I reviewed plocate 1.1.15-1ubuntu2 as checked into jammy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
plocate is a locate implementation based on posting lists and io_uring,
intended as a drop-in replacement for mlocate.
- No CVE History.
- Build-Depends on liburing and libzstd
- The pre/post inst/rm scripts adds a plocate group, sets up
alternatives to place it as the locate, and sets up the systemd timer.
Things are cleaned up in the pre/post-rm scripts.
- No init scripts.
- One systemd timer and service to run updatedb
- No dbus services
- No setuid binaries, plocate binary is setgid.
- binaries in PATH: plocate, plocate-build, and updatedb.plocate
- No sudo fragments
- No polkit files
- No udev rules
- test
- no unit or other build-time tests
- autopkgtests: a basic test plus a more complex test that tests
visibility across differing users.
- One cron job that exits immediately because systemd timers are available.
- No build warnings or errors, lintian with one minor warning:
command-with-path-in-maintainer-script
- No processes spawned.
- Memory management is okay, generally uses C++ style
allocations / deallocations.
- File IO is mostly performed on static names or parsed out of
/proc/self/mountinfo. The exception is the db argument to plocate;
however, if alternate db files are passed, a child process that drops
privilege is forked to search the passed db file.
- Logging is mostly done by perror, and is done safely.
- Environment variable usage is okay.
- Privileged functions (setgid) are used to drop privs and are okay
(returned errors are checked for).
- No use of cryptography / random number sources.
- Sole use of temp files in database-builder is okay, uses O_TMPFILE if
available.
- No use of networking.
- No use of WebKit.
- No use of PolicyKit.
- No significant cppcheck results.
- No significant Coverity results, a couple of issues that could possibly
warrant further investigation. Recommend upstream project make use of
the public https://scan.coverity.com service.
I reviewed plocate 1.1.15-1ubuntu2 as checked into jammy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
plocate is a locate implementation based on posting lists and io_uring,
intended as a drop-in replacement for mlocate.
- No CVE History. with-path- in-maintainer- script
- Build-Depends on liburing and libzstd
- The pre/post inst/rm scripts adds a plocate group, sets up
alternatives to place it as the locate, and sets up the systemd timer.
Things are cleaned up in the pre/post-rm scripts.
- No init scripts.
- One systemd timer and service to run updatedb
- No dbus services
- No setuid binaries, plocate binary is setgid.
- binaries in PATH: plocate, plocate-build, and updatedb.plocate
- No sudo fragments
- No polkit files
- No udev rules
- test
- no unit or other build-time tests
- autopkgtests: a basic test plus a more complex test that tests
visibility across differing users.
- One cron job that exits immediately because systemd timers are available.
- No build warnings or errors, lintian with one minor warning:
command-
- No processes spawned. self/mountinfo. The exception is the db argument to plocate;
- Memory management is okay, generally uses C++ style
allocations / deallocations.
- File IO is mostly performed on static names or parsed out of
/proc/
however, if alternate db files are passed, a child process that drops
privilege is forked to search the passed db file.
- Logging is mostly done by perror, and is done safely.
- Environment variable usage is okay.
- Privileged functions (setgid) are used to drop privs and are okay
(returned errors are checked for).
- No use of cryptography / random number sources.
- Sole use of temp files in database-builder is okay, uses O_TMPFILE if
available.
- No use of networking.
- No use of WebKit.
- No use of PolicyKit.
- No significant cppcheck results. /scan.coverity. com service.
- No significant Coverity results, a couple of issues that could possibly
warrant further investigation. Recommend upstream project make use of
the public https:/
Code generally feels modern and readable.
Security team ACK for promoting plocate to main.