[MIR] thin-provisioning-tools
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
thin-provisioning-tools (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
[Availability]
The package is available in eoan universe (https:/
[Rationale]
The package is useful as a Recommends of lvm2, which is in main. See bug #1657646, where confusion arises because it's possible to create thin pools without this package, but not activate them because a binary called thin_check is needed, and that is only available in thin-provisioni
[Security]
There are no CVE hits on mitre.
Query for "site:www.
Ubuntu CVE tracker is empty. I also searched for "lvm" in main and universe.
No suid executables.
No services are installed.
[Quality assurance]
No debconf questions.
LVM2 tools use the new thin provisioning tools without further configuration.
There are no open Ubuntu bugs.
One very old (2014) open bug in debian: https:/
Upstream URL seems incorrect in d/control:
https:/
New upstream seems to be https:/
I verified the release tarball from Debian and its hash matches the tarball downloaded from the above github repo.
Upstream issues: https:/
Upstream PRs: https:/
Upstream release cadence: https:/
I don't see critical bugs opened upstream or in debian.
Debian package tracker: https:/
- packaging could use some love and be updated. Standards is old, no manpage for the specific tool that is provided, url in d/control should be updated
- updates in debian seem frequent enough. Debian just doesn't have the latest 0.8 tree yet, but is up-to-date in the 0.7 one.
Test suite is run at package build time, and there are no DEP8 tests.
There is no d/watch file.
Lintian output confirms the packaging could use some love:
$ lintian -I --pedantic
P: thin-provisioni
P: thin-provisioni
W: thin-provisioni
W: thin-provisioni
P: thin-provisioni
P: thin-provisioni
W: thin-provisioni
I: thin-provisioni
I: thin-provisioni
W: thin-provisioni
W: thin-provisioni
W: thin-provisioni
W: thin-provisioni
I: thin-provisioni
I: thin-provisioni
I: thin-provisioni
I: thin-provisioni
W: thin-provisioni
There are two build-dependencies from Universe, but they are used only for the test suite:
libgtest-dev,
google-mock,
I confirmed this by rebuilding the package with DEB_BUILD_
No python2 or other deprecated build-deps.
[UI standards]
There is no i18n support.
[Dependencies]
All runtime dependencies are in main. There are build dependencies that are in universe, but these are used for the test suite only.
[Standards compliance]
d/rules is very simple
The packaging overall could use some modernization, see lintian output in an earlier section. Not too hard to update (watch file, d/control updates, standards-version).
File placement in terms of FHS is fine.
[Maintenance]
TBD who will maintain this package.
[Background information]
None at this time.
description: updated
Changed in thin-provisioning-tools (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → Christian Ehrhardt (paelzer)
tags: added: id-5ccc50675baa0c05bc322dce
Changed in thin-provisioning-tools (Ubuntu):
status: New → In Progress
Thanks for the thorough pre-check and report, Andreas.
Here is my MIR review:
[Summary]
The package seems reasonably maintained and also ok in general.
The only security exposure that came up is that it is read/writing data formats.
That alone would not yet make it very security sensitive.
But the fact that this is used - if at all - in more enterprise-y contexts
makes that data write/read important.
I think the general rule applies here to be on the side of caution - therefore
I'd ask for a security review of it.
While that is going on:
1. please sort out the future Team subscriber as well.
Even if subscribing late, please state here who it will be once known.
2. Personally I don't need d/watch files too much, but the process requires it.
Please could you check to get a d/watch file added against the github
project?
--- Detail ---
[Duplication]
There is no duplicate function in the Archive
[Embedded sources and static linking]
OK are:
- no embedded sources
- no static linking
- no golang
[Security]
OK are:
- no history of CVEs
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not run a daemon as root
- does not open a port
Although it:
- does parse data formats (mostly read/write on disk metadata)
[Common blockers]
OK are:
- no FTBFS currently
- test suite runs at build time
- no python code to check
Although it:
- does not yet have a team bug subscriber
Before this can be completed someone has to step up, given that LVM2 is
Foundations and the last uploads/modifications as well I assume they will
take it.
But that has to happen before promotion.
[Packaging red flags]
OK are:
- Ubuntu has a Delta for a Ubuntu specific (as needed) build error (ok)
- no libraries shipped
- update history is not the most active one but seems ok
- Debian maintenance is a bit unclear (see description), but active enough
- no MOTU only case
- Lintian warnings are a lot (cleanup would be nice), but no critical ones
- d/rules is rather clean
- not using Built-Using
- no golang
Although it:
- does not have a watch file
- the current release is not yet packaged, but that is just 3 weeks old
(ok for now)
[Upstream red flags]
- a few "may be used uninitialized" and "suggest explicit braces" warnings,
but no error
use of malloc/sprintf seems ok
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user "nobody"
- no setuid
- no known critical bugs
- there is one data corruption upstream, but badly filed and lacking info
- no Dependency on webkit, qtwebkit, seed or libgoa-*
- no Embedded source copies
- not part of the scope for the Unity Dash and its privacy settings