[Bug 1790855] Re: [MIR] gpsd

Christian Ehrhardt  1790855 at bugs.launchpad.net
Wed Jan 23 10:17:09 UTC 2019


Hi,
all packaging quality issues are addressed in 3.18.1-1 which is in Debian experimental.
The maintainer wants to wait to do the transition until Buster is released.

But we could continue our evaluation here.
1. I'd ask to re-evaluate the package at version 3.18.1-1
   That has fixed all lintian --pedantic warnings and got rid of python2
2. once that is ok we could ask the security Team to do the review to eventually be ready once
   Debian makes the move to 3.18.1-1

Setting the state back to new to be re-evaluated.

** Changed in: gpsd (Ubuntu)
       Status: Incomplete => New

** Changed in: gpsd (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => MIR approval team (ubuntu-mir)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gpsd in Ubuntu.
https://bugs.launchpad.net/bugs/1790855

Title:
  [MIR] gpsd

Status in gpsd package in Ubuntu:
  New

Bug description:
  FYI: We want to only seed the two binary packages:
  - gpsd
  - libgpsd23
  But none of the others (further bindings, tools, ...)
  They will stay "only" a suggest from Chrony, but we want to add them to the supported seed to reflect their elevated support status.

  Availability: GPSD has been available for quite a while and builds for all
  architectures

  Rationale:
  - The package is the de-facto way to feed GPS HW-based time info into chrony which became the main NTP server with Bionic.
  - All users using HW assisted NTP would be glad to have this in main
  - It is not a dependency for chrony, but we'd seed it to get into main and add a suggest to chrony (while HW people want it the majority of the community is good without, so no depends/recommend)
  - in some way the replacement ntp->chrony was only half of it as ntp had ntp-server AND GPS reading capabilities. This MIR fills the gap created by that.

  Security:
  - there are two (fairly old) CVEs against GPSD
    => https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=gpsd
  - since the above nothing came up, the project itself is active and vital IMHO
    => https://www.openhub.net/p/gpsd
  - One of the issues has a USN, maybe the security team remembers if that was ok or bad back then
    => https://usn.ubuntu.com/1820-1/

  Quality assurance:
  - After installing, the package just needs to be told on which device to work, then it will gather GPS data (that is as minimal as it can be I'd think).
  - no debconf on install
  - long term this had a few crashes back in 2012-2014 but not much since then (a few actually unrelated apport reports on postinst issues); nothing should stop considering this for main IMHO
  => https://bugs.launchpad.net/ubuntu/+source/gpsd
  => https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=yes&src=gpsd
  - The one related important bug IMHO is bug 1790496 which will add apparmor to GPSD which I'd prefer when we grant it main (I wait on a security review there)
  - "exotic hardware" is part of the GPSD story; we (server team) have two kinds of receivers to test, but there is a vast array of potential receivers, not all of which we will be able to test.
  - a debian/watch file is in place

  UI standards:
  - not a UI package

  Dependencies:
  - Dependencies are sane (all in main and not deprecated)
    GPSD:
    Depends: netbase | systemd-sysv, lsb-base (>= 3.2-13), adduser (>= 3.34), libbluetooth3 (>= 4.91), libc6 (>= 2.27), libdbus-1-3 (>= 1.9.14), libusb-1.0-0 (>= 2:1.0.8), libgps23 (= 3.17-5build1)
    Recommends: udev, python
    LIBGPS23
    Depends: libc6 (>= 2.15), libdbus-1-3 (>= 1.9.14), libstdc++6 (>= 5)
  - There are a few universe build-depends, but nothing totally outdated IMHO

  Standards compliance:
  - meets the FHS
  - follows (an older) standard 3.9.2

  Maintenance:
  - so far was mostly a sync, only now we pick up more work on it.
  - DPB confirmed the server team would take over package subscription and maintainership as owning team

  Background information:
  Receiving GPS signals just to do so would be no core value of Ubuntu and not main-worthy. But being the de-facto way to feed the main ntp server (chrony) in Ubuntu with GPS data to improve time makes it a candidate.
