Review of source package: src:iotop-c
[Summary]
This is a proposal to replace the current Python-based iotop I/O monitoring
tool with
iotop-c, an improved version written in C. The iotop-c upstream project has
better
maintenance than (the almost unmaintained) iotop. The iotop package may be
demoted
to universe.
MIR team ACK.
There is no CVE history. But the package will introduce a new superuser
binary (/usr/sbin/iotop-c). The security team might want to take a cursory
look, at the least. I'll assign ubuntu-security for now.
List of specific binary packages to be promoted to main: bin:iotop-c
Specific binary packages built, but NOT to be promoted to main:
bin:iotop-c-dbgsym
Notes:
None.
Required TODOs:
None.
Recommended TODOs:
#0 - The package should get a team bug subscriber before being promoted
#1 - The current release (1.31) needs to be uploaded (needs a package merge
with 1.31-1 in debian/sid).
#2 - The build-warning note in [Upstream red flags] could be fixed by patching
the Makefile.
#3 - Rule out memory leaks using a tool like valgrind.
[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
=> The intention is to replace the iotop in main, with iotop-c; the former
will be demoted
back to universe.
- A team is committed to own long term maintenance of this package.
=> Server team
- The rationale given in the report seems valid and useful for Ubuntu
[Dependencies]
OK:
- no other runtime Dependencies to MIR due to this
- no other build-time Dependencies with active code in the final binaries to
MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more
tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
signing, ...)
- this makes appropriate (for its exposure) use of established risk
mitigation features (dropping permissions, using temporary environments,
restricted users/groups, seccomp, systemd isolation features,
apparmor, ...)
=> Needs sudo and the CAP_NET_ADMIN capability to run.
Problems: None
[Common blockers]
OK:
- does not FTBFS currently
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- if a non-trivial test on this level does not make sense (the lib alone
is only doing rather simple things), is the overall solution (app+libs)
extensively covered i.e. via end to end autopkgtest ?
=> Yes.
- no new python2 dependency
Problems:
- does not have a test suite that runs at build time
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code because it
no shared objects are created
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is sporadic
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far maintained
the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems:
- the current release (1.31) is not available in Ubuntu yet, needs an Ubuntu
merge
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of user 'nobody' outside of tests
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?
=> sysadmins are the target users
Problems:
- warning: ‘_FORTIFY_SOURCE’ redefined
=> the Makefile could be patched to remove this flag, dpkg-buildflags
supplies -D_FORTIFY_SOURCE=3
** Changed in: iotop-c (Ubuntu)
Assignee: Pushkar Kulkarni (pushkarnk) => Ubuntu Security Team
(ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2137520
Title:
[MIR] iotop-c
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iotop-c/+bug/2137520/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
