[MIR] libdeflate

Settings as triaged for libtiff so it's picked up by the proposed migration report

[Summary]
Some required TODO and checks to be done. If all those are addressed (mostly investigation), it would be a +1 from the MIR team POV.
However, as this library is parsing data, I think a security review would be needed once all the points below are solved.

Notes:
Required TODOs:
- Check if libtiff can use another compresssion library and if so, if there are strong intents to use deflate instead of that one.
- Investigate the patch disabling test issue (more info on the dedicated section below)
Recommended TODOs:
- Analyse the warnings during build situation (see dedicated section as well)

[Duplication]
libdeflate is expected to be a more efficient 9z compression library. I guess there is no way to use our existing compression library in libtiff, but can you ensure it?

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
 does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

Problems:
- does parse data formats for compressing/decompressing them. Will need a security review.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- does have a simple test that runs as autopkgtest
- The package will have a team bug subscriber
- no translation present, but none needed for this case?
- not a python/go package, no extra constraints to consider in that regard

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is quite complex but rather clean
- Does not have Built-Using

Problems:
- one distro patch is named "Simplify tests" while its only effect is removing a test. The name is misleading. The comment is also misleading "Don't run m32 tests on x86_64" while it’s removing it for all supported archs, without a rationale why disabling it.

[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Problems:
- quite a few warning during the build "profile count data file not found [-Wmissing-profile]". Those warning could potentially spread to all binaries using this build. Can you check with upstream about those?

Checking upstream and alternative solutions they don't seem to have any easy way to use instead something already in main, seeing the performance improvement it's probably worth to bring the new option in main despite that fact though.

The confusing patch issue has been reported to Debian now https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982383

The profile warning has been reported as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982384

[16:42] <cpaelzer> didrocks: it seems to wait for some actions that you identified on the review
[16:42] <cpaelzer> didrocks: should it maybe set to assigned to someone that is supposed to do them
[16:42] <didrocks> yes, I’m folllowing up on that one once the actions from seb are done

Ok, I would like to see the security review being done while seb is fetching some info on the disabled tests (investigating why they are disabled is a requirement before the MIR to be offically ACK).
The rest has been answered/fullfilled.

I reviewed libdeflate 1.7-1 as checked into hirsute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

libdeflate is a compression/decompression library for the Deflate
compression algorithm, along with associated command line tools. It is
written in C and does not provide any other language bindings.

- There does not appear to be any vulnerability history for libdeflate.
- The only odd build dependency is that it includes zlib1g-dev, but it
  appears to use this for test comparisons.
- No pre/post inst/rm scripts.
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- binaries in PATH:
  libdeflate-tools adds libdeflate-g{,un}zip to path.
- No sudo fragments.
- No polkit files.
- No udev rules.
- A set of unit tests that exercise aspects of the library interface
  are included, as well options for running under valgrind plus afl
  fuzzing support. The unit tests are run during the package build.
  There is one autopkgtest, a very simple limited smoke test.
- No cron jobs.
- Build logs:
  - Several "profile count data file not found [-Wmissing-profile]"
    compiler warnings as mentioned in the primary MIR review.

- No apparent processes spawned.
- Memory management is okay.
- For file I/O, the library expects users of the library to handle this.
  The wrapper tools provided look okay, containing file handling in
  a pair of helper functions.
- For logging, as a shared library it does not do any logging itself,
  again relying on calling programs to log. The logging by programs is
  to stderr and looks fine.
- The only environment variable usage is in test situations.
- The only use of privileged functions is by the tools to restore
  permissions/ownership on the newly compressed or uncompressed file.
- No use of cryptography / random number sources (srand() is used for
  test data generation).
- No use of temp files.
- No use of networking.
- No use of WebKit,
- No use of PolicyKit,

- No cppcheck findings, the only coverity issue in non-test code was
  that the return value for posix_fadvise() was not checked in the
  tools, not a severe issue.

Security team ACK for promoting libdeflate to main.

Reassigning to seb128 then while he is fetching the last required info before promoting it.

 ./change-override -c main -S power-profiles-daemon
Override component to main
power-profiles-daemon 0.1-1~fakesync2 in hirsute: universe/admin -> main
power-profiles-daemon 0.1-1~fakesync2 in hirsute amd64: universe/admin/optional/100% -> main
power-profiles-daemon 0.1-1~fakesync2 in hirsute arm64: universe/admin/optional/100% -> main
power-profiles-daemon 0.1-1~fakesync2 in hirsute armhf: universe/admin/optional/100% -> main
power-profiles-daemon 0.1-1~fakesync2 in hirsute ppc64el: universe/admin/optional/100% -> main
power-profiles-daemon 0.1-1~fakesync2 in hirsute riscv64: universe/admin/optional/100% -> main
power-profiles-daemon 0.1-1~fakesync2 in hirsute s390x: universe/admin/optional/100% -> main
Override [y|N]? y
7 publications overridden.

sorry, wrong tab…

since the Debian maintainer isn't responding I did upload a delta to Ubuntu to remove the controversial patch

LGTM, thanks for working on this! Acking the MIR then.

no bug subscriber yet ...

desktop subscribed now

$ ./change-override -c main -S libdeflate
Override component to main
libdeflate 1.7-1ubuntu1 in hirsute: universe/misc -> main
libdeflate-dev 1.7-1ubuntu1 in hirsute amd64: universe/libdevel/optional/100% -> main
libdeflate-dev 1.7-1ubuntu1 in hirsute arm64: universe/libdevel/optional/100% -> main
libdeflate-dev 1.7-1ubuntu1 in hirsute armhf: universe/libdevel/optional/100% -> main
libdeflate-dev 1.7-1ubuntu1 in hirsute i386: universe/libdevel/optional/100% -> main
libdeflate-dev 1.7-1ubuntu1 in hirsute ppc64el: universe/libdevel/optional/100% -> main
libdeflate-dev 1.7-1ubuntu1 in hirsute riscv64: universe/libdevel/optional/100% -> main
libdeflate-dev 1.7-1ubuntu1 in hirsute s390x: universe/libdevel/optional/100% -> main
libdeflate-tools 1.7-1ubuntu1 in hirsute amd64: universe/libdevel/optional/100% -> main
libdeflate-tools 1.7-1ubuntu1 in hirsute arm64: universe/libdevel/optional/100% -> main
libdeflate-tools 1.7-1ubuntu1 in hirsute armhf: universe/libdevel/optional/100% -> main
libdeflate-tools 1.7-1ubuntu1 in hirsute i386: universe/libdevel/optional/100% -> main
libdeflate-tools 1.7-1ubuntu1 in hirsute ppc64el: universe/libdevel/optional/100% -> main
libdeflate-tools 1.7-1ubuntu1 in hirsute riscv64: universe/libdevel/optional/100% -> main
libdeflate-tools 1.7-1ubuntu1 in hirsute s390x: universe/libdevel/optional/100% -> main
libdeflate0 1.7-1ubuntu1 in hirsute amd64: universe/libs/optional/100% -> main
libdeflate0 1.7-1ubuntu1 in hirsute arm64: universe/libs/optional/100% -> main
libdeflate0 1.7-1ubuntu1 in hirsute armhf: universe/libs/optional/100% -> main
libdeflate0 1.7-1ubuntu1 in hirsute i386: universe/libs/optional/100% -> main
libdeflate0 1.7-1ubuntu1 in hirsute ppc64el: universe/libs/optional/100% -> main
libdeflate0 1.7-1ubuntu1 in hirsute riscv64: universe/libs/optional/100% -> main
libdeflate0 1.7-1ubuntu1 in hirsute s390x: universe/libs/optional/100% -> main
Override [y|N]? y
22 publications overridden.