Review for Source Package: dgx-desktop-defaults [Summary]
This is an ubuntu native package that ships binary packages which provide custom configuration for optimizing/enabling DGX platforms. There are a couple of points that need clarification listed in the TODOs section. The package deals with authentication (ubuntu pro subscription), it installs services, recurring jobs etc. and therefore I believe a security review is due. MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs. This does need a security review, so I'll assign ubuntu-security List of specific binary packages to be promoted to main: dgx-desktop-app-profiles-mixed-coherency dgx-desktop-arp-configuration dgx-desktop-cppc-cpufreq-options dgx-desktop-crashkernel-configuration dgx-desktop-disable-init-on-alloc dgx-desktop-disable-numa-balancing dgx-desktop-docker-gpus dgx-desktop-docker-options dgx-desktop-enable-persistenced dgx-desktop-enable-power-meter-cap dgx-desktop-kernel-configuration dgx-desktop-limits dgx-desktop-no-systemd-suspend dgx-desktop-nvidia-cuda-environment dgx-desktop-nvidia-fs-loader dgx-desktop-nvme-interrupt-coalescing dgx-desktop-pro-activation dgx-desktop-sbsa-gwdt-options hwe-dgx-gb10-meta hwe-dgx-gb300ws-meta Specific binary packages built, but NOT to be promoted to main: <None> Required TODOs: 1. The package needs special harware for testing and the autopkgtests are trivial. The team has access to the required harware, but a test plan or code is missing as required by TODO-A-H, section [Quality assurance - testing] in the reporter's bug template. Please provide a test plan. 2. Given the difficulties of making linux-nvidia available for an interim release, and the fact that's in main, since nothing breaks/fails I think we're ok from the MIR point of view. However, I'm concerned about the intention of having this package in the ISO. Could you please clarify the following. Do you mean the generic ubuntu desktop ISO which is available for everyone? If this is the case, does it mean that the debs will be installed by default on any hardware? The package provides configurations for numa balancing, cpufreq, kdump configuration, etc., which may not be optimal or wanted on hw other than dgx. Recommended TODOs: 3. Address the feedback from comment #1 4. In service-success-test file, the test check for 'nvme-interrupt-coalescing.service' but I don't see such a service shipped by the package. How does this test work? - The package should get a team bug subscriber before being promoted [Rationale, Duplication and Ownership] There is no other package in main providing the same functionality. Partner engineering team is committed to own long term maintenance of this package. The rationale given in the report seems valid and useful for Ubuntu [Dependencies] OK: - no other runtime Dependencies to MIR due to this - no other build-time Dependencies with active code in the final binaries to MIR due to this - no -dev/-debug/-doc packages that need exclusion - No dependencies in main that are only superficially tested requiring more tests now. Problems: None [Embedded sources and static linking] OK: - no embedded source present - no static linking - does not have unexpected Built-Using entries - not a go package, no extra constraints to consider in that regard - not a rust package, no extra constraints to consider in that regard - Does not include vendored code Problems: None [Security] OK: - history of CVEs does not look concerning TODO: - does not run a daemon as root - does not use webkit1,2 - does not use lib*v8 directly - does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source. - does not expose any external endpoint (port/socket/... or similar) - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with security attestation (secure boot, tpm, signatures) - does not deal with cryptography (en-/decryption, certificates, signing, ...) - this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...) Problems: - does deal with system authentication (eg, pam), etc) [Common blockers] OK: - does not FTBFS currently - This does seem to need special HW for build or test so it can't be automatic at build or autopkgtest time. But as outlined by the requester in [Quality assurance - testing] there: - is hardware and a test plan or code - no new python2 dependency Problems: - does have a trivial test suite that runs as autopkgtest - Test plan or code for testing not in cplace [Packaging red flags] OK: - This is an Ubuntu-only package - symbols tracking not applicable for this kind of code. - debian/watch is not present but also not needed (e.g. native) - Upstream update history which matches Ubuntu history since it's an ubuntu only package is good - the current release is packaged - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - debian/rules is rather clean - It is not on the lto-disabled list Problems: None [Upstream red flags] OK: - no Errors/warnings during the build - no incautious use of malloc/sprintf (the language has no direct MM) - no use of gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests) - no use of user 'nobody' outside of tests - no use of setuid / setgid - no important open bugs (crashers, etc) in Debian or Ubuntu - no dependency on webkit, qtwebkit or libseed - not part of the UI for extra checks - no translation present, but none needed for this case (user visible)? Problems: - use of sudo in debian/dgx-desktop-nvme-interrupt-coalescing.postinst -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2154816 Title: [MIR] dgx-desktop-defaults To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dgx-desktop-defaults/+bug/2154816/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
