Ubuntu
highway package

[MIR] highway

Bug #2070807 reported by Jeremy Bícha on 2024-06-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	highway (Ubuntu)	New	Undecided	Ubuntu Security Team

Bug Description

[Availability]
The package highway is already in Ubuntu universe.
The package highway build for the architectures it is designed to work on.
It currently builds and works for all Ubuntu architectures
Link to package https://launchpad.net/ubuntu/+source/highway

[Rationale]
- The package highway is required in Ubuntu main as a build and runtime dependency of jpeg-xl (LP: #2070882)
- The package highway will generally be useful for a large part of our user base
- The binary package libhwy1t64 needs to be in main to achieve JPEG XL support

- It would be great and useful to community/processes to have the package highway in Ubuntu main, but there is no definitive deadline.

[Security]
- No CVEs/security issues in this software in the past
- https://ubuntu.com/security/cve?package=highway
- https://security-tracker.debian.org/tracker/source-package/highway

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Packages do not install services, timers or recurring jobs
- Packages do not open privileged ports (ports < 1024).
- Packages do not expose any external endpoints
- Packages do not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/highway/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=highway
- Upstream's bug tracker https://github.com/google/highway/issues

- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, link to build log
https://launchpad.net/ubuntu/+source/highway/1.2.0-3ubuntu1

- The package runs an autopkgtest, and is currently passing on
this TBD list of architectures, link to test logs

https://autopkgtest.ubuntu.com/packages/highway

- The package does have not failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field

- Lintian overrides are present, but ok because this was affected by the t64 transition

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions

- Packaging and build is easy, link to debian/rules
https://salsa.debian.org/debian-phototools-team/highway/-/blob/master/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation or .desktop file)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be Ubuntu Desktop (~desktop-packages) and I have their acknowledgement for that commitment

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package has been built within the last 3 months in the archive
- Build link on launchpad:
https://launchpad.net/ubuntu/+source/highway/1.2.0-3ubuntu1

[Background information]
- The Package description explains the package well
- Upstream Name is highway
- Link to upstream project https://github.com/google/highway

See original description

Tags:

Revision history for this message

Jeremy Bícha (jbicha) wrote on 2024-06-26:

Lintian output:

I: libhwy1t64: symbols-file-missing-build-depends-package-field libhwy.so.1 [symbols]
I: libhwy1t64: symbols-file-missing-build-depends-package-field libhwy_contrib.so.1 [symbols]
I: libhwy1t64: symbols-file-missing-build-depends-package-field libhwy_test.so.1 [symbols]
P: highway source: package-does-not-install-examples [hwy/examples/]
P: highway source: package-uses-old-debhelper-compat-version 11
P: highway source: uses-debhelper-compat-file [debian/compat]
O: libhwy1t64: package-name-doesnt-match-sonames libhwy-contrib1 libhwy-test1 libhwy1

Forwarded fixes to Debian:
https://salsa.debian.org/debian-phototools-team/highway/-/merge_requests/2
https://salsa.debian.org/debian-phototools-team/highway/-/merge_requests/3

Jeremy Bícha (jbicha) on 2024-06-26

Changed in highway (Ubuntu):
status:	New → Incomplete
description:	updated

Jeremy Bícha (jbicha) on 2024-06-26

description:

updated

Jeremy Bícha (jbicha) on 2024-06-27

description:

updated

Jeremy Bícha (jbicha) on 2024-06-27

description:	updated
description:	updated

Revision history for this message

Jeremy Bícha (jbicha) wrote on 2024-07-02:

I'm setting to Incomplete because I haven't added a basic autopkgtest here yet.

Changed in highway (Ubuntu):
assignee:	nobody → Jeremy Bícha (jbicha)
description:	updated

Revision history for this message

Jeremy Bícha (jbicha) wrote on 2024-07-16:

Nathan added an autopkgtest today. We'll update the bug description once we confirm whether the autopkgtests are passing on Ubuntu architecture.

Changed in highway (Ubuntu):
status:	Incomplete → New
assignee:	Jeremy Bícha (jbicha) → nobody
description:	updated

Christian Ehrhardt  (paelzer) on 2024-07-16

Changed in highway (Ubuntu):
assignee:	nobody → Lukas Märdian (slyon)

Revision history for this message

Lukas Märdian (slyon) wrote on 2024-07-23:

Download full text (4.5 KiB)

Review for Source Package: highway

[Summary]
highway (libhwy) is a SIMD optimization library, implementing algorithms for
efficient, parallel operations in multiple domains, such as image processing,
compression, video analysis, sorting, cryptography... It is well maintained and
well tested. A primary usecase is its usage in jpeg-xl (libjxl).

MIR team ACK

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: libhwy1t64
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
#0 - This looks good overall on security topics, but it can be used for
acceleration of cryptographic operations, so I rather like to have the
security team skim through it.

Required TODOs: <None>

Recommended TODOs:
#1 - The package should get a team bug subscriber before being promoted
#2 - consider improving the .symbols file, "symbols-file-contains-debian-revision"
     => see "Packaging red flags" below
#3 - Please fix the autopkgtest on armhf (but I consider this normal
     proposed-migration, i.e. ongoing maintenance work by the owning team,
     therefore non-blocking for the MIR)

[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
- A team is committed to own long term maintenance of this package.
- The rationale given in the report seems valid and useful for Ubuntu

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems:
- Some additional software in hwy/contrib/, but seems to be part of the upstream
project, e.g. see: https://opensource.googleblog.com/2022/06/Vectorized%20and%20performance%20portable%20Quicksort.html

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats from an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- makes appropriate use of established risk mitigation features

Problems:
- can deal with cryptography SIMD acceleration

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon er...

Review for Source Package: highway

MIR team ACK

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: libhwy1t64
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
#0 - This looks good overall on security topics, but it can be used for
     acceleration of cryptographic operations, so I rather like to have the
     security team skim through it.

Required TODOs: <None>

Problems: None

Problems:
- Some additional software in hwy/contrib/, but seems to be part of the upstream
  project, e.g. see: https://opensource.googleblog.com/2022/06/Vectorized%20and%20performance%20portable%20Quicksort.html

Problems:
- can deal with cryptography SIMD acceleration

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency

Problems:
- autopkgtest failure on armhf

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control (Closes: #1076436)
- symbols tracking is in place.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- lintian warning about https://udd.debian.org/lintian-tag.cgi?tag=symbols-file-contains-debian-revision
  => consider improving the .symbols file, https://wiki.debian.org/UsingSymbolsFiles#C.2B-.2B-_libraries

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems: None

Changed in highway (Ubuntu):
assignee:	Lukas Märdian (slyon) → Ubuntu Security Team (ubuntu-security)

Seth Arnold (seth-arnold) on 2024-07-23

tags:

added: sec-4768

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuhighway package

[MIR] highway

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
highway package