[Bug 2051850] Re: [MIR] trace-cmd

Nick Rosbrook 2051850 at bugs.launchpad.net
Mon Apr 8 13:47:47 UTC 2024 

I uploaded trace-cmd with some new autopkgtests. The trace-utest tests
are not done at build time because these require root, or at least the
ability to read /sys/kernel/tracing/. Hence, unfortunately we cannot
reasonably add build-time tests right now.

The autopkgtests I added are looking good[1], except for infra issues on
amd64, and it looks like I will need to do a quick follow-up to make
trace-utest skippable so it does not run on armhf.

[1] https://autopkgtest.ubuntu.com/packages/trace-cmd

** Changed in: trace-cmd (Ubuntu)
       Status: Fix Released => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to trace-cmd in Ubuntu.
https://bugs.launchpad.net/bugs/2051850

Title:
  [MIR] trace-cmd

Status in trace-cmd package in Ubuntu:
  In Progress

Bug description:
  [Availability]
  The package trace-cmd is already in Ubuntu universe (Debian sync)
  The package trace-cmd build for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/trace-cmd

  [Rationale]
  - The package trace-cmd is required in Ubuntu main to help improve the experience of performance engineers working with Ubuntu
  - The package trace-cmd will not generally be useful for a large part of our user base, but is helpful still because it will help enhance application developer experience while trying to find performance gain.
  - There is no other/better way to solve this that is already in main or should go universe->main instead of this.
  - The package trace-cmd is required in Ubuntu main no later than Feb 29 2024 (Feature Freeze) due to the will to have performance/tracing tools in Noble (LTS).

  [Security]
  - No CVEs/security issues in this software in the past. But one bug regarding a buffer overflow was found (see LP: #1955129) but not clearly identified as CVE/security bug.
  - No `suid` or `sgid` binaries
  - No executable in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs.
  - Based on some quick tests, it looks like running trace-cmd is only making sense if run as root.
  - Package can open privileged ports (ports < 1024) to listen for incoming connections to receive traces.
  - I did not notice any use of apparmor/seccomp or any feature that could help mitigate an exploitation.
  - Based on the previous elements, a more in-depth security review might be recommended.
  - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
     not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/trace-cmd/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=trace-cmd
    - Upstream's bug tracker https://bugzilla.kernel.org/buglist.cgi?component=Trace-cmd%2FKernelshark
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package does have a test suite but it is not run at build time. I will submit a patch to do so.
  - The package runs an autopkgtest, but is a "superficial" one. It is currently passing on amd64, arm64, ppc64el, s390x:
    - https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/amd64/t/trace-cmd/20240117_073638_c1c31@/log.gz
    - https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/arm64/t/trace-cmd/20240119_054257_84abe@/log.gz
    - https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/ppc64el/t/trace-cmd/20240117_070636_bdbfa@/log.gz
    - https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/s390x/t/trace-cmd/20240117_070802_84abe@/log.gz
  - The package does have failing autopkgtests for armhf tests right now, but it seems they always failed. A quick look at the error (Permission denied) suggest it might be fixable.

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - The package is planned to be installed by default, but does not ask debconf questions
  - Packaging and build is easy https://git.launchpad.net/ubuntu/+source/trace-cmd/tree/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - There are further dependencies that are not yet in main, MIR for them will follow:
    - https://bugs.launchpad.net/ubuntu/+source/libtraceevent/+bug/2051916
    - https://bugs.launchpad.net/ubuntu/+source/libtracefs/+bug/2051925

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - The owning team will be Foundations and I have their acknowledgement for that commitment
  - The future owning team is not yet subscribed, but will subscribe to the package before promotion
  - The current bug subscriber (~chasedouglas) does not seem to be active anymore. Should we replace them by someone else?
  - This does not use static builds
  - This does not use vendored code
  - The package was test rebuilt in a PPA recently https://launchpadlibrarian.net/712030593/buildlog_ubuntu-noble-amd64.trace-cmd_3.2-1build1_BUILDING.txt.gz

  [Background information]
  The Package description explains the package well.
  Upstream Name is trace-cmd
  Link to upstream project https://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/trace-cmd/+bug/2051850/+subscriptions

More information about the foundations-bugs mailing list