[MIR] google-guest-agent
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| gce-compute-image-packages (Ubuntu) | Invalid | Undecided | Unassigned | |
| google-guest-agent (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
[Availability]
Google-guest-agent is in universe and only depends on packages provided in main or by the source package itself. The package is new in Groovy, but it replaces part of old gce-compute-
[Rationale]
This package is included on the GCE images and the Ubuntu Foundations team has been supporting it as such. We'd like to get it included in main as that's the right thing to do.
[Security]
This is a new package, and as such has no security history to speak of. Since it will be installed on every Ubuntu system in GCE and performs system configuration and network communication as well, a security review is warranted; thus I'm subscribing the Security Team.
[Quality assurance]
There are currently 0 open bug reports (excluding this one) about the package and the Ubuntu Foundations team (foundations-bugs) is subscribed to bugs about the package.
The package build runs the build-time testsuite.
Packaging is minimal. There is an ongoing discussion about configuration file handling started in https:/
[Dependencies]
All binary dependencies are from main or come from the source package itself.
Per the Golang policy exception, Go build dependencies must also be in main.
Golang build dependency chain with MIR bugs:
google-guest-agent:
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-
golang-google-api
golang-
golang-
golang-
golang-google-grpc
golang-
golang-goprotobuf (main)
golang-
[Standards compliance]
Conforms to Debian Policy 4.5.0
[Maintenance]
The Ubuntu Foundations Team will continue to maintain the package as they have been doing.
[Background information]
The split of the old gce-compute-
[Summary]
- All dependencies should be filed as MIR (and their dependencies).
- Would be nice to have the services more confined via systemd.
- Once done and dependencies are ACKed, this is fine by me, but will need a security review.
[Duplication]
OK:
Nothing to add over the top request as it’s a code split.
[Dependencies]
- github-go-ini-ini-dev binary and source package is in universe
- github-golang-groupcache-dev binary and source package is in universe
- github-kardianos-service-dev binary and source package is in universe
- github-tarm-serial-dev binary and source package is in universe
- github-gcp-guest-logging-go-dev does not exist (pure virtual?)
- google-cloud-dev binary and source package is in universe
- google-grpc-dev binary and source package is in universe
- goprotobuf-dev binary and source package is in universe
TO BE FIXED:
Most of build-deps are in universe:
* golang-
* golang-
* golang-
* golang-
* golang-
* golang-
* golang-
* golang-
Contrary to other languages, those need to be in main even if they are build dependencies. Indeed, the static linking nature of Go will make the code embedded and executed, and so the main package rules apply to them.
I only checked one level deep; you should attach to this MIR any dependencies of those dependencies, ofc.
[Embedded sources and static linking]
OK:
- no embedded source present
- statically links Go packages, as is the nature of the code.
[Security]
OK:
- no CVEs, but really fresh new package.
- does not use webkit2,2
- does not use lib*v9 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)
- does not open a port directly (but will communicate through opened port via sane and zeroconf subscription)
Problems:
- multiple services running as root: can they be confined via systemd directives? Needs a security review
- communicates with external services: Needs a security review
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time (good size)
- test suite failures will fail the build.
- no translation on CLI tool (but this is only a debugging discover command, common to not have them here). Messages returned to Sane are translated though.
- not a python package, no extra constraints to consider in that regard
- use of dh_golang
- Team subscription is OK
TO FIX:
- debian/copyright is wrong: copyright holder should be Copyright: 2017-2020 Google Inc from source headers
[Packaging red flags]
OK:
- Ubuntu only package
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Ubuntu update history is good, but short
- Upstream is active, but without release. Note that d/watch is pointing correctly to fetch a version. However, the project is seeing fewer changes for the past months (only small fixes), so the lack of release isn’t much of an issue for stable code.
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no lintian issue
- d/rules is clean and minimal
- d/control standard f...