Review for Source Package: src:mariadb

[Summary]
MariaDB is a widely-used, high-performance, relational database that serves as a drop-in replacement for MySQL. It is more popular than MySQL for new application deployments. Promoting MariaDB to main alongside MySQL provides a choice of fully-supported, modern database servers for Ubuntu users and positions Ubuntu to potentially switch defaults if MySQL's popularity continues to decline.

MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs.

This DOES need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main:
1. mariadb-server
2. mariadb-server-core
3. mariadb-client
4. mariadb-client-core
5. mariadb-common
6. mariadb-backup
7. libmariadb3
8. libmariadb19t64
9. libmariadb-dev
10. libmariadb-dev-compat
11. libmariadbd-dev
12. mariadb-client-compat
13. mariadb-server-compat
14. mariadb-server-10.5

Specific binary packages built, but NOT to be promoted to main:
1. mariadb-plugin-connect
2. mariadb-plugin-connect-jdbc
3. mariadb-plugin-s3
4. mariadb-plugin-rocksdb
5. mariadb-plugin-oqgraph
6. mariadb-plugin-mroonga
7. mariadb-plugin-spider
8. mariadb-plugin-gssapi-server
9. mariadb-plugin-gssapi-client
10. mariadb-plugin-cracklib-password-check
11. mariadb-plugin-hashicorp-key-management
12. mariadb-plugin-provider-bzip2
13. mariadb-plugin-provider-lz4
14. mariadb-plugin-provider-lzma
15. mariadb-plugin-provider-lzo
16. mariadb-plugin-provider-snappy
17. mariadb-test
18. mariadb-test-data

Notes:
#0 - Sources like readline, wolfssl, zlib are vendored by upstream. But there is clear evidence in debian/rules that these are removed and the equivalent system installed libraries are used instead.

Required TODOs:
#1 - If the Server team agrees to maintain this, please have them subscribed to the package.
#2 - Package bin:mariadb-client depends on libconfig-inifiles-perl. The latter also needs an MIR.
#3 - Package mariadb-client recommends libdbd-mariadb-perl | libdbd-mysql-perl. Could this be dropped to Suggests?
#4 - The report mentions shipping of apparmor profiles. However, the default profile is empty, which means apparmor is disabled. Also IIUC, upstream profiles are not shipped. Please provide a justification.
#5 - Symbols tracking is not in place for bin:libmariadbd19t64. Please provide a justification.
#6 - The current stable upstream release 12.0.2 is not packaged. Please consider packaging or provide a justification for not doing so. Were any CVEs fixed between 11.8.3 and 12.0.2?
#7 - Please address the lintian error listed under [Packaging red flags]

Recommended TODOs:
#8 - There are some incautious uses of malloc(). Please consider a full-scan and fixing such uses.
#9 - The upstream builds report quite a few warnings. Please consider fixing them.
#10 - There is a use of setuid/setgid noted in [Upstream red flags], which may or may not be a problem. Please consider addressing this.
#11 - Please consider fixing lintian warnings listed under [Packaging red flags].

[Rationale, Duplication and Ownership]
OK:
- The rationale given in the report seems valid and useful for Ubuntu
Problems:
- There is another package in main providing the same functionality
  => The mysql-* packages in main provide the same functionality. However, it is a conscious proposal to have mariadb promoted to main alongside mysql.
- A team is committed to own long term maintenance of this package.
  => The MIR mentions Server, but the team isn't subscribed yet.

[Dependencies]
OK:
- No -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.
Problems:
- src:mariadb checked with check-mir
  => mariadb-client depends on libconfig-inifiles-perl which is in universe
  => mariadb-client recommends libdbd-mariadb-perl | libdbd-mysql-perl, both are in universe

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems: None

[Security]
OK:
- this does have a significant history of CVEs
  => the upstream project actively tracks and fixes reported CVEs
- does not run a daemon as root
  => the mariadb daemon is run as the "mysql" user
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
  => exposes standard database port 3306
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
Problems:
- this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...)
  => Comments in debian/apparmor-profile indicate that apparmor is disabled for mariadbd by default, for fresh installs. It is also apparent from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875890 that upstream apparmor profiles are not included.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place.
  => for bin:libmariadb3
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems:
- Symbols tracking is not in place for bin:libmariadbd19t64
- the current stable release 12.0.2 is not packaged
- lintian errors and warnings
  => I spotted these errors and warnings related to the packages to be promoted
  E: mariadb-server: library-not-linked-against-libc [usr/lib/mysql/plugin/query_response_time.so]
  W: libmariadb-dev: executable-not-elf-or-script [usr/lib/x86_64-linux-gnu/pkgconfig/libmariadb.pc]
  W: mariadb-server: executable-not-elf-or-script [usr/bin/wsrep_sst_common]
  W: mariadb-server: executable-not-elf-or-script [usr/lib/systemd/system/mariadb.service]
  W: mariadb source: mismatched-override very-long-line-length-in-source-file * [storage/columnstore/columnstore/CMakeLists.txt:*] [debian/source/lintian-overrides:59]
  W: libmariadb3: mismatched-override hardening-no-fortify-functions [usr/lib/*/libmariadb3/plugin/caching_sha2_password.so] [usr/share/lintian/overrides/libmariadb3:2]
  W: libmariadb3: mismatched-override hardening-no-fortify-functions [usr/lib/*/libmariadb3/plugin/sha256_password.so] [usr/share/lintian/overrides/libmariadb3:4]
  W: mariadb-server: mismatched-override hardening-no-fortify-functions [usr/lib/mysql/plugin/file_key_management.so] [usr/share/lintian/overrides/mariadb-server:10]
  W: mariadb source: orig-tarball-missing-upstream-signature mariadb_11.8.3.orig.tar.gz

[Upstream red flags]
OK:
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user 'nobody' outside of tests
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case
Problems:
- warnings during the build
  => The upstream build reports compiler and assembler warnings
- incautious use of malloc/sprintf
  => Though I did not do a full scan, I found a few incautious uses of malloc(). Examples:
     mariadb/mysys/thr_timer.c:548
     libmariadb/libmariadb/ma_dtoa.c:644
     storage/connect/tabext.cpp:473
- use of setuid / setgid
  => mysys/my_setuser.c invokes setuid/setgid, which may or may not be an issue

** Bug watch added: Debian Bug tracker #875890
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875890

** Changed in: mariadb (Ubuntu)
     Assignee: Pushkar Kulkarni (pushkarnk) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122095

Title:
  [MIR] mariadb

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2122095/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
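The review's TODO #4 and the [Security] problem both hinge on whether an AppArmor profile for mariadbd is actually loaded on a fresh install. The script below is an added example written for this review thread; it is not part of the mariadb package, Debian's packaging, or Launchpad. It reads the kernel's list of loaded profiles (one "name (mode)" entry per line, as found in /sys/kernel/security/apparmor/profiles) and reports whether any profile whose name contains "mariadbd" is loaded and in which mode. The profile name, the sample listings and the helper names are assumptions made for the example; an empty shipped profile, as the review describes, shows up here as "absent".

```shell
#!/bin/sh
# Added example (not from the mariadb package): report the AppArmor state of
# mariadbd from the kernel's profile list. Each line of that list looks like
# "/usr/sbin/mariadbd (enforce)"; the profile name used here is an assumption.

# Print the mode of the first loaded profile mentioning mariadbd, or "absent"
# when no such profile is loaded. $1 is the profile list path; it defaults to
# the live kernel file, so a constructed file can be passed for offline use.
mariadbd_profile_mode() {
    list="${1:-/sys/kernel/security/apparmor/profiles}"
    if [ ! -r "$list" ]; then
        echo "unreadable"
        return 1
    fi
    # Take the trailing "(mode)" token of the first matching entry.
    mode=$(grep -i 'mariadbd' "$list" | head -n 1 | sed -n 's/.*(\([a-z]*\))$/\1/p')
    if [ -z "$mode" ]; then
        echo "absent"
    else
        echo "$mode"
    fi
}

# Exit status 0 only when mariadbd is confined in enforce mode; complain mode,
# no profile, and an unreadable list all count as "not confined".
check_mariadbd_confined() {
    case "$(mariadbd_profile_mode "$1")" in
        enforce) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample listings (not real system output) so the checks can run
# without AppArmor. Prints the directory holding the three files.
make_samples() {
    dir="${TMPDIR:-/tmp}/aa-sample.$$"
    mkdir -p "$dir"
    printf '%s\n' '/usr/sbin/cupsd (enforce)' '/usr/sbin/mariadbd (enforce)' > "$dir/enforcing"
    printf '%s\n' '/usr/sbin/cupsd (enforce)' '/usr/sbin/mariadbd (complain)' > "$dir/complain"
    printf '%s\n' '/usr/sbin/cupsd (enforce)' > "$dir/none"
    echo "$dir"
}

# Run with --live to inspect the host you are on; otherwise walk the samples.
if [ "${1:-}" = "--live" ]; then
    echo "mariadbd apparmor mode: $(mariadbd_profile_mode)"
elif [ "${1:-}" = "--demo" ]; then
    samples=$(make_samples)
    for f in enforcing complain none; do
        echo "$f: $(mariadbd_profile_mode "$samples/$f")"
    done
    rm -rf "$samples"
fi
```

On a host where the shipped profile is the empty one the review describes, `sh check.sh --live` prints "absent", which is the state the reviewer is asking the packagers to justify; an `aa-status` listing would show the same thing, but reading the kernel file keeps the check free of extra tooling.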
