[Bug 1108935] Re: [MIR] websockify, spice-html5

Christian Ehrhardt  1108935 at bugs.launchpad.net
Fri Apr 5 07:51:13 UTC 2019


[Duplication]
- no such function in main

[Embedded sources and static linking]
There is plenty of js code, but that is the actual program.
None of it seems to be an embedded copy, but as Seth already mentioned IMHO javascript experts are rare within Ubuntu so be sure when you own the package to be willing and able to support it.

- no static linking
- no golang


[Security]
There are numerous spice CVEs https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spice
As well as https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=html5
Which makes it hard to search for spice-html5, but I found none and Seth has given security Ack already.
Does not
- runs a daemon as root
- uses webkit1,2
- uses lib*v8 directly
- opens a port
- uses centralized online accounts
- integrates arbitrary javascript into the desktop
- deals with system authentication (eg, pam, etc)

It does to some extent (as it is one side of a spice protocol connection):
- parses data formats
- processes arbitrary web content

[Common blockers]
- this does not actually build, so no FTBFS
- Unfortunately it has no test suite to run.
- openstack team is already subscribed
- not a python package

Not so good:
It has user visible messages in browser, but I found no translation.
The project just isn't that far evolved

[Packaging red flags]
- no Ubuntu delta
- no lib -> no symbols tracking
- watch file present
- Lintian is happy except usual non critical warnings
- d/rules is very clean (no real build)
- no golang, so no extra considerations for that

Not so good:
As outlined in comment #24 this seems to be potentially not meant for production level.
But that is the decision of the team owning it to maintain it still (or consider alternatives).

Also the current version is 0.2.1 and we only have 1.7, but that is
fairly recent so that is more a "please update" for 19.10 then.

[Upstream red flags]
- overall it seems a bit incomplete, I asked about that in comment #24 but JamesPage said it is ok for their needs.
- malloc/sprintf / sudo all doesn't really apply as it is JS code that runs in the browsers sandboxed mode
- there are open bugs and slow responses to them, but none critical for us
- no Dependency on webkit, qtwebkit, seed or libgoa-*

Not so good:
This is essentially a copy of the code without any checks.
If upstream adds even syntax errors we won't spot it.
I know JS isn't built, but maybe we could replace the build with a syntax checker and/or other validation tools then?

[Summary]
This seems ok from the MIR team's POV in general.
There is a bit of a low quality expectation due to upstream considering themselves still only a prototype.
I'm somewhat afraid this will be pulled in only because it "should (tm)" work with websockify.
On my security concerns you have already Seth's Ack (who also wasn't too happy), so I'm not challenging that too much.
We just agreed on IRC to punt spice to next cycle:
[09:31] <jamespage> cpaelzer: lets push the spice-html5 to next cycle - sounds like we need to re-review anyway

You have an ACK from the MIR team under a bunch of constraints outlined
below which you should resolve before this can go into 19.10 then:

To ensure a base level (requirement for the ack)
- sit someone down for a day installing that for real
- use it with Openstack
- (try to) use it without openstack as well
- is it really providing what you want/need?
TODO => State on the bug the result of your testing!
- check all the general Spice CVEs if any apply to this JS based code (might just not be tracked against spice-html5 but apply)
TODO => State on the bug the result of your CVE check per CVE why they do not apply!
- update to 0.2.x
TODO => Then feel free to set it to "in progress" to reflect that it is approved.

To make it even better (optional)
- add JS checker as build replacement
- add some self-tests
- add autopkgtest based on your experiments above


** Changed in: spice-html5 (Ubuntu)
     Assignee: Christian Ehrhardt  (paelzer) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to websockify in Ubuntu.
https://bugs.launchpad.net/bugs/1108935

Title:
  [MIR] websockify, spice-html5

Status in nova package in Ubuntu:
  Fix Released
Status in spice-html5 package in Ubuntu:
  Confirmed
Status in websockify package in Ubuntu:
  Fix Committed

Bug description:
  > websockify

  Availability: Currently in universe

  Rationale: Dependency for nova console access

  Security: No security history.

  Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
  Unit tests are run for py2 and py3 as part of the package build.

  Standards Compliance: FHS and Debian Policy compliant.

  Maintenance: Simple python package that the Ubuntu OpenStack Team will
  take care of.

  Dependencies: All are in main

  > spice-html5

  Availability: Currently in universe

  Rationale: Dependency for nova console access

  Security: No security history.

  Quality Assurance: Package works out of the box with no prompting.
  There are no major bugs in Ubuntu and there are no major bugs in Debian.
  No unit tests in the package AFAICT - html + javascript gluecode.

  Standards Compliance: FHS and Debian Policy compliant.

  Maintenance: Simple python package that the Ubuntu OpenStack Team will
  take care of.

  Dependencies: All are in main apart from websockify.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1108935/+subscriptions


