Review for Source Package: dgx-desktop-defaults

[Summary]

This is an Ubuntu native package that ships binary packages which provide
custom configuration for optimizing/enabling DGX platforms. There are a
couple of points that need clarification listed in the TODOs section.

The package deals with authentication (Ubuntu Pro subscription), it installs
services, recurring jobs, etc., and therefore I believe a security review is
due.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main:
dgx-desktop-app-profiles-mixed-coherency
dgx-desktop-arp-configuration
dgx-desktop-cppc-cpufreq-options
dgx-desktop-crashkernel-configuration
dgx-desktop-disable-init-on-alloc
dgx-desktop-disable-numa-balancing
dgx-desktop-docker-gpus
dgx-desktop-docker-options
dgx-desktop-enable-persistenced
dgx-desktop-enable-power-meter-cap
dgx-desktop-kernel-configuration
dgx-desktop-limits
dgx-desktop-no-systemd-suspend
dgx-desktop-nvidia-cuda-environment
dgx-desktop-nvidia-fs-loader
dgx-desktop-nvme-interrupt-coalescing
dgx-desktop-pro-activation
dgx-desktop-sbsa-gwdt-options
hwe-dgx-gb10-meta
hwe-dgx-gb300ws-meta

Specific binary packages built, but NOT to be promoted to main: <None>

Required TODOs:
1. The package needs special hardware for testing and the autopkgtests are
   trivial. The team has access to the required hardware, but a test plan or
   code is missing as required by TODO-A-H, section [Quality assurance -
   testing] in the reporter's bug template. Please provide a test plan.
2. Given the difficulties of making linux-nvidia available for an interim
   release, and the fact that it's in main, since nothing breaks/fails I think
   we're ok from the MIR point of view. However, I'm concerned about the
   intention of having this package in the ISO. Could you please clarify the
   following: do you mean the generic Ubuntu desktop ISO which is available
   for everyone? If this is the case, does it mean that the debs will be
   installed by default on any hardware? The package provides configurations
   for NUMA balancing, cpufreq, kdump configuration, etc., which may not be
   optimal or wanted on hardware other than DGX.


Recommended TODOs:
3. Address the feedback from comment #1
4. In the service-success-test file, the test checks for
   'nvme-interrupt-coalescing.service' but I don't see such a service shipped
   by the package. How does this test work?

- The package should get a team bug subscriber before being promoted

[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality.
Partner engineering team is committed to own long term maintenance of this 
package.
The rationale given in the report seems valid and useful for Ubuntu

[Dependencies]
OK:
- no other runtime Dependencies to MIR due to this
- no other build-time Dependencies with active code in the final binaries
  to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- TODO: does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features (dropping permissions, using temporary environments,
  restricted users/groups, seccomp, systemd isolation features,
  apparmor, ...)

Problems:
- does deal with system authentication (e.g., pam, etc.)

[Common blockers]
OK:
- does not FTBFS currently
- This does seem to need special HW for build or test so it can't be
  automatic at build or autopkgtest time. But as outlined
  by the requester in [Quality assurance - testing] there:
   - is hardware and a test plan or code
- no new python2 dependency

Problems:
- does have a trivial test suite that runs as autopkgtest
- Test plan or code for testing not in place

[Packaging red flags]
OK:
- This is an Ubuntu-only package
- symbols tracking not applicable for this kind of code.
- debian/watch is not present but also not needed (e.g. native)
- Upstream update history which matches Ubuntu history since it's an
  Ubuntu-only package is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]

OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user 'nobody' outside of tests
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems:
- use of sudo in debian/dgx-desktop-nvme-interrupt-coalescing.postinst

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2154816

Title:
  [MIR] dgx-desktop-defaults
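An added audit helper, not part of this review or of the dgx-desktop-defaults package, that scripts the red-flag checks the review applies to maintainer scripts (sudo/gksu/pkexec and LD_LIBRARY_PATH) and to the shipped file tree (setuid/setgid bits). The sample maintainer scripts, file names and setuid file it creates are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the MIR review or the dgx-desktop-defaults
# packaging): audit helper for the "upstream red flags" the review checks
# in maintainer scripts and in an unpacked package tree.

# Privilege-escalation helpers used as a command, plus any LD_LIBRARY_PATH
# reference. Word boundaries are spelt out because \b is not portable in
# POSIX grep.
RED_FLAG_RE='(^|[^[:alnum:]_/.-])(sudo|gksu|pkexec)([^[:alnum:]_.-]|$)|LD_LIBRARY_PATH'

# count_red_flags DIR: number of matching lines across the maintainer
# scripts under DIR (preinst/postinst/prerm/postrm, optionally prefixed
# with a package name); comment lines are ignored.
count_red_flags() {
    total=0
    for f in "$1"/*preinst "$1"/*postinst "$1"/*prerm "$1"/*postrm; do
        [ -f "$f" ] || continue
        n=$(grep -vE '^[[:space:]]*#' "$f" | grep -cE "$RED_FLAG_RE") || n=0
        total=$((total + n))
    done
    echo "$total"
}

# count_setid_files TREE: regular files under TREE with setuid or setgid set
# (the review expects zero).
count_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# make_sample_package DIR: constructed maintainer scripts and a constructed
# setuid file so the checks can be exercised offline; contents are invented.
make_sample_package() {
    mkdir -p "$1/debian" "$1/tree/usr/bin"
    cat > "$1/debian/example.postinst" <<'EOF'
#!/bin/sh
set -e
# sudo is redundant here: maintainer scripts already run as root
sudo systemctl enable example.service
systemctl daemon-reload
EOF
    printf '#!/bin/sh\nsystemctl disable example.service\n' > "$1/debian/example.prerm"
    : > "$1/tree/usr/bin/helper"
    chmod 4755 "$1/tree/usr/bin/helper"
}

main() {
    dir=$(mktemp -d)
    make_sample_package "$dir"
    echo "red-flag lines in maintainer scripts: $(count_red_flags "$dir/debian")"
    echo "setuid/setgid files in tree: $(count_setid_files "$dir/tree")"
    rm -rf "$dir"
}
main "$@"
```

Point count_red_flags at a real debian/ directory and count_setid_files at the dpkg-deb extracted tree to reproduce the "use of sudo in postinst" and "no use of setuid / setgid" findings.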