[Bug 2031304] Re: [MIR] dracut

Christian Ehrhardt  2031304 at bugs.launchpad.net
Wed Aug 23 11:57:08 UTC 2023


Thanks, this is now ready for the agreed reduced set

Override component to main
dracut 059-4ubuntu2 in mantic: universe/utils -> main
Override [y|N]? y
1 publication overridden.

Override component to main
dracut-install 059-4ubuntu2 in mantic amd64: universe/utils/optional/100% -> main
dracut-install 059-4ubuntu2 in mantic arm64: universe/utils/optional/100% -> main
dracut-install 059-4ubuntu2 in mantic armhf: universe/utils/optional/100% -> main
dracut-install 059-4ubuntu2 in mantic ppc64el: universe/utils/optional/100% -> main
dracut-install 059-4ubuntu2 in mantic riscv64: universe/utils/optional/100% -> main
dracut-install 059-4ubuntu2 in mantic s390x: universe/utils/optional/100% -> main
Override [y|N]? y
6 publications overridden.

With that done, it now enters the "second phase".
Which is "how about promoting more of src:dracut".
For that bdrung will work on the list of TODOs out of the MIR review and ping back once all of them would be ready for re-evaluation.
While at that, this can enter the security review queue (assigning to ubuntu-security).
Overall the state goes back to "new" for this.

** Changed in: dracut (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dracut in Ubuntu.
Matching subscriptions: dracut
https://bugs.launchpad.net/bugs/2031304

Title:
  [MIR] dracut

Status in dracut package in Ubuntu:
  Fix Committed

Bug description:
  [Availability]
  The package dracut is already in Ubuntu universe.
  The package dracut builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/dracut

  [Rationale]
  The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185).
  The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules.

  To my knowledge there are only initramfs-tools (main) and dracut
  (universe) in the archive that cover the use case. initramfs-tools is
  Debian-specific and dracut tries to be a distro-agnostic solution.

  dracut-core is already used by Ubuntu Core:
  https://github.com/snapcore/core-initrd/

  The package dracut is required in Ubuntu main by the feature freeze next
  Thursday to land the change in bug #2031185.

  [Security]
  - Had 5 security issues in the past
    - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
    - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
    - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
    - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
  - no `suid` or `sgid` binaries
  - Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
    - /lib/systemd/system/dracut-cmdline.service
    - /lib/systemd/system/dracut-initqueue.service
    - /lib/systemd/system/dracut-mount.service
    - /lib/systemd/system/dracut-pre-mount.service
    - /lib/systemd/system/dracut-pre-pivot.service
    - /lib/systemd/system/dracut-pre-trigger.service
    - /lib/systemd/system/dracut-pre-udev.service
    - /lib/systemd/system/dracut-shutdown-onfailure.service
    - /lib/systemd/system/dracut-shutdown.service
  - Package does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints
  - Package does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
    - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the Linux kernel is only readable by root (see bug #759725)
  - The package runs an autopkgtest, and is currently passing on
    amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/d/dracut/20230816_015908_d6cb2@/log.gz
  - I am working on fixing the new autopkgtests on the other architectures (see bug #2031417).

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will be installed by default, but does not ask debconf
    questions higher than medium
  - Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

  [Standards compliance]
  - This package violates FHS or Debian Policy:
    - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distributions (e.g. Fedora) do

  [Maintenance/Owner]
  - Owning Team will be Foundations team
  - Foundations Team is not yet, but will subscribe to the package before promotion
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based (but that might change in the future)
  - The package has been built in the archive more recently than the last
    test rebuild

  [Background information]
  The Package description explains the package well
  Upstream Name is dracut
  Link to upstream project: https://github.com/dracutdevs/dracut/wiki/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2031304/+subscriptions



