[MIR] circle of friends

Bug #1157732 reported by Ken VanDine
Affects                             Status        Importance  Assigned to  Milestone
accounts-qml-module (Ubuntu)        Fix Released  Undecided   Unassigned
friends (Ubuntu)                    Fix Released  Undecided   Unassigned
libfriends (Ubuntu)                 Fix Released  Undecided   Unassigned
qml-friends (Ubuntu)                Fix Released  Undecided   Unassigned
qtdeclarative-opensource-src (Ubuntu)  Fix Released  Undecided   Unassigned
qtjsbackend-opensource-src (Ubuntu)    Fix Released  Undecided   Unassigned
qtxmlpatterns-opensource-src (Ubuntu)  Fix Released  Undecided   Unassigned
ubuntu-ui-toolkit (Ubuntu)          Fix Released  Undecided   Unassigned
unity-lens-friends (Ubuntu)         Fix Released  Undecided   Unassigned

Bug Description

Availability: in universe: amd64, i386, armhf, powerpc

Rationale: The Ubuntu SDK (ubuntu-ui-toolkit), qml-friends and accounts-qml-module are required for the latest version of Gwibber which has an approved FFe bug 1156979
We are replacing gwibber-service with friends, libgwibber with libfriends, and unity-lens-gwibber with unity-lens-friends, all as part of the same FFe bug.

Security: No known security history.

Dependencies: friends, libfriends, unity-lens-friends, ubuntu-ui-toolkit, all in universe. ubuntu-ui-toolkit depends on qtdeclarative-opensource-src, qtjsbackend-opensource-src and qtxmlpatterns-opensource-src, also available in universe.

Maintenance: The maintainers of the Qt5 packages for Ubuntu have been preparing the packages for Debian as well, ensuring they are compatible. Hopefully, in the future we'll be able to just sync from Debian. The ubuntu-ui-toolkit is maintained by the SDK team and accounts-qml-module is maintained by the online-accounts team, both with full-time developers. The friends packages are maintained by the desktop team.

summary: - [MIR] qml-friends
+ [MIR] friends and friends
summary: - [MIR] friends and friends
+ [MIR] circle of friends
Michael Terry (mterry) wrote :

unity-lens-friends is approved. Looks fine, small clean package, respects the scope privacy setting. Would like to see a bug subscriber, but not a blocker.

Changed in unity-lens-friends (Ubuntu):
status: New → Fix Committed
Michael Terry (mterry) wrote :

ubuntu-ui-toolkit is not quite approved. It has a dep-wait on powerpc. Can that be looked into?

Besides that, it looks fine. It's mostly example code and metapackages. Even has tests being run, which is nice. Could use a bug-subscriber, but not a blocker.

Changed in ubuntu-ui-toolkit (Ubuntu):
status: New → Incomplete
Michael Terry (mterry) wrote :

qtxmlpatterns-opensource-src has two problems. One is that it has a test suite, but it doesn't seem to be run during build. The other is that it rolls its own XML parser for some reason, so will need a security audit.

Would be nice to see a bug subscriber, but not a blocker. Assigning to security team for next step.

Changed in qtxmlpatterns-opensource-src (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: New → Incomplete
Ken VanDine (ken-vandine) wrote :

Upstream qtjsbackend doesn't support powerpc, so I updated the arch to only build on supported architectures.

Michael Terry (mterry) wrote :

ubuntu-ui-toolkit is approved now. Ken uploaded a new version that just drops powerpc support, since the jsbackend code doesn't support it anyway.

Changed in ubuntu-ui-toolkit (Ubuntu):
status: Incomplete → Fix Committed
Michael Terry (mterry) wrote :

qml-friends is ftbfs on powerpc because of the same issue as the ubuntu-ui-toolkit. Please drop the powerpc arch.

Otherwise, it looks good. Even has a bug subscriber already. Would be nice to see some tests, but not a blocker.

Changed in qml-friends (Ubuntu):
status: New → Incomplete
Michael Terry (mterry) wrote :

qtjsbackend-opensource-src has the same two problems that xmlpatterns had. It has a test suite, but it doesn't seem to be run during build. And it needs a security audit (or at least, I want security team to tell me it doesn't need one -- javascript engines strike me as a security concern).

Would be nice to see a bug subscriber, but not a blocker. Assigning to security team for next step.

Changed in qtjsbackend-opensource-src (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: New → Incomplete
Ken VanDine (ken-vandine) wrote :

qml-friends has tests, just not in a branch that has landed in raring yet. That will land in the next daily release run. I also updated the arch.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in accounts-qml-module (Ubuntu):
status: New → Confirmed
Changed in friends (Ubuntu):
status: New → Confirmed
Changed in libfriends (Ubuntu):
status: New → Confirmed
Changed in qtdeclarative-opensource-src (Ubuntu):
status: New → Confirmed
Michael Terry (mterry) wrote :

libfriends is approved. Has symbols files and tests and a bug subscriber, oh my! I will notice that one of the authors is a mysterious "Ken VaDine". Would be good to see if he's still attached to the project.

There are some valac warnings during build, but they don't seem serious.

Changed in libfriends (Ubuntu):
status: Confirmed → Fix Committed
Michael Terry (mterry) wrote :

friends is sorta OK. It has two build systems in it (autotools and setup.py)! But it has nice tests for the python3 parts and seems well packaged. Has a bug subscriber.

However, there are four crash bugs that I can see in Ubuntu, which is a lot for a package that only exists in raring. Can you give a sense for how bad the crashers are?

Changed in friends (Ubuntu):
status: Confirmed → Incomplete
Michael Terry (mterry) wrote :

accounts-qml-module is approved. Could use a bug subscriber. Has tests, clean build and packaging. Needs a missing Pre-Depends line, but Ken is taking care of that.

Changed in accounts-qml-module (Ubuntu):
status: Confirmed → Fix Committed
Michael Terry (mterry) wrote :

qtdeclarative-opensource-src looks mostly good. I'd like to see bug 1126208 (run tests) and bug 1125156 (bad .pc files) addressed first though. Could use a bug subscriber.

Changed in qtdeclarative-opensource-src (Ubuntu):
status: Confirmed → Incomplete
Robert Bruce Park (robru) wrote :

Mike, just had a look at the bugs listed against friends. None of them are actually "crashers" per se, as our dbus-activation architecture allows the python to just restart itself as necessary (so these don't actually have any impact at all on the usability of frontends like gwibber).

Further, one of them I've already pushed a fix for, one I suspect we recently fixed by accident due to some unrelated changes, and the other one is a segfault, which indicates that it's a bug in gvariant rather than in my python code (although a workaround may be possible in python, so I'll need to investigate a bit more). So please don't block on those, should be good to go.

Michael Terry (mterry) wrote :

qml-friends now has tests and dropped powerpc. Approved.

Changed in friends (Ubuntu):
status: Incomplete → Fix Committed
Changed in qml-friends (Ubuntu):
status: Incomplete → Fix Committed
Ken VanDine (ken-vandine) wrote :

I experimented with enabling the tests in qtdeclarative5 using xvfb-run, but the tests run qmlscene which seems to require GLX.

Changed in qtxmlpatterns-opensource-src (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Jamie Strandboge (jdstrand)
Changed in qtjsbackend-opensource-src (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

NAK. I stopped the security audit as soon as I saw that qtjsbackend-opensource-src contains an embedded copy of the Google V8 JavaScript engine (i.e., libv8). The version that is embedded is 3.11.4 from last May. libv8 in the archive already has no one maintaining it and it's older than what's in qtjsbackend-opensource-src, so switching to it wouldn't help (it has 13 open CVEs against it). There are currently 5 open CVEs against the version that is in qtjsbackend-opensource-src right now:
 CVE-2012-5120
 CVE-2012-5128
 CVE-2012-5153
 CVE-2013-0836
 CVE-2013-2632

Furthermore, qtjsbackend-opensource-src's own README file has instructions on updating the embedded v8: "In the likely case of conflicts, follow the git instructions about continuing the patch application process after resolving the conflicts." This probably explains why libv8 hasn't been updated upstream. I also looked at fixes and they will require significant backporting.

Between the 5 open CVEs in qtjsbackend-opensource-src now, upstream's reluctance to keep it up to date, a lack of a suitable in-archive alternative in libv8, the complexity of maintaining a JavaScript engine without upstream support, and its security history, I believe qtjsbackend-opensource-src is unsupportable currently.

Changed in qtjsbackend-opensource-src (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Incomplete → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Has lots of embedded copies in src/3rdparty, but the build doesn't show them as being built. It is a little scary though, because there is all kinds of sensitive stuff like webkit, freetype, libjpeg, libpng, etc. There is also a lot of code that isn't compiled in src/*. I didn't try, but it really seems like only src/xmlpatterns is compiled. In light of that, xmlpatterns is actually already supported via qt4-x11. This is just a version bump, so it doesn't need a full security audit.

That said, conditional ACK provided we try to clean up the source tarball to remove all that extra stuff, so we don't accidentally end up with an embedded copy that gets compiled and later could have a security vulnerability.

Changed in qtxmlpatterns-opensource-src (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Ken VanDine (ken-vandine)
status: Incomplete → In Progress
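The check described in the comment above (list what is bundled under src/3rdparty, then ask whether the build files actually reference it), as an added example that is not code from the bug report or from the Qt project. It assumes qmake .pro/.pri/.prf build files and runs against a constructed sample tree, not real Qt source.

```python
"""Heuristic audit for embedded third-party copies in a source tree.
Added example, not code from the bug report or from Qt: it models the check
in the review comment above (list src/3rdparty, ask whether build files refer
to it). Assumes qmake .pro/.pri/.prf build files; the sample tree is
constructed in a temp dir and is not real Qt source.
"""
import re
import tempfile
from pathlib import Path

BUILD_FILE_SUFFIXES = {".pro", ".pri", ".prf"}


def find_embedded_copies(root: Path) -> list[str]:
    """List each directory directly under any '3rdparty' dir, relative to root."""
    found = []
    for third_party in root.rglob("3rdparty"):
        if not third_party.is_dir():
            continue
        for child in sorted(third_party.iterdir()):
            if child.is_dir():
                found.append(str(child.relative_to(root)))
    return found


def referenced_in_build(root: Path, embedded: list[str]) -> dict[str, list[str]]:
    """Map each embedded copy to the build files that mention its directory."""
    refs = {name: [] for name in embedded}
    for build_file in root.rglob("*"):
        if not build_file.is_file() or build_file.suffix not in BUILD_FILE_SUFFIXES:
            continue
        text = build_file.read_text(errors="replace")
        for name in embedded:
            # Match the leaf name as a path component, e.g. "3rdparty/zlib/zlib.pri".
            pattern = r"3rdparty/" + re.escape(Path(name).name) + r"\b"
            if re.search(pattern, text):
                refs[name].append(str(build_file.relative_to(root)))
    return refs


def audit(root: Path) -> dict[str, list[str]]:
    """Split copies into compiled (referenced) and dormant (cleanup candidates)."""
    refs = referenced_in_build(root, find_embedded_copies(root))
    return {
        "compiled": sorted(n for n, files in refs.items() if files),
        "dormant": sorted(n for n, files in refs.items() if not files),
    }


def build_sample_tree() -> Path:
    """Constructed fixture with the layout the report describes (not real Qt)."""
    root = Path(tempfile.mkdtemp(prefix="mir-audit-"))
    for name in ("webkit", "freetype", "libjpeg", "libpng", "zlib"):
        (root / "src" / "3rdparty" / name).mkdir(parents=True)
    (root / "src" / "xmlpatterns").mkdir()
    (root / "src" / "src.pro").write_text("TEMPLATE = subdirs\nSUBDIRS += xmlpatterns\n")
    (root / "src" / "xmlpatterns" / "xmlpatterns.pro").write_text(
        "TARGET = QtXmlPatterns\ninclude(../3rdparty/zlib/zlib.pri)\n")
    return root


if __name__ == "__main__":
    result = audit(build_sample_tree())
    print("compiled:", result["compiled"], "dormant:", result["dormant"])
```

A "dormant" hit is not proof that the code is unused (CMake or hand-written Makefiles would be missed), so treat the list as the set of directories to confirm and strip from the tarball, not as a verdict.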
Jamie Strandboge (jdstrand) wrote :

FYI, to be clear, regarding qtjsbackend-opensource-src, if this package is strategic, I'm open to it being added to the archive provided someone states that Canonical will invest resources in its maintenance or providing a plan on its maintenance.

Jamie Strandboge (jdstrand) wrote :

By "to the archive" I meant to say "Canonical-supported", sorry.

Jamie Strandboge (jdstrand) wrote :

To summarize more discussions on IRC, this is essentially the same problem as with webkit and the solution for V8 is likely the same as for webkit. We discussed this at vUDS in https://blueprints.launchpad.net/ubuntu/+spec/client-1303-webkit-maintenance and we need a long term maintenance story.

In the short term, if someone brought qtjsbackend-opensource-src up to date/fixed the CVEs and then committed to supporting v8 as embedded in qtjsbackend-opensource-src in the short term until the proper maintenance story is in place, then qtjsbackend-opensource-src could go to main.

Jamie Strandboge (jdstrand) wrote :

Based on conversations with others, it seems like we may be able to compromise on qtjsbackend-opensource-src inclusion, provided some conditions are met. Marking as 'In Progress' for now. Others and/or I will comment later with more details.

Changed in qtjsbackend-opensource-src (Ubuntu):
status: Won't Fix → In Progress
Jamie Strandboge (jdstrand) wrote :

Talked with various stakeholders and bzoltan is going to be looking at updating qtjsbackend in a manner that is supportable for 13.04.

Changed in qtjsbackend-opensource-src (Ubuntu):
assignee: nobody → Zoltan Balogh (bzoltan)
Adam Conrad (adconrad) wrote :

Override component to main

Changed in unity-lens-friends (Ubuntu):
status: Fix Committed → Fix Released
Changed in friends (Ubuntu):
status: Fix Committed → Fix Released
Changed in libfriends (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

After investigations and discussions with the various stakeholders (thanks Chris Coulson and Zoltan Balogh :), it was found that qtjsbackend is *only* used by QML. QML applications are written in JavaScript and therefore a JavaScript engine is needed to execute QML applications. V8 is the current choice of upstream and V8 is used to execute QML applications. QtWebKit's JavaScriptCore (JSC) engine is used by QtWebKit and any webkit widgets in QML applications, not V8. qtjsbackend is not exposed to unfiltered web content and therefore qtjsbackend can be promoted as is and we do not need a separate maintenance story for it. ACK

(Note: while a developer could theoretically write a QML application to subvert V8, it doesn't break a privilege boundary -- that developer could more easily write the app to do what he wants directly.)

Jamie Strandboge (jdstrand) wrote :

Please feel free to adjust any Depends on qtjsbackend for promotion to main. I will adjust the MIR processes to watch out for anything that tries to use qtjsbackend directly.

Changed in qtjsbackend-opensource-src (Ubuntu):
assignee: Zoltan Balogh (bzoltan) → nobody
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Note in comment #21 it was qtxmlpatterns-opensource-src that I gave a conditional ACK.

Ken VanDine (ken-vandine) wrote :

The latest qtxmlpatterns-opensource-src source doesn't have src/3rdparty, updated status based on the previous conditional ACK.

Changed in qtxmlpatterns-opensource-src (Ubuntu):
assignee: Ken VanDine (ken-vandine) → nobody
status: In Progress → Fix Committed
Michael Terry (mterry) wrote :

Regarding qtdeclarative, I've talked to Ken. He says he's spent a couple of days on figuring out the tests, and it is not going to be easy to enable them, even partially.

Given that qtdeclarative is necessary for several things about to land, and given the difficulty of fixing the tests, I'll approve for now. I've targeted bug 1126208 for 13.08 and assigned it to the desktop-team.

Since qtdeclarative is so central to a lot of work we're doing for 13.10, it would really be super nice if those tests were even partially enabled. I think it's worth more time to investigate.

Changed in qtdeclarative-opensource-src (Ubuntu):
status: Incomplete → Fix Committed
Colin Watson (cjwatson) wrote :

Moved qtxmlpatterns-opensource-src to main.

Changed in qtxmlpatterns-opensource-src (Ubuntu):
status: Fix Committed → Fix Released
Colin Watson (cjwatson) wrote :

Moved qtdeclarative-opensource-src and qtjsbackend-opensource-src to main.

Changed in qtdeclarative-opensource-src (Ubuntu):
status: Fix Committed → Fix Released
Changed in qtjsbackend-opensource-src (Ubuntu):
status: Fix Committed → Fix Released
Michael Terry (mterry) wrote :

BTW, when ubuntu-ui-toolkit is promoted, we can just keep ubuntu-ui-toolkit-examples in universe. It pulls in qtmultimedia, which would be easier to keep in universe than approve.

Didier Roche-Tolomelli (didrocks) wrote :
Changed in ubuntu-ui-toolkit (Ubuntu):
status: Fix Committed → Fix Released
Matthias Klose (doko) wrote :

Override component to main
10 publications overridden.

Changed in accounts-qml-module (Ubuntu):
status: Fix Committed → Fix Released
Jeremy Bícha (jbicha) wrote :

Closing old bug task.

Changed in qml-friends (Ubuntu):
status: Fix Committed → Fix Released