[Bug 1965115] Re: [MIR] nullboot

Christian Ehrhardt  1965115 at bugs.launchpad.net
Wed Feb 14 08:49:19 UTC 2024 

Thanks for everyone being involved, this is indeed ready for promotion to main.
Thanks for outlining current verification steps until there is automation.

There only is:
 nullboot | 0.5.0-0ubuntu1         | noble/universe           | source, amd64, arm64


Pulled in by Ubuntu.Noble supported-cloud seed

Override component to main
nullboot 0.5.0-0ubuntu1 in noble: universe/golang -> main
nullboot 0.5.0-0ubuntu1 in noble amd64: universe/golang/optional/100% -> main
nullboot 0.5.0-0ubuntu1 in noble arm64: universe/golang/optional/100% -> main
Override [y|N]? y
3 publications overridden.

** Changed in: nullboot (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nullboot in Ubuntu.
https://bugs.launchpad.net/bugs/1965115

Title:
  [MIR] nullboot

Status in nullboot package in Ubuntu:
  Fix Released

Bug description:
  [Availability]
  nullboot is available in jammy universe on amd64 and arm64, which are the only architectures we care about it for the foreseeable future

  It currently builds and works for architetcures: arm64

  Link to package https://launchpad.net/ubuntu/+source/nullboot

  [Rationale]
  nullboot is required for enabling a partner cloud offering with linux-azure-fde

  [Security]
  nullboot is a new software produced by Canonical. It produces a Go binary that measures boot binaries and does some sealing, to allow automatic full disk encryption. It only operates on trusted data (firmware data and kernels in /usr/lib/linux/efi).

  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Package does install a dpkg trigger on /usr/lib/linux/efi
  - Packages does not open privileged ports (ports < 1024)
  - Packages does not contain extensions to security-sensitive software

  [Quality assurance - function/usage]
  This package is not usable on its own, it needs a kernel.efi package to be installed such as linux-azure-fde. It requires a TPM.

  [Quality assurance - maintenance]
  Foundations maintains this software

  [Quality assurance - testing]
  The test suite run at build time covers about 80% of the code. The code was mostly developed using a test-driven development approach, including abstractions of file system and EFI variables to allow for extensive testing.

  ok      github.com/canonical/nullboot/efibootmgr        0.142s
  coverage: 81.6% of statements

  The same test suite is run as an autopkgtest. End-to-end testing
  should be done by consumers of nullboot such as linux-azure-fde, but
  is very involved as it needs to happen in a qemu with tpm setup and
  stuff, so it might not happen.

  [Quality assurance - packaging]
  Lintian is a bit overly protective, but

  W: nullboot-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/03/d7295826b5850df200032deca916f3d07a46ff.debug]
  W: nullboot: hardening-no-pie [usr/bin/nullbootctl]

  ^- Go toolchain worries

  W: nullboot: no-manual-page usr/bin/nullbootctl

  ^- maybe it would be nicer to have it live in usr/libexec, I don't
  know.

  W: nullboot: unknown-field Important
  W: nullboot: unknown-field Protected

  ^- these are to be expected.

  - Lintian overrides are not present
  - debian/watch is not present because it is anative package
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
    questions higher than medium (no questions, installed only on select cloud images)
  - Packaging and build is easy, https://github.com/canonical/nullboot/tree/ubuntu/main/debian

  [UI standards]
  - Application is not end-user facing (does not need translation)
  Application is not _exactly_ end user interfacing, and certainly does not have translations. It runs as part of triggers when select kernel packages are installed and might log some messages there.

  [Dependencies]
   - No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
  - This package violates Debian Policy, it vendorizes various Go libraries (in a orig-vendor.tar.gz)

  [Maintenance/Owner]
  - Owning Team will be Foundations
  - Team is not yet, but will subscribe to the package before promotion

  - The team Foundations is aware of the implications by a static build and
    commits to test no-change-rebuilds and to fix any issues found for the
  - The team Foundations is aware of the implications of vendored code and (as
    alerted by the security team) commits to provide updates to the security
    team for any affected vendored code for the lifetime of the release
    (including ESM).

  [Background information]
  The upstream nullboot project and packaging branches are located at https://github.com/canonical/nullboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nullboot/+bug/1965115/+subscriptions

More information about the foundations-bugs mailing list