[MIR] content-hub

Bug #1597453 reported by Ken VanDine on 2016-06-29
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical System Image
High
Unassigned
content-hub (Ubuntu)
Undecided
Mathieu Trudel-Lapierre

Bug Description

[Availability]
 * Available in universe

[Rationale]
 * This package is required by unity8

[Security]
 * No known security issues at this time. It has been reviewed by security in the past for use on the phone.

[Quality assurance]
 * This package has both unit tests and autopkgtests

[Dependencies]
 Most dependencies are already in main with the exception of the following:
 * ubuntu-download-manager (bug #1488425)
 * qtbase-opensource-src-gles (the non-gles variant is in main) (doesn't need a MIR?)

[Standards compliance]
 * This package uses cmake and is properly translated.

[Maintenance]
 * This package is maintained by Canonical and actively in use on the phone images

Related branches

description: updated
Michael Terry (mterry) on 2016-06-30
Changed in content-hub (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)

Blockers:
 - I'm concerned about the number of bugs open; we should have an idea whether they are all really still issues. There are a few older bugs with no response at all, or no change in months.
 - Security team should explicitly sign-off on the review that was previously done, since this package is the basis for the security story behind how applications retrieve files on the system.
 - This is blocked on the MIR for ubuntu-download-manager still: https://bugs.launchpad.net/ubuntu/+source/ubuntu-download-manager/+bug/1488425

Changed in content-hub (Ubuntu):
status: New → Incomplete
Ken VanDine (ken-vandine) wrote :

The bulk of the bugs are actually feature requests.

Sebastien Bacher (seb128) wrote :

security team gave their ack on the trello board

Sebastien Bacher (seb128) wrote :

changing back to New, security is ok it seems and Ken commented on the bugs being feature requests ... was there anything else on content-hub itself to resolve?

Changed in content-hub (Ubuntu):
status: Incomplete → New

N: Processing binary package libcontent-hub0 (version 0.2+16.10.20160830-0ubuntu1, arch amd64) ...
I: libcontent-hub0: hardening-no-bindnow usr/lib/x86_64-linux-gnu/libcontent-hub.so.0.2.0
I: libcontent-hub0: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libcontent-hub.so.0.2.0

N: Processing binary package qtdeclarative5-ubuntu-content1 (version 0.2+16.10.20160830-0ubuntu1, arch amd64) ...
I: qtdeclarative5-ubuntu-content1: hardening-no-bindnow usr/lib/x86_64-linux-gnu/qt5/qml/Ubuntu/Content/libubuntu-content-hub-plugin.so

Are these expected? Please fix if possible. Otherwise I see no other issues with content-hub.

Ken VanDine (ken-vandine) wrote :

@cyphermox: I don't get that from lintian on xenial, is that new for yakkety?

Changed in canonical-devices-system-image:
status: New → Fix Committed
status: Fix Committed → In Progress
importance: Undecided → High

I still see this issue from lintian:
I: libcontent-hub0: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libcontent-hub.so.0.2.0

However, as discussed the -D_FORTIFY_SOURCE=2 option is properly passed at build time, and we no longer have the lintian warning about bindnow, which seems to indicate that hardening options are correctly being passed.

Please file a bug about this and seek help from the Security Team to figure out why this is either a false-positive or otherwise broken (could it be because cmake is doing something special?).

In the meantime, I believe it is fine to accept the MIR despite this issue, as it *is* being worked on and the package looks fine otherwise.

Changed in content-hub (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package content-hub - 0.2+16.10.20160914-0ubuntu1

---------------
content-hub (0.2+16.10.20160914-0ubuntu1) yakkety; urgency=medium

  * Build with hardening=+all (LP: #1597453)

 -- Ken VanDine <email address hidden> Wed, 14 Sep 2016 14:30:52 +0000

Changed in content-hub (Ubuntu):
status: Fix Committed → Fix Released
Michael Terry (mterry) on 2016-09-16
Changed in content-hub (Ubuntu):
status: Fix Released → Fix Committed
Changed in canonical-devices-system-image:
status: In Progress → Fix Committed
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :
Download full text (3.9 KiB)

Override component to main
content-hub 0.2+16.10.20160914-0ubuntu1 in yakkety: universe/libs -> main
content-hub 0.2+16.10.20160914-0ubuntu1 in yakkety amd64: universe/libs/optional/100% -> main
content-hub 0.2+16.10.20160914-0ubuntu1 in yakkety arm64: universe/libs/optional/100% -> main
content-hub 0.2+16.10.20160914-0ubuntu1 in yakkety armhf: universe/libs/optional/100% -> main
content-hub 0.2+16.10.20160914-0ubuntu1 in yakkety i386: universe/libs/optional/100% -> main
content-hub 0.2+16.10.20160914-0ubuntu1 in yakkety powerpc: universe/libs/optional/100% -> main
content-hub 0.2+16.10.20160914-0ubuntu1 in yakkety ppc64el: universe/libs/optional/100% -> main
content-hub-testability 0.2+16.10.20160914-0ubuntu1 in yakkety amd64: universe/libdevel/optional/100% -> main
content-hub-testability 0.2+16.10.20160914-0ubuntu1 in yakkety arm64: universe/libdevel/optional/100% -> main
content-hub-testability 0.2+16.10.20160914-0ubuntu1 in yakkety armhf: universe/libdevel/optional/100% -> main
content-hub-testability 0.2+16.10.20160914-0ubuntu1 in yakkety i386: universe/libdevel/optional/100% -> main
content-hub-testability 0.2+16.10.20160914-0ubuntu1 in yakkety powerpc: universe/libdevel/optional/100% -> main
content-hub-testability 0.2+16.10.20160914-0ubuntu1 in yakkety ppc64el: universe/libdevel/optional/100% -> main
libcontent-hub-dev 0.2+16.10.20160914-0ubuntu1 in yakkety amd64: universe/libdevel/optional/100% -> main
libcontent-hub-dev 0.2+16.10.20160914-0ubuntu1 in yakkety arm64: universe/libdevel/optional/100% -> main
libcontent-hub-dev 0.2+16.10.20160914-0ubuntu1 in yakkety armhf: universe/libdevel/optional/100% -> main
libcontent-hub-dev 0.2+16.10.20160914-0ubuntu1 in yakkety i386: universe/libdevel/optional/100% -> main
libcontent-hub-dev 0.2+16.10.20160914-0ubuntu1 in yakkety powerpc: universe/libdevel/optional/100% -> main
libcontent-hub-dev 0.2+16.10.20160914-0ubuntu1 in yakkety ppc64el: universe/libdevel/optional/100% -> main
libcontent-hub-doc 0.2+16.10.20160914-0ubuntu1 in yakkety amd64: universe/doc/optional/100% -> main
libcontent-hub-doc 0.2+16.10.20160914-0ubuntu1 in yakkety arm64: universe/doc/optional/100% -> main
libcontent-hub-doc 0.2+16.10.20160914-0ubuntu1 in yakkety armhf: universe/doc/optional/100% -> main
libcontent-hub-doc 0.2+16.10.20160914-0ubuntu1 in yakkety i386: universe/doc/optional/100% -> main
libcontent-hub-doc 0.2+16.10.20160914-0ubuntu1 in yakkety powerpc: universe/doc/optional/100% -> main
libcontent-hub-doc 0.2+16.10.20160914-0ubuntu1 in yakkety ppc64el: universe/doc/optional/100% -> main
libcontent-hub-doc 0.2+16.10.20160914-0ubuntu1 in yakkety s390x: universe/doc/optional/100% -> main
libcontent-hub0 0.2+16.10.20160914-0ubuntu1 in yakkety amd64: universe/libs/optional/100% -> main
libcontent-hub0 0.2+16.10.20160914-0ubuntu1 in yakkety arm64: universe/libs/optional/100% -> main
libcontent-hub0 0.2+16.10.20160914-0ubuntu1 in yakkety armhf: universe/libs/optional/100% -> main
libcontent-hub0 0.2+16.10.20160914-0ubuntu1 in yakkety i386: universe/libs/optional/100% -> main
libcontent-hub0 0.2+16.10.20160914-0ubuntu1 in yakkety powerpc: universe/libs/optional/100% -> main
libcontent...

Read more...

Changed in content-hub (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers