[MIR] dbus-broker
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
dbus-broker (Ubuntu) |
Incomplete
|
Undecided
|
Unassigned |
Bug Description
[Availability]
The package dbus-broker is already in Ubuntu universe.
The package dbus-broker build for the architectures it is designed to work on.
It currently builds and works for architetcures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
Link to package https:/
[Rationale]
- The package dbus-broker is required in Ubuntu main to replace dbus-daemon.
- The package dbus-broker will generally from server to desktop.
- Package dbus-broker covers the same use case as dbus-daemon but is a better alternative for the reason described in https:/
- There is no other/better way to solve this that is already in main or
should go universe->main instead of this.
- The package dbus-broker is required in Ubuntu main no later than august due to FF, ideally we would like land it earlier in the cycle
[Security]
- Had 2 security issues in the past
1.
https:/
https:/
https:/
2.
https:/
https:/
https:/
Those reports seem to have been fixed in timelined fashion upstream. The issues are resolved in Ubuntu in series > Kinetic
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does install services, timers or recurring jobs
/lib/systemd/
/usr/lib/
The system unit use the following systemd security features
OOMScoreAdjust=-900
LimitNOFILE=16384
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true
- Packages does not open privileged ports (ports < 1024)
- Packages does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail
Ok: 46
Expected Fail: 0
Fail: 0
Unexpected Pass: 0
Skipped: 0
Timeout: 0
- The package runs an autopkgtest, and is currently passing on
amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
https:/
- The package does have not failing autopkgtests right now
- The autopkgtest is the running the upstream testsuite so is not trivial
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer since it's in sync from Debian
- The package has no lintian warnings
# lintian --pedantic
#
- Please link to a recent build log of the package
https:/
`lintian --pedantic` as an extra post to this bug.
- Lintian overrides are present
# dbus-broker only supports systemd
dbus-broker: maintainer-
dbus-broker: package-
# need to override dh_installsystemd
dbus-broker: maintainer-
dbus-broker: maintainer-
# matches dbus-daemon package, activated by socket
dbus-broker: systemd-
Those have to do with the fact that package is set to work only with systemd, that's not an issue in Ubuntu since we don't support alternative init systems anyway
Also the service shouldn't be stopped on package removal to avoid seeing the user session close
https:/
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions
- Packaging and build is easy, https:/
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Teams will be foundations and desktop
- desktop-packages is already subscribed to the package, we will get foundations added
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package successfully built during the most recent test rebuild
[Background information]
The Package description explains the package well
Upstream Name is dbus-broker
Link to upstream project https:/
The apparmor integration patch in review upstream on https:/
CVE References
description: | updated |
Changed in dbus-broker (Ubuntu): | |
assignee: | nobody → Lukas Märdian (slyon) |
tags: | added: sec-1969 |
tags: |
added: rls-nn-incoming removed: rls-mm-incoming |
tags: |
added: rls-oo-incoming removed: rls-nn-incoming |
Review for Package: src:dbus-broker
[Summary]
dbus-broker can be considered a drop-in replacement for dbus-daemon, the
reference implementation of the DBus protocol. It is supposed a more modern,
faster and safer alternative.
MIR team ACK
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: dbus-broker
Specific binary packages built, but NOT to be promoted to main: None
Notes:
- This needs security review because of data-structure parsing, out-of-tree
patch (see below), usage of setuid & embedded sources (which can be considered
part of the project, though).
Required TODOs:
- None
Recommended TODOs:
- consider dropping privileges via systemd unit configuration instead of setuid
- dbus-broker is supposed to be a drop in replacement; try copying/migrating
some autopkgtests from src:dbus (especially the apparmor one, as we will
carry some related modifications)
[Duplication]
There is no other package in main providing the same functionality, BUT src:dbus
which we're trying replace.
Other (deprecated) alternatives include kdbus and bus1 kernel-space
implementations of the broker daemon or gdbus-daemon.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- SRCPKG checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends
and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking] /mesonbuild. com/Subprojects .html
OK:
- no static linking (but embedded subprojects, see below)
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Includes vendored code, the package has documented how to refresh this
code at: https:/
Problems: /github. com/c-util subprojects] "
- embedded source present (several tiny C utils, which are not otherwise
part of the Ubuntu archive): https:/
$ tree -d subprojects/ | grep "[libc|
subprojects/
├── libcdvar-1
│ ├── src
│ └── subprojects
├── libcini-1
│ ├── src
│ └── subprojects
├── libclist-3
│ └── src
├── libcrbtree-3
│ ├── src
│ │ └── docs
│ └── subprojects
├── libcshquote-1
│ ├── src
│ └── subprojects
├── libcstdaux-1
│ └── src
│ └── docs
└── libcutf8-1
├── src
└── subprojects
21 directories
But, quoting ./NEWS.md (CHANGES WITH v30):
dbus- broker. Any critical update to any subproject will cause a new
All subprojects are still statically linked and considered part of
release of dbus-broker, as it always did. Distributions are not
required to monitor the subprojects manually."
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root (it uses the "messagebus" user)
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized...