Review for Source Package: azure-proxy-agent

[Summary]
The essence of the review result from the MIR POV is that this is a well-constructed package with ample testing, good documentation, no concerning history, and an upstream that is likely to maintain the project to a high degree of quality.

MIR team ACK, pending a security review due to the new nature of the package and the fact that it is a root system daemon that can process web content.
List of specific binary packages to be promoted to main: azure-proxy-agent.

Notes:
Recommended TODOs:
- The package should get a team bug subscriber before being promoted. The initial MIR submission suggests cpc-azure.

[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
- A team is committed to own long term maintenance of this package (cpc-azure).
- The rationale given in the report seems valid and useful for Ubuntu.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - azure-proxy-agent checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries

OK:
- not a go package, no extra constraints to consider in that regard
- Rust package that has all dependencies vendored. It does neither have *Built-Using (after build). Nor does the build log indicate built-in sources that are missed to be reported as Built-Using.
- Vendoring appears to be done correctly as the orig-rust-vendor.tar.xz is unpacked and the usage is clear in the logs with ‘cargo build --offline …’. See buildlog.
- Includes vendored code, the package has documented how to refresh this code at debian/README.source.

Problems: None

[Security]
OK:
- History of CVEs does not look concerning - very new package
- Appears to run daemon as root as ‘User=’ or ‘Group=’ not defined in systemd service file - runs azure-proxy-agent.service but with ProtectSystem=strict. System sandboxing appears to be in place.
- Does not use webkit1,2
- Does not use lib*v8 directly
- Does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source.
- Does not expose any external endpoint (port/socket/... or similar). The service only makes outgoing connections to 127.0.0.1, 168.63.129.16, 169.254.169.254 (a known Azure DNS endpoint).
- Does not process arbitrary web content - does process web content but the service is a specialized proxy so it is not arbitrary.
- Does use centralized online account as a core attribute - Microsoft Azure
- Does not integrate arbitrary javascript into the desktop
- Does not deal with system authentication (e.g. pam, etc.)
- Does not deal with security attestation (secure boot, tpm, signatures)
- Does not deal with cryptography - package uses crate ‘hyper’ which deals in HTTP. No other encryption software was found in the package.
- This makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...)

Problems:
- Due to the new nature of the package and the fact that it runs a root system daemon processing web content, I believe a security review is necessary for this package.

[Common blockers]
OK:
- does not FTBFS currently - checked manually on Questing VM
- does have a test suite that runs at build time - ‘cargo test’ in d/rules
  - test suite will fail the build upon error - ‘cargo test’ exits non-zero on failure and no ‘ignores’ are included.
- does have a non-trivial test suite that runs as autopkgtest - smoke test in d/tests that checks if azure-proxy-agent.service is running and tries to reach it. Fails if not.
- This does not need special HW for build or test
- if a non-trivial test on this level does not make sense (the lib alone is only doing rather simple things), is the overall solution (app+libs) extensively covered i.e. via end to end autopkgtest?
Yes, the smoke test run checks if azure-proxy-agent.service is running and tries to reach it. The test fails if not.
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good - updates several times per week.
- Debian/Ubuntu update history is good. The package is new this year but has had several updates already. The current version is one patch behind upstream (1.0.30 Ubuntu vs. 1.0.31 upstream)
- promoting this does not seem to cause issues for MOTUs that so far maintained the package.
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
None - active project maintained by the Azure team. https://github.com/Azure/GuestProxyAgent

OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it, Rust)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- No use of user ‘nobody’ outside of tests. The command ‘setuid’ appears in rust vendored libraries ‘nix’, ‘uzers’ and ‘libc’, but ok because the main application does not call setuid or guid.
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case. Not user-visible.

Problems: None

--
https://bugs.launchpad.net/bugs/2112359
Title: [MIR] azure-proxy-agent
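
The [Security] check above (no ‘User=’ or ‘Group=’ in the service file, ProtectSystem=strict present) can be scripted for a unit file. This is an added example, not part of the review or of the package: the unit text is a constructed sample rather than the real azure-proxy-agent.service, the list of extra directives it looks for is an assumption, and drop-in overrides are not read.

```python
# Added example: audit the [Service] section of a systemd unit for the points
# the review checks (effective user, ProtectSystem=, other sandboxing knobs).

# Constructed sample unit; NOT the real azure-proxy-agent.service.
SAMPLE_UNIT = """\
[Unit]
Description=Sample proxy agent (constructed)

[Service]
ExecStart=/usr/sbin/sample-proxy-agent
ProtectSystem=strict
; no User= or Group= line, so systemd runs the service as root
"""

# Assumed checklist of further systemd sandboxing directives worth reporting.
HARDENING = ("NoNewPrivileges", "PrivateTmp", "ProtectHome",
             "CapabilityBoundingSet", "SystemCallFilter")


def parse_service(text):
    """Return the [Service] settings as a dict; the last assignment wins."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Summarise who the service runs as and which sandboxing is configured."""
    s = parse_service(text)
    dynamic = s.get("DynamicUser", "no").lower() in ("yes", "true", "1", "on")
    runs_as_root = not dynamic and s.get("User", "") in ("", "root", "0")
    return {
        "runs_as_root": runs_as_root,
        "protect_system": s.get("ProtectSystem", "no"),
        "missing": [d for d in HARDENING if not s.get(d)],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_UNIT).items():
        print(f"{key}: {value}")
```
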
