Review for Source Package: gstreamer-plugins-bad1.0 (a subset of which will form the proposed gstreamer-plugins-extra1.0 binary)
[Summary] The essence of the review result from the MIR POV is that the components of gstreamer-plugins-bad1.0 that are requested for review as part of a new binary, gstreamer-plugins-extra1.0, are generally compliant with the MIR process aside from the required TODOs. A security review is still recommended as this package parses potentially untrusted media data formats. MIR team ACK under the constraint to resolve the below listed required TODOs. This does need a security review, so I'll assign ubuntu-security List of specific binary packages to be promoted to main: - gstreamer1.0-plugins-extra - libgstreamer-plugins-extra1.0-0 - libgstreamer-plugins-extra1.0-dev - gir1.2-gst-plugins-extra-1.0 Specific binary packages built, but NOT to be promoted to main: - gir1.2-gst-plugins-bad-1.0 - gstreamer1.0-opencv - gstreamer1.0-plugins-bad - gstreamer1.0-plugins-bad-apps - libgstreamer-opencv1.0-0 - libgstreamer-plugins-bad1.0-0 - libgstreamer-plugins-bad1.0-dev Notes: Required TODOs: - Enable symbols tracking for public libraries - Ensure package is not on the LTO-disabled list - gst-plugins-bad1.0 is on the list for ppc64el and s390x (https://git.launchpad.net/ubuntu/+source/lto-disabled-list/tree/lto-disabled-list) [Rationale, Duplication and Ownership] There is no other package in main providing the same functionality. A team is committed to own long term maintenance of this package (desktop-packages). The rationale given in the report seems valid and useful for Ubuntu. [Dependencies] OK: - no other runtime Dependencies to MIR due to this - all runtime dependencies for libgstreamer-plugins-extra1.0-0_1.26.5-1ubuntu3_amd64.deb and gstreamer1.0-plugins-extra_1.26.5-1ubuntu3_amd64.deb were checked and are confirmed to be in main. - no other build-time Dependencies with active code in the final binaries to MIR due to this - No dependencies in main that are only superficially tested requiring more tests now. Problems: None [Embedded sources and static linking] OK: - no embedded source present - no static linking - does not have unexpected Built-Using entries OK: - not a go package, no extra constraints to consider in that regard - No vendoring used, all Built-Using are in main - not a rust package, no extra constraints to consider in that regard - Does not include vendored code Problems: None [Security] OK: - history of CVEs does not look concerning - does not run a daemon as root - does not use webkit1,2 - does not use lib*v8 directly - does parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source. A security review is recommended to ensure this functionality follows best practices. - does not expose any external endpoint (port/socket/... or similar) - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does not deal with security attestation (secure boot, tpm, signatures) - does not deal with cryptography (en-/decryption, certificates, signing, ...) - this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...) Problems: - This package does parse media data formats and a security review is recommended to ensure best security practices are being followed. [Common blockers] OK: - does not FTBFS currently (PPA build https://launchpad.net/~charles05/+archive/ubuntu/gstreamer/+build/31313921 looks good) - does have a test suite that runs at build time - test suite fails will fail the build upon error. - This does seem to need special HW for build or test so it can't be automatic at build or autopkgtest time. But as outlined by the requester in [Quality assurance - testing] there: - is hardware and a test plan or code that tests various aspects of GStreamer such as different video/audio codecs and integrations. This is outlined in the link provided by the MIR submitter: https://wiki.ubuntu.com/DesktopTeam/TestPlans/GStreamer - no new python2 dependency Problems: None [Packaging red flags] OK: - Ubuntu does carry a delta, but it is reasonable and maintenance under control - For c++ libraries - symbols tracking isn't in place but the owning team tried to set it up and came back with a reasonable rationale of why it isn't practical to do for the package. If symbols tracking isn't used then it's recommended to investigate using an alternative like abigail or abi-compliance-check in CI or bumping SOVER with every package update. - debian/watch is present and looks ok - Upstream update history is good - updates at least weekly - Debian/Ubuntu update history is good - at least monthly - the current release is packaged - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - debian/rules is quite complex, but to be expected given the complex nature of this source package - the package is on the LTO-disabled-list the architectures ppc64el and s390x Problems: - It appears that libgstreamer-plugins-extra1.0-0 is a public library but does not have symbols tracking in place. Symbols tracking or an alternative such as abigail or abi-compliance-check should be used. [Upstream red flags] OK: - no Errors/warnings during the build - no incautious use of malloc/sprintf (as far as we can check it) - no incautious use of malloc/sprintf (the language has no direct MM) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests) - no use of user 'nobody' outside of tests - no use of setuid / setgid - no important open bugs (crashers, etc) in Debian or Ubuntu - no dependency on webkit, qtwebkit or libseed - not part of the UI for extra checks - no translation present, but none needed for this case Problems: None ** Changed in: gst-plugins-bad1.0 (Ubuntu) Assignee: Myles Penner (mylesjp) => (unassigned) ** Changed in: gst-plugins-bad1.0 (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2121050 Title: [MIR] gstreamer-plugins-extra1.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gst-plugins-bad1.0/+bug/2121050/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
