** Tags added: dcr-incoming

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2113961

Title:
  [MIR] util-linux

Status in util-linux package in Ubuntu:
  New

Bug description:
  [Availability]
  The package src:util-linux is already in Ubuntu main.
  The package src:util-linux builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/util-linux

  [Rationale]

  See the previous rationale below for what actually sparked this MIR.
  Now that `bin:liblastlog2-2` has been promoted and everything is unblocked, the
  rationale becomes as simple as an ask for a re-review for one of the `Essential`
  packages, shipping, among other things, a few `suid` binaries in absolutely
  every form Ubuntu can take.
  
https://canonical-ubuntu-project.readthedocs-hosted.com/MIR/mir-rereview/#opt-in-re-review

  Original rationale:
  Okay, it seems the MIR template doesn't apply well for this use-case, because
  it more or less assumes that the MIR is about a source package that is currently
  in universe. In the current situation, only an existing binary package needs to be
  promoted, from a source package already in main. I'll do my best to adapt the
  template and provide a good rationale.

  - bin:liblastlog2-2 is provided by src:util-linux, and was already there in
    plucky/universe.
  - The package src:util-linux is generally useful for a large part of
    our user base: it provides the bin:util-linux package, which is even flagged as
    `Essential: yes`.
    This is the package providing, among many other things, the `su`, `fsck`,
    `flock`, or `mkswap` binaries, all mostly essential to any system (random
    selection of important commands to give a quick example).
  - The package bin:liblastlog2-2 is a new runtime dependency of package
    bin:util-linux that we already support.
  - The binary package liblastlog2-2 needs to be in main to have the latest merge
    of util-linux migrate from questing-proposed to questing.
  - All other binary packages currently in universe built by src:util-linux should
    remain in universe.
  - The package bin:liblastlog2-2 is required in Ubuntu main no later than
    somewhere in July due to some partners requiring patches to be SRU'd to Noble,
    and thus needing the package to migrate from -proposed (even though it's not a
    hard block from the SRU team, according to what I've read on Matrix recently).

  [Security]
  - Obviously, util-linux has had some security issues in the past (although not
    that many):
    - https://ubuntu.com/security/cves?package=util-linux
    - https://security-tracker.debian.org/tracker/source-package/util-linux
  - Those issues seem to be handled correctly in both Ubuntu and Debian:
    - https://ubuntu.com/security/CVE-2024-28085
    - https://security-tracker.debian.org/tracker/CVE-2024-28085
    - https://security-tracker.debian.org/tracker/CVE-2021-37600

  - There are countless binaries in sbin, but I'm fairly confident taking them out
    is a big plan of its own to still have a working system.
  - There are just a couple systemd units:
    - fstrim.{service,timer}: Discard unused filesystem blocks once a week
    - lastlog2-import.service: Import lastlog data into lastlog2 database - run
      only once in some particular situations to handle a data migration

  - About common isolation/risk-mitigation:
    - I'm not sure anything in util-linux is opening privileged ports.
    - I know some binaries are dropping privileges.
    - Going much further on that topic would be a full audit, for which I
      unfortunately don't really have the time or competency. I hope that's okay.

  - The package does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/util-linux/+bugs?orderby=-importance&start=0
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=util-linux
    - Upstream https://github.com/util-linux/util-linux/issues
    - Obviously this package has tons of open bugs, but at the same time, it has
      a lot of activity, and is well maintained upstream, in Debian, and in
      Ubuntu, just because of its central position in any Linux system.
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails
    it makes the build fail, link to build log TBD
  - The package runs an autopkgtest, and is currently passing on
    all architectures but i386: https://autopkgtest.ubuntu.com/packages/util-linux
  - The package does not have failing autopkgtests right now

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field

  - This package does not yield massive lintian Warnings, Errors
  - Recent build: https://launchpad.net/ubuntu/+source/util-linux/2.41-4ubuntu2/+build/30908305
  - Lintian overrides are present, but ok because most are well commented, and
    the rest is pretty obvious, like highly privileged binaries.

  - This package does not rely on obsolete or about to be demoted
  packages.

  - The package will be installed by default, but does not ask debconf
    questions higher than medium

  - Packaging is quite complex, but I'm not sure how much of a choice we have.
    Good thing is that this package is equally important in Debian, so it will very
    likely keep being maintained.

  [UI standards]
  - Application is end-user facing, Translation is present, via standard
    intltool/gettext. See `configure` for `libintl` and `gettext`.

  - End-user applications without desktop file, not needed because it only ships
  CLI tools.

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy.

  [Maintenance/Owner]
  - The owning team will be debcrafters-packages and I have their acknowledgement for
    that commitment
  - The future owning team is already subscribed to the package.

  - This does not use static builds.
  - This does not use vendored code
  - This package is not rust based

  - The package has been built within the last 3 months in the archive
  - Build link on launchpad: https://launchpad.net/ubuntu/+source/util-linux/2.41-4ubuntu2

  [Background information]
  The Package description explains the package well
  Upstream Name is `util-linux`
  Link to upstream project: https://github.com/util-linux/util-linux/

  This package has been in main since the very early beginning of Ubuntu, so never
  got the chance to get a proper MIR.
  This was sparked when `bin:util-linux` started to depend on
  `bin:liblastlog2-2`, which was in Universe. `liblastlog2-2` was nicely
  handled by @paelzer under the "Renamed or re-organized sources" condition.
  This MIR still makes sense to me, given that `util-linux` provides many
  very important binaries, among which many of them are `suid`, and is one of the
  `Essential` packages shipped in absolutely every form Ubuntu can take.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2113961/+subscriptions
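The [Security] section above leans on the setuid/setgid binaries the package ships without listing them, and notes that a full audit was out of scope. The script below is an added example (not part of the bug report, the MIR process, or util-linux itself) showing the first check a reviewer would run: enumerate every privileged file in an extracted package tree and diff it against an allowlist of binaries that are expected to carry the bit. The sample tree and the allowlist (`su mount umount`) are constructed for illustration; they are assumptions, not a statement of what util-linux actually ships on a given release.

```shell
#!/bin/sh
# Added example: enumerate setuid/setgid files in a package tree and report
# any that are not on an expected allowlist. Requires GNU find (-printf).
# Not part of the MIR; names and the allowlist are illustrative assumptions.

# list_privileged ROOT
# Print "mode owner group path" for every setuid (4000) or setgid (2000)
# regular file under ROOT, sorted by path.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' | sort -k4
}

# unexpected_privileged ROOT "name1 name2 ..."
# Print the basename of each privileged file under ROOT whose name is not in
# the space-separated allowlist. Empty output means nothing unexpected.
unexpected_privileged() {
    allow=" $2 "
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r path; do
        name=${path##*/}
        case "$allow" in
            *" $name "*) ;;                 # expected, skip
            *) printf '%s\n' "$name" ;;     # not on the allowlist
        esac
    done
}

# make_sample_tree
# Build a constructed stand-in for `dpkg-deb -x util-linux_*.deb tree`:
# three expected setuid tools, one unprivileged tool, and one surprise.
# Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/sbin"
    for f in su mount umount cal; do : > "$d/usr/bin/$f"; done
    chmod 4755 "$d/usr/bin/su" "$d/usr/bin/mount" "$d/usr/bin/umount"
    chmod 0755 "$d/usr/bin/cal"
    : > "$d/usr/sbin/surprise"
    chmod 4755 "$d/usr/sbin/surprise"       # the one a reviewer should catch
    printf '%s\n' "$d"
}

# Demo on the constructed tree when invoked as: sh audit_suid.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "Privileged files under $tree:"
    list_privileged "$tree"
    echo "Not on allowlist:"
    unexpected_privileged "$tree" "su mount umount"
    rm -rf "$tree"
fi
```

Against a real package, extract it first (`dpkg-deb -x util-linux_*.deb tree`) and run `list_privileged tree`; on an installed system, `dpkg -L util-linux` piped through the same `find -perm` test gives the live view. Anything not on the allowlist is either a reviewer's missing knowledge or a genuine finding, and both deserve a comment on the MIR.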


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
