Release Notes for Ubuntu

Bug #1960864
Comment #7

Comment 7 for bug 1960864

Revision history for this message

Steve Beattie (sbeattie) wrote on 2022-03-08:

I reviewed plocate 1.1.15-1ubuntu2 as checked into jammy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

plocate is a locate implementation based on posting lists and io_uring,
intended as a drop-in replacement for mlocate.

- No CVE History.
- Build-Depends on liburing and libzstd
- The pre/post inst/rm scripts adds a plocate group, sets up
  alternatives to place it as the locate, and sets up the systemd timer.
  Things are cleaned up in the pre/post-rm scripts.
- No init scripts.
- One systemd timer and service to run updatedb
- No dbus services
- No setuid binaries, plocate binary is setgid.
- binaries in PATH: plocate, plocate-build, and updatedb.plocate
- No sudo fragments
- No polkit files
- No udev rules
- test
  - no unit or other build-time tests
  - autopkgtests: a basic test plus a more complex test that tests
    visibility across differing users.
- One cron job that exits immediately because systemd timers are available.
- No build warnings or errors, lintian with one minor warning:
  command-with-path-in-maintainer-script

- No processes spawned.
- Memory management is okay, generally uses C++ style
  allocations / deallocations.
- File IO is mostly performed on static names or parsed out of
  /proc/self/mountinfo. The exception is the db argument to plocate;
  however, if alternate db files are passed, a child process that drops
  privilege is forked to search the passed db file.
- Logging is mostly done by perror, and is done safely.
- Environment variable usage is okay.
- Privileged functions (setgid) are used to drop privs and are okay
  (returned errors are checked for).
- No use of cryptography / random number sources.
- Sole use of temp files in database-builder is okay, uses O_TMPFILE if
  available.
- No use of networking.
- No use of WebKit.
- No use of PolicyKit.

- No significant cppcheck results.
- No significant Coverity results, a couple of issues that could possibly
warrant further investigation. Recommend upstream project make use of
the public https://scan.coverity.com service.

Code generally feels modern and readable.

Security team ACK for promoting plocate to main.

I reviewed plocate 1.1.15-1ubuntu2 as checked into jammy.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

plocate is a locate implementation based on posting lists and io_uring,
intended as a drop-in replacement for mlocate.

- No significant cppcheck results.
- No significant Coverity results, a couple of issues that could possibly
  warrant further investigation. Recommend upstream project make use of
  the public https://scan.coverity.com service.

Code generally feels modern and readable.

Security team ACK for promoting plocate to main.