Review for Source Package: pigz (2.8-2)
[Summary]
The package builds cleanly, its upstream test suite and the existing
autopkgtest pass, and it has a clear use in Ubuntu.
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: pigz
Required TODOs:
1. Address the zopfli situation described in the initial MIR filing. The
build already links the archive's shared libzopfli1 rather than the copy
bundled under zopfli/, which is the preferred arrangement, but libzopfli1
is in universe, so the dependency cannot stay as it is for a package in
main.
2. The DEP8 test addition mentioned in the initial report has not yet
been merged. Please see that this is resolved before promotion.
3. Add a team bug subscriber for Ubuntu Server before promotion.
[Rationale, Duplication and Ownership]
OK:
- There is no other package in main providing the same functionality.
gzip (in main) is the obvious functional overlap, but pigz exists
specifically to parallelise gzip-compatible compression across cores
and is not duplicated by gzip, xz-utils, or zstd. The MIR submitter
notes this directly: pigz "covers the same use case as gzip, but is
better because it leverages multiple cores and processors." pbzip2,
pixz, pzstd are parallel compressors for other formats, not for the
gzip/zlib stream pigz targets.
- A team is committed to own long-term maintenance of this package - Ubuntu
Server
- The rationale given in the report seems valid and useful for Ubuntu:
pigz is required as a runtime dependency of docker.io-app (MIR
#2140335), which is being promoted to main. Additional archive
consumers exist (dracut-core, clonezilla, debian-cd, bmap-tools and
others).
[Dependencies]
OK:
- All non-zopfli runtime dependencies are satisfied from main: libc6,
zlib1g. dpkg (Pre-Depends) is Priority: required.
- No -dev/-debug/-doc packages need exclusion (only the single pigz
binary is produced).
- No dependencies in main that are only superficially tested
requiring more tests now.
Problems:
- Runtime dependency on libzopfli1 in universe
[Embedded sources and static linking]
OK:
- No static linking. debian/rules sets ZOPFLI_PREFIX=/usr so the
Debian/Ubuntu build links against the shared libzopfli1 and does
not compile the bundled zopfli sources into the binary.
- Does not have unexpected Built-Using entries (debian/control has
none, debhelper does not generate any).
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems:
- The upstream tarball ships a full copy of the zopfli sources under
zopfli/ (Apache-2.0). The copyright record for these files in
debian/copyright was added in 2.8-2 in response to Debian bug
#1135288.
[Security]
OK:
- CVE history does not look concerning. Two historical CVEs, both
fixed long before the proposed version.
No CVEs filed against any release from 2.4 onwards, including 2.8.
- Does not run a daemon as root (CLI tool, runs as the invoking user).
- Does not use webkit1 or webkit2.
- Does not use lib*v8 directly.
- Does not expose any external endpoint (no network code; pure
filesystem/stdio).
- Does not process arbitrary web content.
- Does not use centralized online accounts.
- Does not integrate arbitrary javascript into the desktop.
- Does not deal with system authentication (no PAM).
- Does not deal with security attestation (no secure boot, TPM, or
signature handling).
- Does not deal with cryptography in the en-/decryption sense
(CRC32 and Adler-32 only -- integrity, not secrecy).
Problems:
- Does parse data formats from untrusted sources. pigz is invoked on
gzip, zlib and zip streams that frequently originate from third parties
(a tarball off the internet, a Docker layer, an initrd image). The
deflate decoding itself is delegated to zlib (in main); the pigz-side
surface is the container header, trailer and option parsing around it,
plus the threading and buffer management, all living in a single
~4.7 KLOC C file (pigz.c) with manual memory management. The security
team should investigate.
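As an added illustration of the parsing surface just described (this is example code written for this review, not pigz's own code): a bounds-checked parser for the gzip member header from RFC 1952, handling the optional FEXTRA, FNAME, FCOMMENT and FHCRC fields and rejecting truncated or malformed input instead of reading past the buffer. The sample headers are constructed for the example; the CRC-32 routine is the standard one, included so the FHCRC check can be exercised offline.

```c
/* Added example for this review, not pigz's own code: a bounds-checked
 * parser for the gzip member header (RFC 1952 section 2.3). Every read is
 * checked against the buffer length, so a truncated or malformed header
 * from an untrusted stream is rejected instead of being read past the end. */
#include <stdint.h>
#include <string.h>

/* FLG bits from RFC 1952; bits 5-7 are reserved and must be zero. */
#define GZ_FHCRC     0x02
#define GZ_FEXTRA    0x04
#define GZ_FNAME     0x08
#define GZ_FCOMMENT  0x10
#define GZ_FRESERVED 0xE0

struct gz_header {
    uint8_t flags;
    const uint8_t *name;  size_t name_len;   /* FNAME, points into input */
    const uint8_t *extra; size_t extra_len;  /* FEXTRA, points into input */
    size_t payload_off;                      /* first byte of deflate data */
};

/* Standard CRC-32, the same polynomial gzip uses in its trailer. */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Advance *pos past a NUL-terminated field; fail if no NUL before len. */
static int skip_cstring(const uint8_t *buf, size_t len, size_t *pos,
                        const uint8_t **start, size_t *slen)
{
    size_t i = *pos;
    while (i < len && buf[i] != 0) i++;
    if (i >= len) return -1;        /* terminator missing: truncated input */
    *start = buf + *pos;
    *slen = i - *pos;
    *pos = i + 1;
    return 0;
}

/* Returns 0 and fills *h on success, -1 on malformed or truncated input. */
int gz_parse_header(const uint8_t *buf, size_t len, struct gz_header *h)
{
    size_t pos = 10, xlen, comment_len;
    const uint8_t *comment;

    memset(h, 0, sizeof *h);
    if (len < 10 || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 8)
        return -1;                  /* too short, bad ID1/ID2, or CM != deflate */
    h->flags = buf[3];
    if (h->flags & GZ_FRESERVED) return -1;   /* reserved flag bits set */
    if (h->flags & GZ_FEXTRA) {
        if (len - pos < 2) return -1;
        xlen = (size_t)buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2;
        if (len - pos < xlen) return -1;      /* XLEN claims more than present */
        h->extra = buf + pos;
        h->extra_len = xlen;
        pos += xlen;
    }
    if ((h->flags & GZ_FNAME) &&
        skip_cstring(buf, len, &pos, &h->name, &h->name_len))
        return -1;
    if ((h->flags & GZ_FCOMMENT) &&
        skip_cstring(buf, len, &pos, &comment, &comment_len))
        return -1;
    if (h->flags & GZ_FHCRC) {
        if (len - pos < 2) return -1;
        /* CRC16 is the low 16 bits of CRC-32 over the header bytes before it. */
        if ((buf[pos] | (buf[pos + 1] << 8)) != (int)(crc32_bytes(buf, pos) & 0xFFFFu))
            return -1;
        pos += 2;
    }
    h->payload_off = pos;
    return 0;
}

/* Convenience wrapper: payload offset on success, -1 on rejection. */
long gz_payload_offset(const uint8_t *buf, size_t len)
{
    struct gz_header h;
    return gz_parse_header(buf, len, &h) == 0 ? (long)h.payload_off : -1;
}

/* Constructed sample headers for the example, not taken from real files. */
const uint8_t SAMPLE_MIN[10]   = {0x1f,0x8b,8,0,        0,0,0,0, 0,3};
const uint8_t SAMPLE_NAME[16]  = {0x1f,0x8b,8,GZ_FNAME, 0,0,0,0, 0,3, 'a','.','t','x','t',0};
const uint8_t SAMPLE_NONUL[15] = {0x1f,0x8b,8,GZ_FNAME, 0,0,0,0, 0,3, 'a','.','t','x','t'};
const uint8_t SAMPLE_XLEN[12]  = {0x1f,0x8b,8,GZ_FEXTRA,0,0,0,0, 0,3, 0xff,0xff}; /* XLEN=65535 */
const uint8_t SAMPLE_RSVD[10]  = {0x1f,0x8b,8,0x20,     0,0,0,0, 0,3};            /* reserved bit */

/* Builds a header with FHCRC set and a correct (or deliberately wrong)
 * CRC16, then returns the parser's verdict. */
long demo_fhcrc(int corrupt)
{
    uint8_t buf[12] = {0x1f,0x8b,8,GZ_FHCRC, 0,0,0,0, 0,3, 0,0};
    uint16_t crc16 = (uint16_t)(crc32_bytes(buf, 10) & 0xFFFFu);
    if (corrupt) crc16 ^= 1u;
    buf[10] = (uint8_t)(crc16 & 0xFFu);
    buf[11] = (uint8_t)(crc16 >> 8);
    return gz_payload_offset(buf, sizeof buf);
}
```

The point for a reviewer is the shape of the checks rather than the parser itself: every variable-length field (XLEN, the NUL-terminated name and comment) is validated against the remaining input before it is consumed, and the optional header CRC is verified when present, which is the behaviour one would want to confirm in pigz.c's own header handling.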
[Common blockers]
OK:
- Does not FTBFS. Verified by running make against a clean copy of
this tree on Ubuntu: builds with no warnings using the upstream
-Wall -Wextra -Wno-unknown-pragmas -Wcast-qual flags plus Debian
hardening.
- Has a test suite that runs at build time (make test, invoked from
debian/rules via override_dh_auto_test). Verified to pass locally.
- This does not need special HW for build or test.
- no new python2 dependency.
- No Python package considerations apply (not a Python package).
- No Go package considerations apply (not a Go package).
Problems: None
[Packaging red flags]
OK:
- Ubuntu does not carry a significant delta against Debian
- symbols tracking not applicable for this kind of code (the package
ships only an executable, no shared library, no headers).
- debian/watch is present (format version 5) and points at the
upstream release directory.
- the current upstream release (2.8, 2023-08-19) is the version
packaged.
- promoting this does not seem to cause issues for MOTU
- debian/rules is small (26 lines) and uses the dh sequencer with
only narrow overrides (build flag plumbing, build, install with
unpigz hardlink).
- It is not on the lto-disabled list.
Problems: None
[Upstream red flags]
OK:
- No errors or warnings during the build.
- No incautious use of malloc/sprintf
- No use of sudo, gksu, pkexec, or LD_LIBRARY_PATH in source or
packaging.
- No use of user 'nobody'.
- No use of setuid / setgid in source, in packaging, or on the built
binary (find -perm -4000 -o -perm -2000 over the source tree is
empty).
- No important open bugs (crashers, data-loss) visible in Debian or
Ubuntu against 2.8-1; the most recent Debian bugs closed by 2.8-2
are documentation/packaging items (zopfli copyright wording, help
output stream, quilt dependency cleanup).
- No dependency on webkit, qtwebkit, or libseed.
- Not part of the UI for extra checks.
- No translation present, but none needed for this case (CLI tool;
message strings are English-only by upstream design).
Problems: None
** Changed in: pigz (Ubuntu)
Assignee: Myles Penner (mylesjp) => (unassigned)
** Changed in: pigz (Ubuntu)
Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2150649
Title:
[MIR] Promote pigz
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pigz/+bug/2150649/+subscriptions