[SRU] Make add-nvidia-repositories available in jammy and noble

Bug #2089830 reported by Tomáš Virtus
Affects                            Status     Importance  Assigned to  Milestone
add-nvidia-repositories (Ubuntu)   Won't Fix  Undecided   Unassigned
  Jammy                            Won't Fix  Undecided   Unassigned
  Noble                            Won't Fix  Undecided   Unassigned

Bug Description

[ Impact ]

 * add-nvidia-repositories is a convenience tool for enabling NVIDIA repositories. It's targeted primarily at users who need to use NVIDIA CUDA and other libraries for artificial intelligence / machine learning / GPU compute tasks. It is our understanding that the majority of these users prefer to run on stable releases and hence access to this package would be beneficial for them. It is more convenient for Ubuntu users to enable NVIDIA repositories by running "sudo apt-get install add-nvidia-repositories && sudo add-nvidia-repositories" than by following the official instructions (https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#network-repo-installation-for-ubuntu).

[ Test Plan ]

 * This is a NEW package.

 * Scenario 1 (jammy/noble):

   1. Install the package with

      sudo apt-get install add-nvidia-repositories

      The package is available in plucky. You might install it from there.

   2. Run the tool

      sudo add-nvidia-repositories

   3. Verify that the command displays a warning and waits for user acknowledgment.

   4. Acknowledge the prompt by typing "Y" followed by Return

   5. Verify that the tool exited successfully by checking that $? variable is 0

   6. Verify that the cuda-toolkit package is available:

      $ apt show cuda-toolkit

      Package: cuda-toolkit
      Version: 12.6.3-1
      Priority: optional
      Section: multiverse/devel
      Maintainer: cudatools <email address hidden>
      Installed-Size: 9216 B
      Depends: cuda-toolkit-12-6 (>= 12.6.3)
      Download-Size: 2726 B
      APT-Sources: https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64 Packages
      Description: CUDA Toolkit meta-package
        Meta-package containing all the available toolkit packages related to native
        CUDA development. Contains the toolkit, samples, and documentation.
        This meta package will install CUDA Toolkit version 12.5
        and allows you to upgrade to next release.

 * Scenario 2 (jammy/noble):

   1. Do the step 1 from Scenario 1

   2. Run the tool in non-interactive mode

      sudo add-nvidia-repositories -y

   3. Verify that the command displays a warning and finishes successfully

   4. Do the step 6 from Scenario 1

 * Scenario 3 (jammy/noble):

   1. Do the step 1 from Scenario 1

   2. Display the tool help

      add-nvidia-repositories -h

   3. Verify that the usage and part of the warning are displayed, as in the output of step 3 in Scenario 1

[ Where problems could occur ]

 * This is a NEW package and therefore there's no potential for regression in this specific package.

 * The package only places a new executable at /usr/bin/add-nvidia-repositories

 * The package may appear as an additional package in available package lists, and some "security" scanners may report it as a change

 * The package installs a tool that must be run with superuser privileges and therefore bugs in it can have serious consequences. If there is a security bug and the tool is invoked with superuser privileges by accident or by tricking the system into it, the bug could be exploited.

[ Other Info ]

 * The tool is currently included in non-packaged form in some cloud images produced by https://launchpad.net/~cloud-images team. It has been tested on these clouds.

 * This (SRU backport) is only for LTS releases - currently Noble and Jammy.

summary: - [SRU] Make add-nvidia-repositories available in noble
+ [SRU] Make add-nvidia-repositories available in jammy and noble
description: updated
description: updated
Utkarsh Gupta (utkarsh)
description: updated
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

accepted, please test once it shows up in the archive

Changed in add-nvidia-repositories (Ubuntu):
status: New → Fix Released
Changed in add-nvidia-repositories (Ubuntu Jammy):
status: New → Fix Committed
Changed in add-nvidia-repositories (Ubuntu Noble):
status: New → Fix Committed
tags: added: verification-needed-jammy verification-needed-noble
Revision history for this message
Tomáš Virtus (virtustom) wrote :
tags: added: verification-done verification-done-jammy verification-done-noble
removed: verification-needed-jammy verification-needed-noble
tags: removed: verification-done
Revision history for this message
Tomáš Virtus (virtustom) wrote :

Hello Timo. I've performed the verification on jammy and noble by installing the package from proposed, then checking whether the package cuda-toolkit has NVIDIA maintainers, and then checking that there is an NVIDIA repository with policy 400.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm concerned about this bit in particular[1]:

  wget "$keyring_url" -O /tmp/cuda-keyring.deb
  dpkg -i /tmp/cuda-keyring.deb
  rm /tmp/cuda-keyring.deb

That's a classic predictable-name-in-tmp security issue.

1. https://git.launchpad.net/ubuntu/+source/add-nvidia-repositories/tree/add-nvidia-repositories#n112
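
The pattern Andreas flags above, and a hardened drop-in for it, as an added example that is not code from the add-nvidia-repositories package: the fixed path /tmp/cuda-keyring.deb is replaced by a private mktemp directory (unpredictable name, mode 0700, so no other local user can pre-create or swap the file between the download and dpkg -i), the .deb is checked against a pinned SHA-256 before dpkg sees it, and the directory is removed on every path. The FETCH argument is a hypothetical hook so the function can be exercised offline with cp instead of wget; KEYRING_URL and KEYRING_SHA256 are placeholders, and the real hash must come from the publisher.

```shell
# fetch_verified URL EXPECTED_SHA256 [FETCH]  -> prints the path of the verified file
#   FETCH is invoked as "$FETCH URL DEST"; the default wraps wget.
default_fetch() { wget -q -O "$2" "$1"; }

fetch_verified() {
    _url=$1 _expected=$2 _fetch=${3:-default_fetch}
    # Private scratch directory: random name, 0700, owned by the caller,
    # instead of a world-writable /tmp with a guessable file name.
    _dir=$(mktemp -d) || return 1
    _deb="$_dir/keyring.deb"
    if ! "$_fetch" "$_url" "$_deb"; then
        rm -rf "$_dir"
        return 1
    fi
    # TLS alone only says who served the file; the pinned digest says
    # whether it is the artifact we expected.
    _actual=$(sha256sum "$_deb" | cut -d' ' -f1)
    if [ "$_actual" != "$_expected" ]; then
        echo "checksum mismatch for $_url" >&2
        rm -rf "$_dir"
        return 2
    fi
    printf '%s\n' "$_deb"
}

# install_keyring_deb URL EXPECTED_SHA256: fetch, verify, install, clean up.
install_keyring_deb() {
    _path=$(fetch_verified "$1" "$2") || return $?
    dpkg -i "$_path"
    _rc=$?
    rm -rf "$(dirname "$_path")"
    return $_rc
}

# Placeholders (assumed values, not the real keyring location or digest):
KEYRING_URL="https://example.invalid/cuda-keyring.deb"
KEYRING_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
# Usage as root: install_keyring_deb "$KEYRING_URL" "$KEYRING_SHA256"
```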

Revision history for this message
Robie Basak (racb) wrote :

Can this functionality not be added to software-properties-common using add-apt-repository, instead of adding yet another package? We already have some "third party" repositories supported that way, for example the Canonical Cloud Archive.

Please do not SRU this until that question is resolved, since once in stable releases, especially LTSes, we'll be stuck with needing a backwards compatibility alias for a very long time if we choose to go that other path.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Ubuntu Security, please weigh in on this one

tags: added: block-proposed-jammy block-proposed-noble
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I strongly dislike this mechanism. We should strive to provide better guarantees of authenticity and origin than the TLS checks that wget probably does in this script.

I would much prefer if we were to mimic these other packages for packaging of key material:

- ubuntu-keyring
- ubuntu-dbgsym-keyring
- ubuntu-oem-keyring
- ubuntukylin-keyring
- debian-archive-keyring
- debian-ports-archive-keyring
- leap-archive-keyring
- ubuntu-cloud-keyring

.. and mimic these other packages for packaging of the APT configuration:

- oem-somerville-lapras-13-meta:
- oem-somerville-magmar-meta:
- oem-somerville-muk-meta:
...

Put another way, I think if this software is going to deviate so drastically from our existing norms, it needs to have a very compelling reason why it's different.

Thanks

Revision history for this message
Robie Basak (racb) wrote :

Thank you for the feedback! This bug is rapidly getting overloaded so I've filed separate bugs to track these:

Misuse of /tmp could result in root privilege escalation: bug 2100494
Poor guarantees of authenticity and origin: bug 2100495
Duplicates functionality of add-apt-repository: bug 2100496

These sorts of things really ought to be sorted in the development release *before* proceeding with an SRU, so I don't think the SRU should proceed with them further without resolving them first. Sorry if that's frustrating. I think it's worth considering carefully why these things weren't caught earlier at peer review stage before this code first landed into Plucky.

tags: added: verification-failed-jammy
removed: verification-done-jammy
tags: added: verification-failed-noble
removed: verification-done-noble
Revision history for this message
Tomáš Virtus (virtustom) wrote :

Hello everyone and thank you very much for the detailed feedback. I am going to pursue the path you recommended, that is, separate packages for keyrings and APT configuration. It definitely makes more sense than this script.

What should we do with the package in Plucky though?

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

We have a meeting about this issue next week to discuss details.

Revision history for this message
Andreas Hasenack (ahasenack) wrote : Proposed package removed from archive

The version of add-nvidia-repositories in the proposed pocket of Noble that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

Changed in add-nvidia-repositories (Ubuntu Noble):
status: Fix Committed → Confirmed
Revision history for this message
Robie Basak (racb) wrote :

> What should we do with the package in Plucky though?

Seems to me it should be removed unless there is a good reason to keep it. That will save the burden of maintaining a tool in a stable release if there is no long term intention to keep this specific mechanism (as opposed to a better integrated alternative).

Revision history for this message
Tomáš Virtus (virtustom) wrote :

I talked with Andreas and Seth and we reached a conclusion that if I fix all the reported bugs and maintain and verify checksums, it'd be worthwhile to have it in the archive. But I'm afraid it won't happen before the beta freeze. In which case, I think it should be removed for plucky.

Revision history for this message
Robie Basak (racb) wrote :

> ...if I fix all the reported bugs and maintain and verify checksums, it'd be worthwhile to have it in the archive

But why isn't this going to be inside add-apt-repository instead, then, which is bug 2100496?

Revision history for this message
Robie Basak (racb) wrote :

I filed removal bug 2103602.

Revision history for this message
Robie Basak (racb) wrote :

Also I think this needs removing from jammy-proposed?

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The version of add-nvidia-repositories in the proposed pocket of Jammy that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

Changed in add-nvidia-repositories (Ubuntu Jammy):
status: Fix Committed → Confirmed
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

> Also I think this needs removing from jammy-proposed?

Done. I wanted to wait 10 days so I could use:

  sru-remove --reason=failed -s jammy -p add-nvidia-repositories 2089830

:)

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The add-nvidia-repositories package was removed, see https://bugs.launchpad.net/ubuntu/+source/add-nvidia-repositories/+bug/2103602

Changed in add-nvidia-repositories (Ubuntu Noble):
status: Confirmed → Won't Fix
Changed in add-nvidia-repositories (Ubuntu Jammy):
status: Confirmed → Won't Fix
Changed in add-nvidia-repositories (Ubuntu):
status: Fix Released → Won't Fix