** Description changed:

  Following the process documented at
  https://wiki.ubuntu.com/MainInclusionProcess , the following template
  needs to be filled in to start the MIR for zfs-linux in 16.04
  
- [Availability]
- 
- [Rationale]
- 
- [Security]
+ Below are my answers to the various main inclusion requirements, marked
+ by a * prefix:
+ 
+ [Availability]:
+ 
+   "The package must already be in the Ubuntu universe, and must
+   build for the architectures it is designed to work on."
+ 
+   * http://packages.ubuntu.com/xenial/admin/zfsutils-linux
+   * Yes - built for 64 bit arches only, because ZFS is designed to run
+     well only on 64 bit architectures.
+ 
+ [Rationale]:
+ 
+   "There must be a certain level of demand for the package, for example:
+   The package is useful for a large part of our user base."
+ 
+   * Yes - there is a lot of interest in ZFS in the server space and for
+     users wanting to use a file system that supports huge collections of
+     disks with excellent reliable features such as checksummed raid,    
mirroring
+     striping with easy configuration and also simple data sanity checking and
+     fixing.
+   * Being requested by Kiko
+ 
+   "The package is a new build dependency or dependency of a package that we
+   already support (additionally, the official image builder requires all
+   used packages be in main)."
+ 
+   * Yes, already in Wily as a technology demo.
+ 
+   "The package helps meet a specific Blueprint goal."
+ 
+   * No blueprint goal.
+ 
+   "The package replaces another package we currently support and promises
+   higher quality and/or better features, so that we can drop the old
+   package from the supported set."
+ 
+   * Not applicable
+ 
+ 
+ [Security]:
+   "The security history and the current state of security issues in
+   the package must allow us to support the package for at least 18 months
+   without exposing its users to an inappropriate level of security risks.
+   This requires checking of several things that are explained in detail in
+   the subsection Security checks."
+ 
+   "Check how many vulnerabilities the package had in the past and how they
+   were handled by upstream and the Debian/Ubuntu package:"
+ 
+   "http://cve.mitre.org/cve/cve.html: Search in the National Vulnerability
+    Database using the package as a keyword"
+ 
+   NO ZFS Linux CVEs found, here is the complete list from Mitre:
+ 
+ CVE-2015-1415
+   The bsdinstall installer in FreeBSD 10.x before 10.1 p9, when configuring
+   full disk encrypted ZFS, uses world-readable permissions for the GELI
+   keyfile (/boot/encryption.key), which allows local users to obtain sensitive
+   key information by reading the file.
+ 
+ CVE-2015-0448
+   Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to
+   affect confidentiality, integrity, and availability via vectors related to
+   ZFS File system.
+ 
+ CVE-2013-3266
+   The nfsrvd_readdir function in sys/fs/nfsserver/nfs_nfsdport.c in the new
+   NFS server in FreeBSD 8.0 through 9.1-RELEASE-p3 does not verify that a
+   READDIR request is for a directory node, which allows remote attackers to
+   cause a denial of service (memory corruption) or possibly execute arbitrary
+   code by specifying a plain file instead of a directory.
+ 
+ CVE-2011-2313
+   Unspecified vulnerability in Oracle Solaris 10 allows local users to affect
+   availability, related to ZFS.
+ 
+ CVE-2011-2312
+   Unspecified vulnerability in Oracle Solaris 10 allows local users to affect
+   confidentiality, related to ZFS.
+ 
+ CVE-2011-2311
+   Unspecified vulnerability in Oracle Solaris 10 allows local users to affect
+   availability, related to ZFS.
+ 
+ CVE-2011-2286
+   Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows remote
+   authenticated users to affect availability, related to ZFS.
+ 
+ CVE-2010-4458
+   Unspecified vulnerability in Oracle Solaris 11 Express allows local users
+   to affect availability, related to ZFS.
+ 
+ CVE-2010-3540
+   Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local
+   users to affect availability, related to ZFS.
+ 
+ CVE-2010-2392
+   Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local
+   users to affect integrity and availability, related to ZFS.
+ 
+ CVE-2010-0318
+   The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2,
+   and 8.0, when creating files during replay of a setattr transaction, uses
+   7777 permissions instead of the original permissions, which might allow
+   local users to read or modify unauthorized files in opportunistic
+   circumstances after a system crash or power failure.
+ 
+ CVE-2009-3706
+   Unspecified vulnerability in the ZFS filesystem in Sun Solaris 10, and
+   OpenSolaris snv_100 through snv_117, allows local users to bypass intended
+   limitations of the file_chown_self privilege via certain uses of the chown
+   system call. 
+ 
+   "http://secunia.com/advisories/search/: search for the package as a
+ keyword"
+ 
+   * No security advisories found
+ 
+   Ubuntu CVE Tracker:
+ 
+   http://people.ubuntu.com/~ubuntu-security/cve/main.html
+   * No
+   http://people.ubuntu.com/~ubuntu-security/cve/universe.html
+   * No
+   http://people.ubuntu.com/~ubuntu-security/cve/partner.html
+   * No
+ 
+   "Check for security relevant binaries. If any are present, this
+   requires a more in-depth security review."
+ 
+   "Executables which have the suid or sgid bit set."
+   * Not applicable
+ 
+   "Executables in /sbin, /usr/sbin."
+   * Applicable. This requires security review
+ 
+   "Packages which install daemons (/etc/init.d/*)"
+   * Applicable. This requires security review
+ 
+   "Packages which open privileged ports (ports < 1024)."
+   * Not applicable
+ 
+   "Add-ons and plugins to security-sensitive software (filters,
+   scanners, UI skins, etc)"
+   * Not applicable
+ 
  
  [Quality assurance]
- 
- [Dependencies]
+   "After installing the package it must be possible to make it working with a 
reasonable effort of configuration and documentation reading."
+  
+   * Will work "out-of-the-box" once zfsutils-linux installed with 4.4 kernel
+   * Quick start ZFS reference guide written:
+     https://wiki.ubuntu.com/Kernel/Reference/ZFS
+   * Package contains main pages
+ 
+   "The package must not ask debconf questions higher than medium if it is
+   going to be installed by default. The debconf questions must have
+   reasonable defaults."
+ 
+   * Does not apply.
+ 
+ 
+   "There are no long-term outstanding bugs which affect the usability of the 
program to a major degree. To support a package, we must be reasonably 
convinced that upstream supports and cares for the package."
+ 
+   * We have good upstream support from ZFS maintainers, response to bugs
+     file upstream is within 24 hours
+ 
+   "The status of important bugs in Debian's, Ubuntu's, and upstream's bug
+   tracking systems must be evaluated. Links to these bug trackers need to
+   be provided in the MIR report. Important bugs must be pointed out and
+   discussed in the MIR report."
+ 
+   Upsteam bug tracking:
+     ZFS - https://github.com/zfsonlinux/zfs/issues
+     SPL - https://github.com/zfsonlinux/spl/issues
+   Ubuntu bug tracking:
+     https://bugs.launchpad.net/ubuntu/+source/zfs-linux
+ 
+   Resolved bugs:
+   LP#1521952 Add dependency on dh-systemd for zfs-linux
+   LP#1513124 Fix FTBFSs on ppc64el and arm64
+ 
+   "The package is maintained well in Debian/Ubuntu (check out the Debian PTS)"
+     Maintained by Kernel team in sync with kernel
+   
+ 
+   Testing: We have several sets of ZFS specific regression tests in the
+     kernel team autotest test infrastructure:
+ 
+   * The ZFS test suite:
+     
http://kernel.ubuntu.com/git/ubuntu/autotest-client-tests.git/tree/ubuntu_zfs
+   * fstest (Linux POSIX file system test suite)
+     
http://kernel.ubuntu.com/git/ubuntu/autotest-client-tests.git/tree/ubuntu_zfs_fstest
+   * ZFS I/O stress tests:
+     
http://kernel.ubuntu.com/git/ubuntu/autotest-client-tests.git/tree/ubuntu_zfs_stress
+   * XFS generic tests on ZFS:
+     
http://kernel.ubuntu.com/git/ubuntu/autotest-client-tests.git/tree/ubuntu_zfs_xfs_generic
+ 
+   Note: currently working on a adt set of tests for ZFS to cover core 
features as
+   as set of kernel team smoke tests.
+ 
+ [Dependencies]:
+   All build and binary dependencies (including Recommends:) must be
+   satisfyable in main (i. e. the preferred alternative must be in main).
+   If not, these dependencies need a separate MIR report (this can be a
+   separate bug or another task on the main MIR bug)
+ 
+   zfs-linux:
+   * autotools-dev - Yes
+   * autoconf - Yes
+   * autogen - Yes
+   * automake - Yes
+   * debhelper - Yes
+   * dh-autoreconf - Yes
+   * dh-systemd - Yes
+   * dkms - Yes
+   * libselinux1-dev - Yes
+   * libtool - Yes
+   * uuid-dev - Yes
+   * zlib1g-dev - Yes
  
  [Standards compliance]
  
+   "Standards compliance: The package should meet the FHS and Debian Policy
+   standards. Major violations should be documented and justified. Also, the
+   source packaging should be reasonably easy to understand and maintain."
+   
+   Yes, I believe so.
+ 
  [Maintenance]
  
+   "The package must have an acceptable level of maintenance
+   corresponding to its complexity:
+   Simple packages (e.g. language bindings, simple Perl modules, small
+   command-line programs, etc.) might not need very much maintenance effort,
+   and if they are maintained well in Debian we can just keep them synced
+ 
+   More complex packages will usually need a developer or team of
+   developers paying attention to their bugs, whether that be in Ubuntu or
+   elsewhere (often Debian). Packages that deliver major new headline
+   features in Ubuntu need to have commitment from Ubuntu developers
+   willing to spend substantial time on them."
+ 
+   * Falls into the complex package category. Colin King will primarily
+     maintain this package, with ownership owned and covered by the
+     Canonical Kernel Team. We have already performed SRU on ZFS in
+     Wily, showing we have the means to actively support this package.
+ 
+   "All packages must have a designated "owning" team, regardless of
+   complexity, which is set as a package bug contact."
+ 
+   * Yes, Canononical Kernel Team
+     https://launchpad.net/~canonical-kernel-team
+ 
  [Background information]
+   "The package descriptions should explain the general purpose and context
+   of the package. Additional explanations/justifications should be done
+   in the MIR report."
+ 
+   * Yes, package description covers the scope of the package
+ 
+   "If the package was renamed recently, or has a different upstream name,
+   this needs to be explained in the MIR report."
+ 
+   The ZFS on Linux provides ZFS packaged under the debian-zfs.  Debian
+   provides zfsutils for *BSD based kernels (kFreeBSD). The package name
+   zfsutils-linux was chosen for Linux based arches.
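Review bot: In the [Security] section, the answers to "Executables in /sbin, /usr/sbin." and "Packages which install daemons (/etc/init.d/*)" both read "Applicable. This requires security review" but name neither the binaries nor the init scripts, so the security team cannot scope the review from this description. Please list the installed paths under each answer. In the same section, "NO ZFS Linux CVEs found" is followed by a list of FreeBSD and Solaris ZFS CVEs with no statement on whether any of them were checked against the Linux port; a one-line disposition per entry would close that gap. Under [Dependencies], the requirement covers build and binary dependencies "including Recommends:", but the zfs-linux list does not say which kind each entry is and shows no Recommends, so it is worth splitting the list and stating the Recommends explicitly.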

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1532198

Title:
  [MIR] zfs-linux
