Review for Source Package: libsass [Summary]
The package is needed in ubuntu main as a new runtime dependency of Openstack Horizon that we already support. The upstream package is deprecated. However, as per README, it will continue to receive maintenance: "Warning: LibSass is deprecated. While it will continue to receive maintenance releases indefinitely, there are no plans to add additional features or compatibility with any new CSS or Sass features." The upstream Openstack Horizon decided to pull libsass in favor of pyscss as lesser evil. Pyscss has no updates since 2022. That said, and taking into account the upstream libsass will continue to receive indefinitely maintenance releases we're good to go. Static builds are present but ubuntu-openstack team is aware of the implications and commit to test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM). It has a history of CVEs and the package can parse user provided files (css) which is not a trusted source. The package has no build time tests. It is not clear whether it is actually lto disabled: It does pop up in the lto-disable list: $ cat /usr/share/lto-disabled-list/lto-disabled-list | grep libsass libsass any and there is this bug : https://bugs.launchpad.net/ubuntu/+source/libsass/+bug/1936964 But debian/rules: export DEB_BUILD_MAINT_OPTIONS=optimize=+lto and also -flto=auto flag present in build output. Minor issue: Upstream latest release is 3.6.6, ubuntu/debian is 3.6.5+20231221-3. However all the code from upstream 3.6.6 is in the ubuntu 3.6.5+20231221-3. MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs. This does need a security review, so I'll assign ubuntu-security List of specific binary packages to be promoted to main: libsass1, libsass-dev Specific binary packages built, but NOT to be promoted to main: <None> Notes: Required TODOs: 1. Clarify what happens with lto and fix appropriately. 2. Add build time tests. Recommended TODOs: 3. Update the debian/ubuntu version to match upstream. 4. Fix if possible build warnings. - The package should get a team bug subscriber before being promoted [Rationale, Duplication and Ownership] There is no better alternative in main providing the same functionality. The ubuntu-opestack team is committed to own long term maintenance of this package. The rationale given in the report seems valid and useful for Ubuntu [Dependencies] OK: - no other Dependencies to MIR due to this - no -dev/-debug/-doc packages that need exclusion - No dependencies in main that are only superficially tested requiring more tests now. Problems: None [Embedded sources and static linking] OK: - no embedded source present - does not have unexpected Built-Using entries - not a go package, no extra constraints to consider in that regard - not a rust package, no extra constraints to consider in that regard - Does not include vendored code Problems: - static builds present [Security] OK: - does not run a daemon as root - does not use webkit1,2 - does not use lib*v8 directly - does not expose any external endpoint (port/socket/... or similar) - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does not deal with security attestation (secure boot, tpm, signatures) - does not deal with cryptography (en-/decryption, certificates, signing, ...) - this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...) Problems: - History of CVEs does look concerning - does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source. [Common blockers] OK: - does not FTBFS currently - does have a non-trivial test suite that runs as autopkgtest - This does not need special HW for build or test - no new python2 dependency Problems: - does not a have test suite that runs at build time [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking is in place. - debian/watch is present and looks ok (if needed, e.g. non-native) - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - debian/rules is rather clean Problems: - Upsteam is deprecated - Upstream update history has not recieved an update for over a year now - Debian/Ubuntu update history follows upstream - Upstream latest release is 3.6.6, ubuntu/debian is 3.6.5+20231221-3 - It pops-up in the lto-disabled list [Upstream red flags] OK: - no incautious use of malloc/sprintf (as far as we can check it) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests) - no use of user nobody - no use of setuid / setgid - no dependency on webkit, qtwebkit or libseed - not part of the UI for extra checks - no translation present, but none needed for this case (user visible)? Problems: - warnings present during the build - important open bugs (crashers, etc) in Debian and Ubuntu ** Changed in: libsass (Ubuntu) Status: New => Incomplete ** Changed in: libsass (Ubuntu) Assignee: Ioanna Alifieraki (joalif) => James Page (james-page) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2095582 Title: [MIR] libsass To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libsass/+bug/2095582/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
