[MIR] brotli

Bug #1737053 reported by Jeremy Bicha on 2017-12-07
Affects: brotli (Ubuntu). Importance: Low. Assigned to: Unassigned.

Bug Description

Availability
============
Built for all supported architectures. In sync with Debian.

Rationale
=========
brotli is a file compression format and library developed and maintained by Google. brotli is required by the WOFF 2.0 format for compressed web fonts. brotli and woff2 are libraries that are technically already in main because they are bundled in Firefox and webkit2gtk.

The next major stable release of webkit2gtk, 2.20, will be released in March. It drops those 2 bundled libraries. I think our options are basically
1) Bundle those libraries anyway, or
2) Approve this MIR, or
3) Drop support for the WOFF2 format in webkit2gtk

Security
========
brotli is a security-sensitive library.

There was one security bug fixed recently for xenial (LP: #1737364)

https://security-tracker.debian.org/tracker/source-package/brotli
https://launchpad.net/ubuntu/+source/brotli/+cve

Quality assurance
=================
- Ubuntu Desktop Bugs is subscribed.
- dh_auto_test runs upstream build tests. Test failure would fail the build.
- New autopkgtests pass on all arches:
http://autopkgtest.ubuntu.com/packages/b/brotli
https://ci.debian.net/packages/b/brotli/

https://bugs.launchpad.net/ubuntu/+source/brotli
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=brotli
https://github.com/google/brotli/issues

Dependencies
============
No universe binary dependencies

Standards compliance
====================
4.1.1, debhelper compat 10, dh7 simple rules

Maintenance
===========
Actively maintained:
https://github.com/google/brotli

Not team maintained in Debian.
https://tracker.debian.org/pkg/brotli

Other Info
==========
webkit2gtk is managed similar to Firefox and Chromium. So far, new releases are pushed to Ubuntu 16.04 LTS and newer as security updates, but the Ubuntu Security Team does not guarantee security support for webkit2gtk.

The woff2 MIR is LP: #1742743

We are going to need to backport brotli and woff2 into main as security updates for 16.04 LTS and 17.10. The new version of brotli adds new binary packages (in particular, the C library needed by woff2 and webkit2gtk).

brotli has no reverse dependencies in 16.04 and 17.10. (fonttools is a reverse-dependency in 18.04.)

brotli has a bizarre build system.

Jeremy Bicha (jbicha) on 2017-12-07
description: updated
tags: added: bionic
description: updated
Jeremy Bicha (jbicha) on 2017-12-08
description: updated
Jeremy Bicha (jbicha) on 2017-12-09
description: updated
Jeremy Bicha (jbicha) on 2018-01-11
description: updated
Didier Roche (didrocks) wrote :

* you need to subscribe desktop-packages
* debian/copyright references a directory that doesn't exist:
Files: appveyor/*
* not a big fan of debian/rules either with the 2 build pass, but it seems there isn't any alternative

Otherwise, the rest looks good to me.

I'm deferring for a security review to the security team.

Changed in brotli (Ubuntu):
assignee: nobody → Canonical Security Team (canonical-security)
Didier Roche (didrocks) wrote :

Ah, and bonus point for --fail-missing :)

Jeremy Bicha (jbicha) wrote :

Desktop Packages is subscribed now.

I forwarded the other 2 issues to Debian.
https://bugs.debian.org/888947
https://bugs.debian.org/888950

Jeremy Bicha (jbicha) on 2018-02-06
description: updated
Emily Ratliff (emilyr) on 2018-02-20
Changed in brotli (Ubuntu):
assignee: Canonical Security Team (canonical-security) → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote :

I reviewed brotli version 1.0.2-3 as checked into bionic. This should not
be considered a full security audit but rather a quick gauge of
maintainability.

- brotli is a compression tool, both a library and command line
  application

- There are two CVEs, perhaps only one fault, for use in Chrome and
  Firefox. This is both a benefit (loads of people hammer these two
  projects endlessly) and a risk (getting fixes for CVEs out of these
  projects is extremely difficult).

- Build-Depends: cmake, debhelper, dh-python, python, python-dev,
  python-setuptools, python3, python3-dev, python3-setuptools

- Does not daemonize
- Does not itself do networking
- Automatically generated pre/post rm/inst scripts
- No init scripts
- No systemd files
- No DBus services
- No setuid files
- 'brotli' executable in PATH
- No sudo fragments
- No udev rules
- A large-feeling test suite is run during the build
- No cron jobs
- Clean build logs

- No subprocesses spawned
- Careful memory management
- Most file IO under control of callers; .bro file extension code looked
  careful
- Clean logging
- No environment variable use
- Very limited privileged operations use; chmod() followed by two chown()
  calls. Perhaps there's a weakness here as these repeatedly operate on
  filenames rather than using fchmod(), fchown() on a single file
  descriptor.
- No cryptography
- No networking
- No privileged portions of code
- No temporary files
- No webkit
- No policykit
- No javascript
- cppcheck is not as clean as it could be, but reflects common C idiom.

Brotli is very dense, highly domain-specific code. It may have algorithmic
flaws that are very difficult to spot on a cursory read; that said, calls
almost universally have error checking, and the comments are tasteful. We
will need to rely upon upstream for maintenance help but the software
itself looks professionally programmed.

Security team ACK for promoting brotli to main.

Thanks

Changed in brotli (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
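The chmod()/chown() remark in the review above concerns calls that resolve a path name again each time. The following C program is an added example written for this page, not code from brotli or its packaging: it places the path-based shape beside a descriptor-based one that creates the output once and applies fchmod()/fchown() to that same descriptor. The file paths under /tmp and the sample payload are constructed for the demo.

```c
/* Added example for this page, not code from brotli: restoring an input
 * file's permissions and ownership on a freshly written output file.
 * copy_metadata_by_path() is the path-based shape the review flags;
 * write_with_metadata_fd() is the descriptor-based alternative it suggests.
 * Paths and payload below are constructed for the demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Path-based: each call looks the name up again, so the file that ends up
 * with the new mode or owner is whatever that name points to at that instant,
 * not necessarily the one just written (a time-of-check/time-of-use gap). */
int copy_metadata_by_path(const char *in_path, const char *out_path) {
    struct stat st;
    if (stat(in_path, &st) != 0) return -1;
    if (chmod(out_path, st.st_mode & 07777) != 0) return -1;
    if (chown(out_path, st.st_uid, (gid_t)-1) != 0) return -1;
    if (chown(out_path, (uid_t)-1, st.st_gid) != 0) return -1;
    return 0;
}

/* Descriptor-based: create the output once with O_EXCL (fails instead of
 * reusing an existing name or symlink), write through that descriptor, and
 * apply fchmod()/fchown() to the same descriptor, so every step refers to
 * the inode this call created. Ownership is changed only when it differs,
 * so the unprivileged case makes no needless privileged call. */
int write_with_metadata_fd(const char *in_path, const char *out_path,
                           const void *buf, size_t len) {
    struct stat in_st, out_st;
    int in_fd = open(in_path, O_RDONLY | O_NOFOLLOW);
    if (in_fd < 0) return -1;
    int rc = fstat(in_fd, &in_st);
    close(in_fd);
    if (rc != 0) return -1;

    int out_fd = open(out_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out_fd < 0) return -1;

    const char *p = buf;
    size_t left = len;
    while (left > 0) {                       /* handle short writes */
        ssize_t n = write(out_fd, p, left);
        if (n < 0) goto fail;
        p += n;
        left -= (size_t)n;
    }
    if (fchmod(out_fd, in_st.st_mode & 07777) != 0) goto fail;
    if (fstat(out_fd, &out_st) != 0) goto fail;
    if (out_st.st_uid != in_st.st_uid || out_st.st_gid != in_st.st_gid) {
        if (fchown(out_fd, in_st.st_uid, in_st.st_gid) != 0) goto fail;
    }
    if (close(out_fd) != 0) { unlink(out_path); return -1; }
    return 0;
fail:
    close(out_fd);
    unlink(out_path);                        /* we created it: drop the partial file */
    return -1;
}

/* Demo: a constructed input with mode 0640 is copied to a per-process path
 * under /tmp; returns 0 only if the output carries the same permission bits
 * and the whole payload. Both files are removed afterwards. */
int demo_fd_pattern(void) {
    char in_path[64], out_path[64];
    snprintf(in_path, sizeof in_path, "/tmp/mir-demo-%ld.in", (long)getpid());
    snprintf(out_path, sizeof out_path, "/tmp/mir-demo-%ld.out", (long)getpid());
    const char payload[] = "constructed sample payload";
    int rc = -1;
    struct stat st;

    unlink(in_path);                         /* clear stale files from an earlier run */
    unlink(out_path);
    int fd = open(in_path, O_WRONLY | O_CREAT | O_EXCL, 0640);
    if (fd < 0) return -1;
    if (fchmod(fd, 0640) != 0 || write(fd, "x", 1) != 1 || close(fd) != 0) goto out;
    if (write_with_metadata_fd(in_path, out_path, payload, sizeof payload - 1) != 0) goto out;
    if (stat(out_path, &st) != 0) goto out;
    if ((st.st_mode & 07777) != 0640 || st.st_size != (off_t)(sizeof payload - 1)) goto out;
    rc = 0;
out:
    unlink(in_path);
    unlink(out_path);
    return rc;
}

int main(void) {
    printf("fd-based pattern: %s\n", demo_fd_pattern() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The descriptor-based version also refuses to proceed when the output name already exists, because O_EXCL reports that instead of opening whatever the name currently points to; the path-based version has no such check and simply operates on the name it is given.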
Sebastien Bacher (seb128) wrote :

K, since MIR and security team reviews acked it, I'm setting the bug as Fix Committed.

Changed in brotli (Ubuntu):
importance: Undecided → Low
status: New → Fix Committed
Matthias Klose (doko) wrote :

package ftbfs on armhf (alignment errors)

Changed in brotli (Ubuntu):
status: Fix Committed → Incomplete
Sebastien Bacher (seb128) wrote :

@doko, that's a new issue in the updated version in bionic-proposed which is being investigated upstream; the bionic version builds fine on armhf. Does it make sense in that context to block the promotion? It looks like the bionic version can be promoted and that proposed does its job and is blocking the buggy update until that one is sorted out.

Jeremy Bicha (jbicha) wrote :

The upstream report for the armhf build problem is
https://github.com/google/brotli/issues/649

Matthias Klose (doko) wrote :

patch merged into the bionic package

Jeremy Bicha (jbicha) on 2018-04-07
Changed in brotli (Ubuntu):
status: Incomplete → Fix Committed
Andy Whitcroft (apw) wrote :

$ change-override -S -s cosmic -c main brotli
Override component to main
brotli 1.0.3-1ubuntu1 in cosmic: universe/misc -> main
brotli 1.0.3-1ubuntu1 in cosmic amd64: universe/python/optional/100% -> main
brotli 1.0.3-1ubuntu1 in cosmic arm64: universe/python/optional/100% -> main
brotli 1.0.3-1ubuntu1 in cosmic armhf: universe/python/optional/100% -> main
brotli 1.0.3-1ubuntu1 in cosmic i386: universe/python/optional/100% -> main
brotli 1.0.3-1ubuntu1 in cosmic ppc64el: universe/python/optional/100% -> main
brotli 1.0.3-1ubuntu1 in cosmic s390x: universe/python/optional/100% -> main
libbrotli-dev 1.0.3-1ubuntu1 in cosmic amd64: universe/libdevel/optional/100% -> main
libbrotli-dev 1.0.3-1ubuntu1 in cosmic arm64: universe/libdevel/optional/100% -> main
libbrotli-dev 1.0.3-1ubuntu1 in cosmic armhf: universe/libdevel/optional/100% -> main
libbrotli-dev 1.0.3-1ubuntu1 in cosmic i386: universe/libdevel/optional/100% -> main
libbrotli-dev 1.0.3-1ubuntu1 in cosmic ppc64el: universe/libdevel/optional/100% -> main
libbrotli-dev 1.0.3-1ubuntu1 in cosmic s390x: universe/libdevel/optional/100% -> main
libbrotli1 1.0.3-1ubuntu1 in cosmic amd64: universe/libs/optional/100% -> main
libbrotli1 1.0.3-1ubuntu1 in cosmic arm64: universe/libs/optional/100% -> main
libbrotli1 1.0.3-1ubuntu1 in cosmic armhf: universe/libs/optional/100% -> main ...


Changed in brotli (Ubuntu):
assignee: nobody → Andy Whitcroft (apw)
assignee: Andy Whitcroft (apw) → nobody
status: Fix Committed → Fix Released