[Summary]
MIR Team Ack to src:libbpf

This does not need a security review IMHO, but as outlined below I'd want security to quickly ACK on that decision - assigning to Seth (security MIR Team member) for that.

List of specific binary packages to be promoted to main: libbpf0
Required TODOs:
- None

Recommended TODOs:
- Add build and/or autopkgtest tests to the package to spot issues early

[Duplication]
There is no other package in main providing the same functionality.
Some packages that formerly had libbpf code slowly migrate to this lib. But that isn't duplication; it is the right thing to do.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- -dev package will be auto-promoted, but all its deps are ok as well

[Embedded sources and static linking]
- no embedded source present (this is in fact used to un-embed some in other pkg)
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
  No issues on the lib yet, but the kernel backend has some (as one would expect for such a dynamic interface)
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bpf
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

Problems:
- does not parse data formats, but no externally controlled ones

I'm unsure if this needs a security review. They are currently rather busy with those and this package does replace code that was worse in iproute2 (pulling it into main).
Since this is driven and in a lot of use by the bigger kernel community as well as Debian jumping onto this for Buster, I think while I'd appreciate a review we don't strictly need it here as we are replacing better code.
Also the new iproute needs to go along kernel 5.10 which just appeared in 21.04, so the runway is short.

But I'll want security to do a 5-10 minute read of that reasoning and the code to agree to that decision. If they do we can go on promoting this immediately.
If security decides that a full review is needed it will go their way as usual.
[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard
- no new python2 dependency

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
  Gladly that is somewhat covered by the upstream travis tests. None of the few but growing dependencies has higher level tests yet.
  This isn't a blocker since this is "just" the lib, but certainly a step that would be recommended to the owning team to add.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good, but it is yet rather new
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: libbpf (Ubuntu)
     Assignee: Christian Ehrhardt (paelzer) => Seth Arnold (seth-arnold)

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to iproute2 in Ubuntu.
Matching subscriptions: iproute2
https://bugs.launchpad.net/bugs/1910576

Title:
  [MIR] libbpf (dependency of iproute2)

Status in iproute2 package in Ubuntu:
  Invalid
Status in libbpf package in Ubuntu:
  New

Bug description:
  [Availability]
  libbpf | 0.1.0-1 | groovy/universe  | source
  libbpf | 0.3-2   | hirsute/universe | source

  [Rationale]
  Libbpf is (or is about to become) a dependency for building iproute2, which already is in main.
  Using BPF is becoming more wide-spread. The library allows loading and using eBPF programs from user-space (functionality provided by the kernel).
  It is already maintained in main for Debian (https://tracker.debian.org/pkg/libbpf)

  [Security]
  Since the code is taken out of the Linux kernel, this should be treated similar to the kernel for security.
  Research uncovered no records about security issues.

  [Quality assurance]
  At this point there are no open bug reports against libbpf (except this one) in Ubuntu. Also no open bugs found in Debian.
  Project is taken from the kernel source and claims static analysis via LGTM and Coverity. Also has CI via Travis (https://travis-ci.com/github/libbpf/libbpf).
  Right now there are no dep-8 tests. Though potentially it should be possible to create those, would this really add additional benefit beyond having upstream CI?
  A test build on hirsute was showing no warnings beyond lintian complaining about things which would be changed if we had delta (unstable as series for example). Otherwise it was clean.

  [Dependencies]
  libc6: main
  libelf1: main
  zlib1g: main

  [Standards compliance]
  $ lintian --pedantic libbpf_0.3-2.dsc
  P: libbpf source: no-homepage-field
  P: libbpf source: silent-on-rules-requiring-root

  [Maintenance]
  As this is only taking out code from the kernel into a separate library package, the maintenance effort should be minimal.
  Packaging is done in Debian and is synced into Ubuntu (no delta).
  [Background information]
  A discourse about why this is packaged outside the kernel can be found at https://lwn.net/Articles/836911/.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iproute2/+bug/1910576/+subscriptions