I reviewed zeromq3 version 4.1.5-2 as checked into yakkety. This shouldn't be considered a full audit but rather a quick check of maintainability.
zmq is a networking and related utilities library. However, it has a broad, almost obsessive, vision of how the sockets API should look; calling it a "networking library" is entirely underselling the intention.

- Build-Depends: debhelper, dh-autoreconf, libpgm-dev, libsodium-dev, pkg-config
- Does not itself daemonize
- Does not itself direct networking
- No pre/post inst/rm scripts
- No initscripts
- No dbus services
- No setuid executables
- No binaries in the path
- No sudo fragments
- No udev rules
- Tests run during build -- six failures in Xenial build logs and seven failures in yakkety build logs -- why do these fail? why do they not halt the build?
- No cronjobs
- Build logs look clean beyond the test failures
- No spawned subprocesses
- Memory management is old-school correct-to-the-byte-style C-flavor. It all looks careful but is very manual, with hand-counted bytes and detailed knowledge of packet layouts necessary to make any modifications. As this is a de facto protocol, changes shouldn't be necessary, but there is no margin of safety.
- Only /dev/urandom file IO, looked very careful
- Logging looked safe
- Slight use of ioctls
- Uses libsodium or tweetnacl for newer cryptographically secured mechanisms
- Extensive networking -- this is easily the most complicated networking code I've ever reviewed. It all looks careful but expert assistance would be needed for nearly any modifications. (The theory of the library is that it would handle all the complicated portions of networking and allow applications to focus on protocol design. The complexity is expected and appropriate.)
- No portions of code are more privileged than others
- No temporary file handling
- No webkit
- No policykit
- No javascript
- Clean cppcheck

zmq is extremely ambitious; it embraces complexity so that client programs can be written more simply. The enthusiasm and reach and optimism are infectious.
The code quality is extremely high, even though it does work with razor-thin margins for memory management, and must manage the full complexities of many networking protocols on many operating systems. Error-checking is pervasive and careful. Comments are clear and meaningful. It's a striking and bold new mechanism to network everything, simply. This comes at a cost.

I found two bugs in our package that have been fixed upstream. (Bugs 1622073 and 1623792.) I didn't try to write programs to discover the consequences of tripping these bugs but program death is expected. We should fix these.

Yakkety zeromq3 packages have seven failures in the test suite run during the build. The build is not aborted with these failures. We need to understand, and if feasible, fix these failed tests. Ideally the build would fail when the tests fail, so that failures do not become normal.

Security team provides conditional approval for promoting zeromq3 to main -- please fix the test failures or explain why they cannot be fixed before promoting the package.

Thanks

** Changed in: zeromq3 (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1597439

Title:
  [MIR] zeromq3

Status in zeromq3 package in Ubuntu:
  New

Bug description:
  Trying to get unity8 in main this cycle, that's one of the depends of unity-scopes-api (MIR to come)

  * availability
  it's available/built on all the ubuntu architectures, https://launchpad.net/ubuntu/+source/zeromq3/4.1.4-7

  * security
  the trusty version has some open CVEs which seem to have been resolved in the newer versions/series of Ubuntu
  http://people.canonical.com/~ubuntu-security/cve/pkg/zeromq3.html

  * quality
  - the package is well maintained in Debian
  - it works out of the box with no configuration required
  - it has a testsuite which is used during build but currently has some errors and doesn't stop the build

  * dependencies
  requires libsodium which is universe

  * standards compliance
  FHS and Debian Policy compliant.

  * ubuntu maintenance
  the desktop team is going to look after it, desktop-bugs has been subscribed

  * background
  no specific info