[MIR] plocate

Review for Package: plocate

[Summary]
MIR team ACK, given the Required TODO is fixed, as it seems like a potential big issue to me.

Notes:
Required TODOs:
- The source package can include binary content in obj-x86_64-linux-gnu/. Those builds artefacts are included .exe and .o files. They are not present by default on the source package, but nothing prevents really to accidentally include them. I think it’s necessary to fix this and ensure we don’t embeed them in our source files, as those are arch-dependant, binary code results which would potentially override the one during the build due to a more recent timestamp.

[Duplication]
This is a replacement of mlocate in main which provided the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the (potentially auto-generated) dependencies (Depends
  and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

[Common blockers]
OK:
- does not FTBFS currently
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems:
- does not have a test suite that runs at build time. However, some autopkgtests are presents which covers then it.

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control
- symbols tracking not applicable for this kind of code.
- d/watch is not present, but not needed
- Upstream update history is good (upstream is debian)
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- The source package can include binary content in obj-x86_64-linux-gnu/. Those builds artefacts are included .exe and .o files. They are not present by default on the source package, but nothing prevents really to accidentally include them. I think it’s necessary to fix this and ensure we don’t embeed them in our source files, as those are arch-dependant, binary code results which would potentially override the one during the build due to a more recent timestamp.

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or...

I have created a bug [1], and provided a patch, to address the TODO regarding binary content in obj-x86_64-linux-gnu/.

[1] https://bugs.launchpad.net/ubuntu/+source/plocate/+bug/1961266

The Required TODO listed has been fixed in proposed; the bug is still open because the package won't migrate until the package has been promoted to main, to fix the component mismatch.

I'm therefore marking this bug 'fix committed' per my understanding of the MIR team's intent, to unblock that process.

Override component to main
plocate 1.1.15-1ubuntu2 in jammy: universe/misc -> main
mlocate 1.1.15-1ubuntu2 in jammy amd64: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy arm64: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy armhf: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy i386: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy ppc64el: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy riscv64: main/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy s390x: main/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy amd64: universe/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy arm64: universe/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy armhf: universe/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy ppc64el: universe/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy riscv64: universe/utils/optional/100% -> main
plocate 1.1.15-1ubuntu2 in jammy s390x: universe/utils/optional/100% -> main
mlocate 1.1.15-1ubuntu2 in jammy amd64 remained the same
mlocate 1.1.15-1ubuntu2 in jammy arm64 remained the same
mlocate 1.1.15-1ubuntu2 in jammy armhf remained the same
mlocate 1.1.15-1ubuntu2 in jammy i386 remained the same
mlocate 1.1.15-1ubuntu2 in jammy ppc64el remained the same
mlocate 1.1.15-1ubuntu2 in jammy riscv64 remained the same
mlocate 1.1.15-1ubuntu2 in jammy s390x remained the same
7 publications overridden; 7 publications remained the same.

Uptream informed us that the initial MIR description wrongly that there are no sgid binaries, but /usr/bin/plocate is sgid plocate.

I think this warrant then a security review.

@enr0n: do you need for this LTS release? If so, please target it to mention that to the security team.
If the security team doesn’t have the bandwidth to deal with it before beta, we will then need to revert this to the previous state, being mlocate.

Yes, we should have this for the LTS.

I reviewed plocate 1.1.15-1ubuntu2 as checked into jammy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

plocate is a locate implementation based on posting lists and io_uring,
intended as a drop-in replacement for mlocate.

- No CVE History.
- Build-Depends on liburing and libzstd
- The pre/post inst/rm scripts adds a plocate group, sets up
  alternatives to place it as the locate, and sets up the systemd timer.
  Things are cleaned up in the pre/post-rm scripts.
- No init scripts.
- One systemd timer and service to run updatedb
- No dbus services
- No setuid binaries, plocate binary is setgid.
- binaries in PATH: plocate, plocate-build, and updatedb.plocate
- No sudo fragments
- No polkit files
- No udev rules
- test
  - no unit or other build-time tests
  - autopkgtests: a basic test plus a more complex test that tests
    visibility across differing users.
- One cron job that exits immediately because systemd timers are available.
- No build warnings or errors, lintian with one minor warning:
  command-with-path-in-maintainer-script

- No processes spawned.
- Memory management is okay, generally uses C++ style
  allocations / deallocations.
- File IO is mostly performed on static names or parsed out of
  /proc/self/mountinfo. The exception is the db argument to plocate;
  however, if alternate db files are passed, a child process that drops
  privilege is forked to search the passed db file.
- Logging is mostly done by perror, and is done safely.
- Environment variable usage is okay.
- Privileged functions (setgid) are used to drop privs and are okay
  (returned errors are checked for).
- No use of cryptography / random number sources.
- Sole use of temp files in database-builder is okay, uses O_TMPFILE if
  available.
- No use of networking.
- No use of WebKit.
- No use of PolicyKit.

- No significant cppcheck results.
- No significant Coverity results, a couple of issues that could possibly
  warrant further investigation. Recommend upstream project make use of
  the public https://scan.coverity.com service.

Code generally feels modern and readable.

Security team ACK for promoting plocate to main.

Thank you Steve.

So we do not have to revert back to mlocate and I think we can mark this as "Fix Released" as the change already happened before we realized a security review is needed (see comment #4).

For the small but existing incompatibilities I think it would be great to have an entry in the release notes [1] about this. Added a bug task to reflect that.

[1]: https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668