-- Main inclusion re-review --

[Summary]
Dracut is an initrd generation tool which is an alternative to
initramfs-tools, currently used by Ubuntu. The rationale behind moving
from initramfs-tools to dracut is detailed in this specification -
https://discourse.ubuntu.com/t/spec-switch-to-dracut/54776.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

I would suggest a security re-review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: all except dracut-install which is already in main
Specific binary packages built, but NOT to be promoted to main: None

Notes
#2.0 - The same MIR bug was used to review and promote the dracut-install
  binary package to main. This review is for the rest of the binary
  packages of src:dracut.
#2.1 - No more CVEs have been reported against dracut since the previous
  security review.
#2.2 - The Debcrafters team is now subscribed to dracut.

Required TODOs
#2.3 - dracut-network Recommends iscsiuio which is in universe. See the
  [Dependencies] section. We could either drop iscsiuio to Suggests or do
  an additional MIR for it.
#2.4 - Address the localization related bug-report noted by the reporter
  LP#2088413

Recommended TODOs
#2.5 - The complexity involved in running the upstream test-suite as
  build-time tests is noted. However, would it be possible to add some
  simple tests instead?
#2.6 - Address pending “Later TODOs” #3 and #4 from the previous review
  https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2031304/comments/1
#2.7 - It has been mentioned earlier that the cpio support is being
  addressed in 3cpio. It might help to understand how 3cpio would be
  integrated and shipped. Is 3cpio ready to be Debian packaged and MIR’d
  in the current release cycle?
#2.8 - The dracut-network package has four alternative dependencies
  isc-dhcp-client | systemd | connman | network-manager
  Among these isc-dhcp-client and connman are not in main.
  We could probably have systemd as the primary alternative?
#2.9 - Enable autopkgtests on arm64, i386 and riscv64
  https://autopkgtest.ubuntu.com/packages/dracut
#2.10 - Address lintian warnings as noted in [Packaging red flags]
#2.11 - Address incautious use of malloc as noted in [Upstream red flags],
  through a fix or an upstream bug report.

[Rationale, Duplication and Ownership]
OK:
- There is no other package in main providing the same functionality
  => The initramfs-tools package provides the same functionality. But that
     is OK because this MIR is part of a planned transition from
     initramfs-tools to dracut, for creating the initrd.
- A team is committed to own long term maintenance of this package
  => The Debcrafters team
- The rationale given in the report seems valid and useful for Ubuntu
  => The rationale is well documented in
     https://discourse.ubuntu.com/t/spec-switch-to-dracut/54776

Problems: None

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now

Problems:
- SRCPKG checked with `check-mir`
  => dracut-network Recommends iscsiuio which is in universe
  => dracut-network Recommends isc-dhcp-client which is in universe
     but the systemd and network-manager alternatives are in main

[Embedded sources and static linking]
OK:
- no static linking through Built-Using or Static-Built-Using
- does not have unexpected Built-Using entries
- not a Go package
- not a Rust package

Problems:
- embedded source present
  => dracut_cpio vendors third_party/crosvm, but this is built only
     if configured with --enable-dracut-cpio, which we don't currently use

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats from an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems: none
- history of CVEs does not look concerning
  => No new CVEs added since the previous CVE review by Security for
     the dracut-install MIR
- dracut does deal with security attestation and system authentication
  => request a Security re-review because the previous review is almost
     2 years old

[Common blockers]
OK:
- does not FTBFS currently
- does have a non-trivial test suite that runs as autopkgtest
- this does not need special HW for build or test
- no new python2 dependency

Problems:
- does not have a test suite that runs at build time
  => from reporter: the upstream test suite starts several virtual
     machines (needing time and memory). The test suite needs a kernel,
     but the linux kernel is only readable by root

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control
- symbols tracking not applicable for this kind of code
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- debian/rules is rather clean
- it is not on the lto-disabled-list

Problems:
- no massive lintian warnings
  => however, there is a bunch of them related to the man pages

W: dracut-core: groff-message troff:<standard input>:1003: warning [p 9, 1.7i]: cannot break line [usr/share/man/man7/dracut.cmdline.7.gz:2]
W: dracut-core: groff-message troff:<standard input>:1003: warning [p 9, 1.7i]: cannot break line [usr/share/man/man7/dracut.kernel.7.gz:2]
W: dracut-core: groff-message troff:<standard input>:1019: warning [p 9, 3.3i]: cannot break line [usr/share/man/man7/dracut.cmdline.7.gz:3]
W: dracut-core: groff-message troff:<standard input>:1019: warning [p 9, 3.3i]: cannot break line [usr/share/man/man7/dracut.kernel.7.gz:3]
W: dracut-core: groff-message troff:<standard input>:1256: warning [p 11, 3.7i]: cannot break line [usr/share/man/man7/dracut.cmdline.7.gz:4]
W: dracut-core: groff-message troff:<standard input>:1256: warning [p 11, 3.7i]: cannot break line [usr/share/man/man7/dracut.kernel.7.gz:4]
W: dracut-core: groff-message troff:<standard input>:1309: warning [p 11, 7.8i]: cannot break line [usr/share/man/man7/dracut.cmdline.7.gz:5]
W: dracut-core: groff-message troff:<standard input>:1309: warning [p 11, 7.8i]: cannot break line [usr/share/man/man7/dracut.kernel.7.gz:5]
W: dracut-core: groff-message troff:<standard input>:181: warning: macro 'an-trap' not defined [usr/share/man/man8/dracut.8.gz:1]
W: dracut-core: groff-message troff:<standard input>:537: warning: macro 'an-trap' not defined [usr/share/man/man7/dracut.cmdline.7.gz:1]
W: dracut-core: groff-message troff:<standard input>:537: warning: macro 'an-trap' not defined [usr/share/man/man7/dracut.kernel.7.gz:1]
W: dracut-core: groff-message troff:<standard input>:68: warning: macro 'an-trap' not defined [usr/share/man/man7/dracut.modules.7.gz:1]
W: dracut-core: groff-message troff:<standard input>:72: warning: macro 'an-trap' not defined [usr/share/man/man5/dracut.conf.5.gz:1]

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid / setgid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Problems:
- some incautious use of malloc
  => src/install/dracut-install.c:576, malloc'd memory not free'd
- open bugs (crashers, etc) in Debian or Ubuntu
  => Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103457
     Ubuntu: https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2032141
- no translation present, but none needed for this case (user visible)?
  => open translation-related bug
     https://bugs.launchpad.net/ubuntu/+source/plymouth/+bug/2088413

** Bug watch added: Debian Bug tracker #1103457
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103457

-- 
https://bugs.launchpad.net/bugs/2031304

Title:
  [MIR] dracut
