[MIR] thin-provisioning-tools

Bug #1828887 reported by Andreas Hasenack
Affects: thin-provisioning-tools (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

[Availability]
The package is available in eoan universe (https://launchpad.net/ubuntu/+source/thin-provisioning-tools/0.7.6-2.1ubuntu1) and builds for amd64, arm64, armhf, i386, ppc64el, s390x.

[Rationale]
The package is useful as a Recommends of lvm2, which is in main. See bug #1657646, where confusion arises because it's possible to create thin pools without this package, but not activate them because a binary called thin_check is needed, and that is only available in thin-provisioning-tools. See https://bugs.launchpad.net/ubuntu/+source/lvm2/+bug/1657646/comments/13 and, for a similar case involving cache pools, https://bugs.launchpad.net/ubuntu/+source/lvm2/+bug/1657646/comments/21.

[Security]
There are no CVE hits on mitre.

Query for "site:www.openwall.com/lists/oss-security thin-provisioning-tools" is empty.

Ubuntu CVE tracker is empty. I also searched for "lvm" in main and universe.

No suid executables.

No services are installed.

[Quality assurance]
No debconf questions.

LVM2 tools use the new thin provisioning tools without further configuration.

There are no open Ubuntu bugs.

One very old (2014) open bug in debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749328

Upstream URL seems incorrect in d/control:
https://gitlab.com/debian-lvm/thin-provisioning-tools is a 404 nowadays

New upstream seems to be https://github.com/jthornber/thin-provisioning-tools

I verified the release tarball from Debian and its hash matches the tarball downloaded from the above github repo.

Upstream issues: https://github.com/jthornber/thin-provisioning-tools/issues
Upstream PRs: https://github.com/jthornber/thin-provisioning-tools/pulls
Upstream release cadence: https://github.com/jthornber/thin-provisioning-tools/releases

I don't see critical bugs opened upstream or in debian.

Debian package tracker: https://tracker.debian.org/pkg/thin-provisioning-tools
- packaging could use some love and be updated. Standards is old, no manpage for the specific tool that is provided, url in d/control should be updated
- updates in debian seem frequent enough. Debian just doesn't have the latest 0.8 tree yet, but is up-to-date in the 0.7 one.

Test suite is run at package build time, and there are no DEP8 tests.

There is no d/watch file.

Lintian output confirms the packaging could use some love:
$ lintian -I --pedantic
P: thin-provisioning-tools source: file-contains-trailing-whitespace debian/changelog (line 145)
P: thin-provisioning-tools source: package-uses-old-debhelper-compat-version 10
W: thin-provisioning-tools source: package-needs-versioned-debhelper-build-depends 10
W: thin-provisioning-tools source: useless-autoreconf-build-depends dh-autoreconf
P: thin-provisioning-tools source: no-homepage-field
P: thin-provisioning-tools source: insecure-copyright-format-uri http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
W: thin-provisioning-tools source: ancient-standards-version 3.9.5 (released 2013-10-28) (current is 4.3.0)
I: thin-provisioning-tools source: testsuite-autopkgtest-missing
I: thin-provisioning-tools source: debian-watch-file-is-missing
W: thin-provisioning-tools: manpage-has-errors-from-man usr/share/man/man8/cache_check.8.gz 1: warning: macro '"' not defined
W: thin-provisioning-tools: manpage-has-errors-from-man usr/share/man/man8/cache_dump.8.gz 1: warning: macro '"' not defined
W: thin-provisioning-tools: manpage-has-errors-from-man usr/share/man/man8/cache_metadata_size.8.gz 1: warning: macro '"' not defined
W: thin-provisioning-tools: manpage-has-errors-from-man ... use --no-tag-display-limit to see all (or pipe to a file/program)
I: thin-provisioning-tools: spelling-error-in-manpage usr/share/man/man8/era_dump.8.gz formated formatted
I: thin-provisioning-tools: spelling-error-in-manpage usr/share/man/man8/era_dump.8.gz writeing writing
I: thin-provisioning-tools: spelling-error-in-manpage usr/share/man/man8/thin_dump.8.gz formated formatted
I: thin-provisioning-tools: spelling-error-in-manpage ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: thin-provisioning-tools: binary-without-manpage usr/sbin/pdata_tools

There are two build-dependencies from Universe, but they are used only for the test suite:
 libgtest-dev,
 google-mock,
I confirmed this by rebuilding the package with DEB_BUILD_OPTIONS=nocheck and removing these build-deps, and the package built fine with the same Depends as the copy from the archive.

No python2 or other deprecated build-deps.

[UI standards]
There is no i18n support.

[Dependencies]
All runtime dependencies are in main. There are build dependencies that are in universe, but these are used for the test suite only.

[Standards compliance]
d/rules is very simple
The packaging overall could use some modernization, see lintian output in an earlier section. Not too hard to update (watch file, d/control updates, standards-version).
File placement in terms of FHS is fine.

[Maintenance]
TBD who will maintain this package.

[Background information]
None at this time.

description: updated
Changed in thin-provisioning-tools (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → Christian Ehrhardt (paelzer)
Christian Ehrhardt (paelzer) wrote :

Thanks for the thorough pre-check and report Andreas.

Here my MIR review:

[Summary]
The package seems reasonably maintained and also ok in general.
The only security exposure that came up is that it is reading/writing data formats.
That alone would not yet make it very security sensitive.
But the fact that this is used - if at all - in a more enterprise-y context
makes that data write/read important.
I think the general rule applies here to be on the side of caution - therefore
I'd ask for a security review of it.

While that is going on:
1. please sort out the future Team subscriber as well.
   Even if subscribing late, please state here who it will be once known.

2. Personally I don't need d/watch files too much, but the process requires it.
   Please could you check to get a d/watch file added against the github
   project?

--- Detail ---

[Duplication]
There is no duplicate function in the Archive

[Embedded sources and static linking]
OK are:
- no embedded sources
- no static linking
- no golang

[Security]
OK are:
- no history of CVEs
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not run a daemon as root
- does not open a port

Although it
- does parse data formats (mostly read/write on disk metadata)

[Common blockers]
OK are:
- no FTBFS currently
- test suite runs at build time
- no python code to check

Although it:
- does not yet have a team bug subscriber
  Before this can be completed someone has to step up, given that LVM2 is
  Foundations and the last uploads/modifications as well I assume they will
  take it.
  But that has to happen before promotion.

[Packaging red flags]
OK are:
- Ubuntu has a Delta for an Ubuntu-specific (as needed) build error (ok)
- no libraries shipped
- update history is not the most active one but seems ok
  - Debian maintenance is a bit unclear (see description), but active enough
- no MOTU only case
- Lintian warnings are a lot (cleanup would be nice), but no critical ones
- d/rules is rather clean
- not using Built-Using
- no golang

Although it:
- does not have a watch file
- the current release is not yet packaged, but that is just 3 weeks old
  (ok for now)

[Upstream red flags]
- a few "may be used uninitialized" and "suggest explicit braces" warnings,
  but no error
- use of malloc/sprintf seems ok
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user "nobody"
- no setuid
- no known critical bugs
  - there is one data corruption upstream, but badly filed and lack of info
- no Dependency on webkit, qtwebkit, seed or libgoa-*
- no Embedded source copies
- not part of the scope for the Unity Dash and its privacy settings

Changed in thin-provisioning-tools (Ubuntu):
assignee: Christian Ehrhardt (paelzer) → Ubuntu Security Team (ubuntu-security)
Andreas Hasenack (ahasenack) wrote :

PR for the watch file on salsa: https://salsa.debian.org/lvm-team/thin-provisioning-tools/merge_requests/1

Salsa is a bit behind Debian even, as the last upload was an NMU FTBFS fix.

Joshua Powers (powersj) wrote :

ubuntu-server is now subscribed to bugs

tags: added: id-5ccc50675baa0c05bc322dce
Steve Beattie (sbeattie) wrote :

I reviewed thin-provisioning-tools 0.7.6-2.1ubuntu1 as checked
into eoan. This shouldn't be considered a full audit but rather a
quick gauge of maintainability.

thin-provisioning-tools is a set of tools for managing meta-data for
the Linux kernel's device-mapper thin target. It is not entirely clear
what the threat model is here, in that this is a series of command line
tools to manage thin dm volumes, and is expected to be run by an
administrator (no setuid, no calls to sudo). Orchestration tools that might
wrap thin-provisioning-tools would want to take care to sanitize input
that is eventually passed on to these tools, but that is out of the
scope of this audit.

- CVE History: No CVEs found.
- thin-provisioning-tools build depends on libaio-dev, libexpat1-dev,
  and libboost-dev
  - libexpat1 is both good and bad, as it has had a less than
    stellar security history, but is better than rolling one's own
    XML implementation.
- pre/post inst/rm scripts?
  - The postinst triggers update-initramfs. There is no postrm,
    so it does not do this, but it probably should.
- No init scripts or systemd units.
- No dbus services.
- No setuid binaries.
- thin-provisioning-tools provides one primary binary
  /usr/sbin/pdata_tools that is invoked in different ways by symlinked
  entries in /usr/sbin. Man pages are provided for every symlink.
- No sudo fragments.
- No udev rules.
- Unit tests are run during the build. It's unclear how much coverage
  this provides, but it's a non-trivial amount.
- No autopkgtests are performed. Functional tests are provided in the
  upstream, but not used by autopkgtests. This is likely due to
  dependencies on chezscheme (in archive) and thunderchez (not
  packaged); the latter could possibly be vendor packaged, as the
  functional tests run successfully if they are available
  (with CHEZSCHEMELIBDIRS="PATH/TO/thunderchez/:$PWD/functional-tests" make test)
  These tests may or may not be able to run at build time, but for sure
  in an autopkgtest environment. Unclear how much coverage is provided,
  but they do at least minimally appear to exercise all of the command
  variations.
- No cron jobs.
- Build logs:
  - Some dh provided configure options ignored
  - 3 compiler warnings issued, 1 potential uninitialized value, and two
    warnings about explicitly using braces to avoid ambiguous ‘else’
    situations. Mostly clean build.
  - No lintian failures, no significant lintian warnings, mostly just
    indications of lack of packager(s) attention.
- Does not appear to spawn external processes (except for debugging
  and in testsuites).
- Memory management is generally performed okay. Error values returned
  by copying/writing operations are not always checked.
- For file handling, generally, the tools take the dm device to
  operate on as a command line argument.
  - Configuration information for import is in an XML format.
  - One possible issue is that the file_utils::open_file() which
    underlies the block file open/creation interface defaults to
    mode 0666 without any way to override it.
- Generally uses cout for logging output errors.
- No use of environment variables.
- Only privileged function used is ioctl,...

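As an added example (not code from thin-provisioning-tools, nor from the reviewer above), the following C++ shows the two defensive patterns the review touches on: an open helper that takes an explicit creation mode instead of a fixed 0666, and a write helper that checks every return value, including short writes, fsync and close. Note that the mode passed to open(2) is still masked by the process umask, so a hard-coded 0666 yields a world-readable 0644 file under the common 022 umask and a world-writable file under umask 000; an explicit owner-only mode bounds the result regardless of the caller's umask. The function names, the temp file path and the XML-like payload are constructed for this example.

```cpp
// Added example (not thin-provisioning-tools code): explicit-mode file creation
// plus fully error-checked writes for on-disk metadata.
#include <cerrno>
#include <cstdio>
#include <cstring>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Open (or create) a metadata file. The caller chooses the creation mode;
// the default is owner-only so a permissive umask cannot expose freshly
// created metadata to other users. (Hypothetical helper, not the project's API.)
int open_metadata_file(const std::string &path, bool create, mode_t mode = 0600) {
    int flags = O_RDWR | O_CLOEXEC;
    if (create) flags |= O_CREAT | O_EXCL;  // O_EXCL: never reuse a pre-existing file or symlink
    return ::open(path.c_str(), flags, mode);  // -1 with errno set on failure
}

// Write the whole buffer, retrying on EINTR and short writes; false on any error.
bool write_all(int fd, const void *buf, size_t len) {
    const char *p = static_cast<const char *>(buf);
    while (len > 0) {
        ssize_t n = ::write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return false;
        }
        if (n == 0) return false;  // no progress: fail instead of spinning
        p += n;
        len -= static_cast<size_t>(n);
    }
    return true;
}

// Permission bits (rwx for user/group/other) of a path, or -1 on failure.
int permission_bits(const std::string &path) {
    struct stat st;
    if (::stat(path.c_str(), &st) != 0) return -1;
    return static_cast<int>(st.st_mode & 0777);
}

// Create a constructed metadata file under the given umask and write a sample
// payload with full error checking. Returns the resulting permission bits,
// or -1 if any step failed (the partial file is removed in that case).
int demo_create_and_write(const std::string &path, mode_t umask_value) {
    mode_t old = ::umask(umask_value);
    ::unlink(path.c_str());  // start clean; the path is a constructed temp location
    int fd = open_metadata_file(path, true);  // explicit default mode 0600
    ::umask(old);
    if (fd < 0) return -1;
    const char payload[] = "<superblock uuid=\"constructed-example\"/>\n";  // constructed sample
    bool ok = write_all(fd, payload, sizeof(payload) - 1);
    if (::fsync(fd) != 0) ok = false;  // durability failures are failures
    if (::close(fd) != 0) ok = false;  // close can report deferred I/O errors
    if (!ok) {
        ::unlink(path.c_str());
        return -1;
    }
    return permission_bits(path);
}

int main() {
    const std::string path = "/tmp/tpt_example_metadata.bin";  // constructed path
    // umask 000 would leave a 0666-created file world-writable; with an explicit
    // 0600 the file is owner-only regardless of the umask.
    int bits = demo_create_and_write(path, 0000);
    std::printf("created %s with mode %04o\n", path.c_str(), bits);
    ::unlink(path.c_str());
    return bits == 0600 ? 0 : 1;
}
```

The same pattern applies to the read side: a fixed mode on a metadata file the tools create is only as restrictive as the administrator's umask, so an explicit, caller-controlled mode is the simplest way to keep pool metadata from becoming readable or writable by unprivileged local users.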

Changed in thin-provisioning-tools (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in thin-provisioning-tools (Ubuntu):
status: New → In Progress
Christian Ehrhardt (paelzer) wrote :

Ok, after first migrating to -release without showing up at all it is now showing up in component mismatches correctly.
Since the MIR (here) is approved I'm just waiting for an AA to resolve that.

Matthias Klose (doko) wrote :

Override component to main
thin-provisioning-tools 0.7.6-2.1ubuntu1 in eoan: universe/misc -> main
thin-provisioning-tools 0.7.6-2.1ubuntu1 in eoan amd64: universe/admin/optional/100% -> main
thin-provisioning-tools 0.7.6-2.1ubuntu1 in eoan arm64: universe/admin/optional/100% -> main
thin-provisioning-tools 0.7.6-2.1ubuntu1 in eoan armhf: universe/admin/optional/100% -> main
thin-provisioning-tools 0.7.6-2.1ubuntu1 in eoan i386: universe/admin/optional/100% -> main
thin-provisioning-tools 0.7.6-2.1ubuntu1 in eoan ppc64el: universe/admin/optional/100% -> main
thin-provisioning-tools 0.7.6-2.1ubuntu1 in eoan s390x: universe/admin/optional/100% -> main
7 publications overridden.

Changed in thin-provisioning-tools (Ubuntu):
status: In Progress → Fix Released