Thanks for the review!

AppArmor has been disabled for many years due to too many false positives, tracked in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875890 as noted above.

The Perl dependencies review is tracked in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115678. The similar MySQL client package is smaller and does not have any of the Perl scripts, so indeed for MariaDB libconfig-inifiles-perl might also need a MIR filed, but I will do more research before doing it.

MariaDB 11.8 is a long-term supported release with security fixes and source code releases until spring of 2030, and was thus chosen for Debian and Ubuntu. The newer 12.x are short-term releases that we intentionally don't import to Debian/Ubuntu (this is similar to MySQL 8.4 vs the 9.x series).

libmariadbd is the embedded server, and it does not have symbols tracking as it is not a traditional library but the whole server built into a single binary, to be embedded in other apps as a whole. There are no packages in Debian/Ubuntu that build with libmariadbd-dev. Anyone using it would have their own custom setup.

The Lintian errors/warnings are mostly due to special constructs in how the server creates plugins for itself. The server build already has all hardening flags, but in some plugins the internal ABI structure is partial and Lintian does not detect the hardening properly. They need a separate deep-dive and should be documented in Lintian overrides.

The executable bit issues are minor, and they, along with other minor Lintian issues, have been reported upstream in e.g. MDEV-6153, MDEV-21869 and MDEV-33837, but haven't gotten full attention due to being insignificant. I will ping upstream to consider fixing them, as after all the executable bits are trivial to fix.

The Lintian warning about orig-tarball-missing-upstream-signature is likely an artifact of how the package was downloaded. Upstream publishes signatures for all releases and they are always imported to Debian/Ubuntu, see e.g. http://archive.ubuntu.com/ubuntu/pool/universe/m/mariadb/mariadb_11.8.3.orig.tar.gz.asc

For the highlighted cases of potential malloc() misuse I don't have any immediate comments; they need to be researched. I do however know that upstream is running Valgrind, ASAN, MSAN, UBSAN and TSAN in their CI to catch and fix memory issues.

For mysys/my_setuser.c I don't have any immediate comments either; it needs further research. This is however a piece of software that has had extensive and ongoing security audits and testing, and the security posture should be pretty good. All findings need to be double-checked of course, and documented (e.g. mysys/my_setuser.c is currently lacking inline comments explaining why setuid is used).

I am also considering adding some memory sanitizer checking or other security scanning in the CI for the Debian packaging, if that could provide more value beyond what upstream is already doing.

I will report back here when there are changes in the package or further research results/documentation is available.

** Bug watch added: Debian Bug tracker #1115678
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115678

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122095

Title:
  [MIR] mariadb

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
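The "potential malloc() misuse" findings mentioned in the reply are not spelled out in this thread. As an added example (not code from MariaDB, from the reviewer, or from the Debian packaging), the block below shows the two patterns such a finding usually comes down to, an allocation size computed as `n * elem` without an overflow check and an allocation result used without a NULL check, next to a checked helper that closes both. The names `mul_overflows`, `unchecked_size`, `safe_array_alloc`, `build_table` and `struct record` are hypothetical and chosen for illustration only.

```c
/* Added example: checked allocation versus the unchecked pattern a memory
 * audit flags. Not MariaDB code; all names here are made up for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if n * elem would wrap size_t. Otherwise stores the product in
 * *out and returns 0. The division form avoids relying on compiler builtins. */
int mul_overflows(size_t n, size_t elem, size_t *out)
{
    if (n != 0 && elem > SIZE_MAX / n)
        return 1;
    *out = n * elem;
    return 0;
}

/* The unsafe pattern: the size handed to malloc() is computed without any
 * overflow check. With n = SIZE_MAX / 4 + 2 and elem = 8 the product wraps
 * to 8, so malloc() would hand back an 8-byte buffer that the caller then
 * treats as n records long. */
size_t unchecked_size(size_t n, size_t elem)
{
    return n * elem;
}

/* Safe replacement for malloc(n * elem): refuses wrapped sizes (errno set to
 * EOVERFLOW), normalizes the implementation-defined malloc(0) case, and
 * zero-fills so the caller cannot read uninitialized memory. The caller still
 * has to check for NULL; this helper only makes the failure honest. */
void *safe_array_alloc(size_t n, size_t elem)
{
    size_t bytes;
    if (mul_overflows(n, elem, &bytes)) {
        errno = EOVERFLOW;
        return NULL;
    }
    if (bytes == 0)
        bytes = 1;
    return calloc(1, bytes);
}

/* Example consumer: builds a table of n records and propagates allocation
 * failure to the caller instead of dereferencing NULL. Returns 0 on success
 * and -1 on failure (errno describes why); *out is untouched on failure. */
struct record {
    uint32_t id;
    char     name[28];
};

int build_table(size_t n, struct record **out)
{
    struct record *tbl = safe_array_alloc(n, sizeof *tbl);
    if (tbl == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        tbl[i].id = (uint32_t)i;
        snprintf(tbl[i].name, sizeof tbl[i].name, "rec-%zu", i);
    }
    *out = tbl;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a sane count and a count chosen to wrap. */
    size_t huge = SIZE_MAX / 4 + 2;
    struct record *tbl = NULL;

    printf("unchecked size for %zu records: %zu bytes (wrapped)\n",
           huge, unchecked_size(huge, sizeof *tbl));

    if (build_table(huge, &tbl) != 0)
        printf("build_table(huge) refused: %s\n", strerror(errno));

    if (build_table(3, &tbl) == 0) {
        printf("built %u records, last is %s\n", tbl[2].id + 1, tbl[2].name);
        free(tbl);
    }
    return 0;
}
```

The wrap value is the same on 32-bit and 64-bit hosts because `SIZE_MAX / 4 + 2` is `2^(bits-2) + 1`, and multiplying by 8 leaves only the low 8. When reviewing an allocation site, the question to ask is exactly the one the helper answers: can the multiplicand be attacker-influenced, and is the product checked before it reaches the allocator.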
