Review for Source Package: rust-sudo-rs

[Summary]
MIR team ACK under the constraint to answer and potentially work on the below listed recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: sudo-rs. I see that removing the -dev package is in progress on https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug/2115785.

Notes:
I reviewed 0.2.5-5ubuntu2, which is still in proposed at the moment of this writing. This is the version which adds some vendoring instructions and enhancements.

Recommended TODOs:
1. The current release is not packaged. I agree that 0.2.7 was only released last week, but we didn’t get 0.2.6 either, which was released early in May. I suggest that we update to the new version, which has quite some changes and new features, as this is a high profile update for questing.
2. There are quite some Rust warnings during the build about unused functions and so on. I suggest that we work with upstream to limit those warnings and get a clean build output.
3. Can we work with upstream so that end-user facing strings are marked for and support translation?

[Rationale, Duplication and Ownership]
The foundation team is committed to own long term maintenance of this package.
The rationale given in the report seems valid and useful for Ubuntu.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- rust-sudo-rs checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

[Embedded sources and static linking]
OK:
- Rust package that has all dependencies vendored. It does neither have *Built-Using (after build). Nor does the build log indicate built-in sources that are missed to be reported as Built-Using.
- rust package using dh_cargo (dh ... --buildsystem cargo)
- Includes vendored code, the package has documented how to refresh this code at debian/README.source

[Security]
OK:
- history of CVEs does not look concerning (were quickly fixed on this young project)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
- this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...)

Problems:
- does deal with system authentication (pam) and uses setuid bits. We need a security review due to this.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- the current release is NOT packaged (0.2.7, we are at 0.2.5)

[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as we can check it). It’s rust!
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user 'nobody' outside of tests
- use of setuid, but ok because it’s the expected feature of this tool
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks

Problems:
- There are quite some Rust warnings during the build about unused functions and so on. I suggest that we work with upstream to limit those warnings and get a clean build output.
- no translation present.

** Changed in: rust-sudo-rs (Ubuntu)
     Assignee: Didier Roche-Tolomelli (didrocks) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/2113928

Title:
  [MIR] rust-sudo-rs
