[Bug 1948748] Re: [MIR] swtpm

Christian Ehrhardt  1948748 at bugs.launchpad.net
Tue Nov 9 07:58:24 UTC 2021


> > - Fix the ppc64 FTBFS
> >   https://launchpadlibrarian.net/557789130/buildlog_ubuntu-impish-ppc64el.libtpms_0.8.2-1ubuntu1_BUILDING.txt.gz
...
>  Neither issue indicates a problem with
> the quality of the code, so I don't think this should block support of the
> package on architectures where it is currently supportable.

Agreed, thanks for having a look at the details

> > Problems:
> > - important open bugs (crashers, etc) in Debian or Ubuntu
> >   IMHO there is one worthwhile to track (but no immediate action needed)
> >   FIPS:  https://github.com/stefanberger/libtpms/issues/51
>
> Well, as far as I'm aware Canonical has no product for FIPS certification of
> a virtualization stack, so I don't see any reason that FIPS for libtpms
> would be "important" for us.

Yeah, as I said this was "track (but no immediate action needed)" and
mostly meant as a hint for awareness if we ever need to work on it.


> > Recommended TODOs:
> > - While the lib is internal, .symbols tracking usually is cheap and protects
> >   even internal libs from some mistakes, consider adding it.
>
> I disagree that this is worthwhile; any changes to the symbols of an
> internal library that cause us to have to make changes to a symbols file are
> busywork.

It has helped in some odd cases, but yeah if you prefer it without
that or consider it busy-work then I'm totally ok to leave it as is
(that is why it was only in the recommended section).

> > - evaluate the possibility and impact of having "tcsd" in the build
> >   environment
>
> The problem is that the trousers package is itself buggy and frequently
> fails to install, so build-depending on it for the testsuite is not an
> improvement in QA.

Ok, still thanks for checking that

>
> I believe that addresses everything except for the security review.

Thank you for resolving all the little itches and scratches on this case!
I agree, I think we are good except for the security review.

MIR team ACK (all mandatory requests from the initial review are
fulfilled).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1948748

Title:
  [MIR] swtpm

Status in autogen package in Ubuntu:
  Won't Fix
Status in gnutls28 package in Ubuntu:
  Won't Fix
Status in libtpms package in Ubuntu:
  New
Status in swtpm package in Ubuntu:
  New

Bug description:
  [Availability]
  Available in universe in jammy.

  [Rationale]
  Needed in order to provide TPM functionality to VMs through kvm/libvirt; should be a Recommends: of qemu-system-x86

  [Security]
  Several security bugs found and fixed in libtpms this year http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libtpms

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3746 currently
  remains unfixed in the version present in jammy (DoS bug).

  [Quality assurance]
  Limited history: package not present in Debian, and only in Ubuntu since jammy.

  [UI standards]
  N/A

  [Dependencies]
  swtpm and libtpms; no further dependencies outside of main.

  [Standards compliance]
  OK

  [Maintenance]
  To be maintained by the Foundations Team.

  [Background information]
  N/A
