[Bug 1867813] Re: [MIR] linux-firmware-raspi2 to restricted

Seth Arnold 1867813 at bugs.launchpad.net
Fri Oct 16 23:10:07 UTC 2020


I reviewed linux-firmware-raspi2 version 2-0ubuntu1 as checked into 
groovy. This is a very quick pass over the package.

My concerns for this package are nearly identical to my concerns given in 
https://bugs.launchpad.net/ubuntu/+source/rpi-eeprom/+bug/1895137/comments/11
Thanks Dave for anticipating similar expectations for this package:
https://bugs.launchpad.net/ubuntu/+source/linux-firmware-raspi2/+bug/1867813/comments/13

One concern I have with this package is that the get-orig-source target 
downloads files without strong verification of file contents; it is 
trusting the github infrastructure and x.509 ecosystem to make sure 
incorrect files aren't downloaded by accident.

This isn't ideal but also isn't restricted to this one package.

Security team ACK for promoting linux-firmware-raspi2 to restricted.

Thanks


** Changed in: linux-firmware-raspi2 (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
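The get-orig-source concern above, as an added example that is not the package's own debian/rules: a pinned SHA-256 check so the downloaded file's content is verified independently of the TLS transport and hosting infrastructure, and a mismatching download is never left in the tree. The URL, file names and hash values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from linux-firmware-raspi2): accept a downloaded file
# only when its SHA-256 matches a value pinned in the packaging.
set -eu

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 equals the pinned value, 1 otherwise.
verify_pinned() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_verified URL DEST EXPECTED_SHA256
# Downloads to a temporary file and moves it into place only after the
# hash matches; on any failure the temporary file is removed so nothing
# unverified remains where a build could pick it up.
fetch_verified() {
    url=$1
    dest=$2
    expected=$3
    tmp=$(mktemp "${dest}.XXXXXX")
    if curl --fail --silent --show-error --location --output "$tmp" "$url" \
        && verify_pinned "$tmp" "$expected"; then
        mv "$tmp" "$dest"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Constructed usage: the hash would be pinned in the packaging, not fetched.
# fetch_verified "https://example.invalid/firmware/start.elf" start.elf \
#     "<pinned sha256 placeholder>"
```

The pinned hashes must be stored in the packaging itself and updated deliberately on each upstream bump, otherwise the check only re-trusts whatever the download returned.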


Title:
  [MIR] linux-firmware-raspi2 to restricted

Status in linux-firmware-raspi2 package in Ubuntu:
  Confirmed

Bug description:
  1. Availability: The package is already available in multiverse and is
  already used on all of our Ubuntu Raspberry Pi images.

  2. Rationale: As mentioned above, the package is already used on all
  of our Ubuntu Raspberry Pi preinstalled images (raspi) - and has been
  used there since the first raspi2 images have been supported. It is
  essentially a mistake that the package is still in multiverse, as we
  should not build images using packages outside of main and restricted.

  3. Security: So far there has been no CVE or any security
  vulnerability reported for our package. Generally the package consists
  of binary blobs coming from the Raspberry Pi foundation.

  4. Quality assurance: The package is easy to test and verify, as this
  is an essential package to the operation of Ubuntu on Raspberry Pi. It
  is maintained by Ubuntu Foundations, along with extensive QA on
  various Pi platforms.

  5. Dependencies: The package has no dependencies (only shipping binary
  blobs).

  6. Standards compliance: The licensing of the binaries is a bit ugly,
  but all the proprietary bits are well documented in debian/copyright.

  7. Maintenance: The package is actively maintained by the Ubuntu
  Foundations team.

  8. Background information:

  As mentioned, this package is already used for all our images, so we
  are already treating it as a package from restricted per-se. So moving
  the package to restricted should only be a formality. All the hosted
  binary blobs are essential to our Ubuntu raspi experience, so we can't
  really do much without them.

  Another important note: this package is not part of any seed right
  now, but instead pulled in via livecd-rootfs directly when building
  raspi images (we'll figure something better for the future).
