[Bug 2008789] Re: [MIR] inetutils

[Mark Esler]

It appears that Debian dropped netkit-telnet for netkit-telnet-ssl.

https://packages.debian.org/sid/telnet-ssl

> SSL telnet replaces normal telnet using SSL authentication and
encryption. It interoperates with normal telnetd in both directions. It
checks if the other side is also talking SSL, if not it falls back to
normal telnet protocol.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to inetutils in Ubuntu.
https://bugs.launchpad.net/bugs/2008789

Title:
  [MIR] inetutils

Status in inetutils package in Ubuntu:
  New

Bug description:
  Dear reviewers, this is my first MIR. I answered all questions very
  carefully, but if something feels wrong, please look extra closely or
  ask me (~dviererbe) to reinvestigate a given answer.

  [Availability]
  The package inetutils-telnet is already in Ubuntu universe.
  The package inetutils-telnet build for the architectures it is designed to work on.
  It currently builds and works for architetcures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
  Link to package [[https://launchpad.net/ubuntu/+source/inetutils|inetutils]]

  [Rationale]
   The package inetutils-telnet is required in Ubuntu main:
   - The package inetutils-telnet will not generally be useful for a large part of
     our user base, but is important/helpful still because it is commonly used for
     network diagnostics, like protocol testing of SMTP services.
   - Additionally telnet is still used for legacy industrial and scientific
     equipment.
   - Package inetutils-telnet covers similar use cases as netkit-telnet, but
     is better because netkit-telnet has been dropped altogether from Debian,
     thereby we want to replace it.

   - The package inetutils-telnet is required in Ubuntu main no later than
     April 13th 2023 due to the Ubuntu 23.04 Lunar Lobster release date.

  [Security]
   - Had security issues in the past:
     - CVE-2019-0053 (needs triage)
       - https://ubuntu.com/security/CVE-2019-0053
     - most likely not relevant:
       - CVE-2022-39028 (only related to telnetd)
         - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39028
         - https://ubuntu.com/security/CVE-2022-39028
       - CVE-2020-10188 (related to netcat):
         - https://www.openwall.com/lists/oss-security/2018/12/13/2
         - https://www.openwall.com/lists/oss-security/2018/12/14/8
       - CVE-2011-4862 (related to telnetd; not sure if relevant anymore)
         - https://ubuntu.com/security/CVE-2011-4862
         - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
     - security issues were patched or reached end of life

   - no `suid` or `sgid` binaries
   - no executables in `/sbin` and `/usr/sbin`
   - Package does not install services, timers or recurring jobs
   - Packages does not open privileged ports (ports < 1024)
   - Packages does not contain extensions to security-sensitive software
     (filters, scanners, plugins, UI skins, ...)
   - See list of files for:
     - amd64: https://packages.ubuntu.com/lunar/amd64/inetutils-telnet/filelist
     - arm64: https://packages.ubuntu.com/lunar/arm64/inetutils-telnet/filelist
     - armhf: https://packages.ubuntu.com/lunar/armhf/inetutils-telnet/filelist
     - i386: https://packages.ubuntu.com/lunar/i386/inetutils-telnet/filelist
     - ppc64el: https://packages.ubuntu.com/lunar/ppc64el/inetutils-telnet/filelist
     - s390x: https://packages.ubuntu.com/lunar/s390x/inetutils-telnet/filelist

  [Quality assurance - function/usage]
   - The package works well right after install

  [Quality assurance - maintenance]
   - The package is maintained well in Debian/Ubuntu/Upstream and does
     not have too many, long-term & critical, open bugs
     - Ubuntu https://bugs.launchpad.net/ubuntu/+source/inetutils/+bug
     - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=inetutils
     - Upstream-Homepage: https://www.gnu.org/software/inetutils/
     - Upstream-Bugtracker: https://lists.gnu.org/archive/html/bug-inetutils/
   - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
   - The package runs a test suite on build time, if it fails
     it makes the build fail

   - The package runs an autopkgtest, and its builds are currently passing on
     amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
   - link to builds (logs can be accessed through the web UI)
     https://launchpad.net/ubuntu/lunar/+builds?build_text=inetutils&build_state=built&arch_tag=all
   - Link to autopkgtests https://autopkgtest.ubuntu.com/packages/i/inetutils

   - The package does have failing autopkgtests tests right now, but they
     allways fail (See: https://bugs.launchpad.net/ubuntu/+source/inetutils/+bug/2009814)
     This is okay because the failure occures at the inetutils-ping package.
     The Foundations Team is working on a fix.

  [Quality assurance - packaging]
   - debian/watch is present and works
   - debian/control defines a correct Maintainer field

   - This package does not yield massive lintian Warnings, Errors
   - Recent build log of inetutils: https://launchpad.net/ubuntu/lunar/+builds?build_text=inetutils&build_state=all&arch_tag=all
   - Full output of `lintian --pedantic` is attached as an extra post to this bug.
   - A lintian overrides is present, but ok because it is unused
   - The lintian Error 'inetutils changes: bad-distribution-in-changes-file lunar-amd64'
     emitted in the build log, this is because the debian/changelog file
     specifies 'unstable' as distribution.

   - This package does not rely on obsolete or about to be demoted packages.
     (The dependencies had recent updates and I could not find any open bug
     ticket that indicates a upcoming demotion)
   - This package has no python2 or GTK2 dependencies

   - The package will be installed by default, but does not ask debconf
     questions

   - Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/inetutils/tree/debian/control
   - There is still the complication that building/testing inetutils-telnet
     can fail because of other inetutils-* packages.

  [UI standards]
    - Application is not end-user facing (does not need translation)
    - End-user applications without desktop file, not needed because it is a
      command line tool for sysadmins

  [Dependencies]
   - No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
   - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
   - Owning Team will be Ubuntu Foundations
   - Ubuntu Foundations Bugs is already subscribed to the package

   - This does not use static builds
   - This does not use vendored code
   - This package is not rust based

  [Background information]
   - The Package description explains the package well
   - Debian transitioned its default `telnet` client from netkit-telnet to
     inetutils-telnet. This transition was postponed in Ubuntu for kinetic by
     having ubuntu-standard Recommend `netkit-telnet` instead of `telnet`.
     But now, netkit-telnet has been dropped altogether from Debian and
     process-removals is prompting us to also delete it from lunar.
     (See: https://packages.debian.org/bookworm/telnet)
   - other binary packages from this inetutils might be brought into main
     accidentally, or even intentionally but with limited oversight, in the future.
   - mixed main/universe is a foreign concept to users

  Seeded in lunar.standard as a replacement for netkit-telnet:
  https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/platform/commit/?h=lunar&id=349619dc49fdd0695c0bd7f9ae72f535809c2657

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/inetutils/+bug/2008789/+subscriptions