrouting.org/ + + This is a fork and replacement for quagga, which is in main already for quite some time. Unfortunately upstream development stopped, and we should not keep quagga in main anymore. Ubuntu has been shipping the same build for many releases already: + quagga | 1.2.4-1 | bionic | source, amd64, arm64, armhf, i386, ppc64el, s390x + quagga | 1.2.4-4build1 | focal | source, amd64, arm64, armhf, ppc64el, riscv64, s390x + quagga | 1.2.4-4ubuntu1 | hirsute | source, amd64, arm64, armhf, ppc64el, riscv64, s390x + quagga | 1.2.4-4ubuntu2 | impish | source, amd64, arm64, armhf, ppc64el, riscv64, s390x + quagga | 1.2.4-4ubuntu2 | jammy | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1951834 Title: [MIR]: frr To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/frr/+bug/1951834/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
