[MIR] dhcpcd

I suggest waiting until dhcpcd 10.0.1 has been uploaded to Debian and imported into Ubuntu before switching the default DHCP client. It should also be noted that Debian will migrate the source:pkg to dhcpcd (i.e.drop the 5) starting with the 10.0.1 upload.

@Martin-Éric This bug is not about switching default DHCP client, it's prerequisite. Only when dhcpcd is in Ubuntu main, we would consider changing various components (like initramfs, cloud-init, network-manager) in Ubuntu to use dhcpcd. This bug is for reviewing the quality of dhcpcd before promoting it to main.

However it's great to have you involved in this process.

I'm staging some changes in my PPA https://launchpad.net/~zhsj/+archive/ubuntu/dhcpcd5

dhcpcd5 (9.4.1-21ubuntu2) mantic; urgency=medium

  * Drop incompatible ntpd integration.
    No longer working after ntpd was replaced by ntpsec.
  * Fix autopkgtests
    + Use bind-interfaces in dnsmasq conf
    + Wait until ntp server is reloaded

dhcpcd5 (9.4.1-21ubuntu1) mantic; urgency=medium

  [ Martin-Éric Racine ]
  * Migrate debian/watch to Github in cadence with upstream.

  [ Shengjing Zhu ]
  * Remove Conflicts/Replaces dhcp-client

The autopkgtest now pass on amd64, arm64, armhf, s390x.
However on ppc64el, the package ends up with "Bad system call (core dumped)".

  - dhcpcd5/9.4.1-21ubuntu2
    + ✅ dhcpcd5 on mantic for amd64 @ 16.05.23 10:15:50
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-zhsj-dhcpcd5/mantic/amd64/d/dhcpcd5/20230516_101550_35dd5@/log.gz
    + ✅ dhcpcd5 on mantic for arm64 @ 16.05.23 08:59:31
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-zhsj-dhcpcd5/mantic/arm64/d/dhcpcd5/20230516_085931_e152f@/log.gz
    + ✅ dhcpcd5 on mantic for armhf @ 16.05.23 08:19:01
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-zhsj-dhcpcd5/mantic/armhf/d/dhcpcd5/20230516_081901_f7f4d@/log.gz
    + ❌ dhcpcd5 on mantic for ppc64el @ 16.05.23 08:33:23
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-zhsj-dhcpcd5/mantic/ppc64el/d/dhcpcd5/20230516_083323_abad0@/log.gz
    + ✅ dhcpcd5 on mantic for s390x @ 16.05.23 11:06:03
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-zhsj-dhcpcd5/mantic/s390x/d/dhcpcd5/20230516_110603_d5dc6@/log.gz

Review for Package: dhcpcd5

[Summary]

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
And let me be clear, while I have a few small requests here and there
it looks much better than the isc-dhcp-client it is replacing.
So please do not consider this a set-back, but a motivational list of todos :-)

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: dhcpcd-base
Specific binary packages built, but NOT to be promoted to main: dhcpcd, dhcpcd5

Recommended TODOs:
- #1 please clarify if you even want/need the binary package dhcpcd, AFAICS
  none of the use cases you listed to replace in FO092 are needing a service
  to run on all interfaces. Maybe I'm wrong - it would be helpful to know what
  to expect - will a future system have dhcpcd and run this on all interfaces
  or just dhcpcd-base to call the client as needed on specific interfaces.
- #2 The package should get a team bug subscriber before being promoted

Required TODOs:
- #3 While I understand that the majority of todays test blockers are due to
  package dependencies you'll need to get them running and working. The plan is
  to get this into main in 23.10 and only do the replacement in 24.04. That
  means there should be some way to get this testable (like not uninstalling
  ubuntu-minimal) in 23.10 as well.
   You already started the needed changes in the linked Debian bug discussions
- #4 please fix d/watch to use github tags from
  https://github.com/NetworkConfiguration/dhcpcd/tags
  (it is broken right now)
- #5 please update the packge to something more recent. For now Debian was
  in a freeze which explains it to some extent. But we should start and stay
  recent. (There is also nothing recent in experimental so far.)

[Duplication]
There is an obvious package in main providing the same functionality being
isc-dhcpi-client, but the whole reason to do this is to supersede that.
So this aspect is fine.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- history of CVEs does look concerning, but given that this is a commonly
  attacked code also not too much to block it (other dhcp implementations
  are simil...

> #1 please clarify if you even want/need the binary package dhcpcd,

only bin:dhcpcd-base is needed.

> #3 While I understand that the majority of todays test blockers are due to
  package dependencies you'll need to get them running and working.

https://autopkgtest.ubuntu.com/packages/d/dhcpcd5 is green on mantic now.

> #4 please fix d/watch to use github tags from

Fixed in 9.4.1-22ubuntu1

Fixed in 9.4.1-24 on Debian.

Please note that the source package is now called 'dhcpcd'. The 5 has been dropped from the name starting with Debian 10.0.1-1.

I reviewed dhcpcd5 9.4.1-24 as checked into mantic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

dhcpcd5 is a DHCP client (for both IPv4 and IPv6 hosts) and a IPv4LL client. It silently configures the network in a computer and requires mostly no configuration to do so.

- CVE History:
  - Has a few CVEs attributed to it in the past (15).
  - Patches for CVEs are not as clear/easy to find in older CVEs, but since 2019 it seems like upstream has adopted a more organized system in order to patch vulnerabilities, providing the appropriate commits and including messages that explain the issue.
  - Most recent CVE is from 2019.
  - Upstream is active and frequently applying fixes.
- Build-Depends:
  - libudev-dev, debhelper-compat, pkg-config
  - Does not depend on encryption libraries directly, however, this is because during the configure step, there is a check for the presence of certain libraries, and if they do not exist, they are recovered from the '/compat' directory, which in turn contains a '/crypt' directory. This directory contains C files with hashing functions that are to be used by dhcpcd5. The SHA256 files seems to be recovered from 'libscrypt', which is a package available in Ubuntu. The MD5 and HMAC functions seem to have been implemented for NetBSD and I cannot find a package which implements the functions in those files, only coming across packages that do the same as dhcpcd5 and have an internal copy of the code. Possibly package 'util-linux'? TODO: possibly finding if we have packages which contains the functions recovered from 'compat'.
  - Other dependencies in this directory include functions available through 'libbsd', like the 'arc4random' random number generator function and some string functions. If the libraries that provide these functions are not set as dependencies for the package, this means that maintenance of this package might involve keeping a close eye in this "outside" functions, as they could be susceptible to vulnerabilities as well.
- pre/post inst/rm scripts:
  - They seem to run regular set up and clean up actions, other than additional commands included in order to prepare the system for privilege separation.
  - dhcpcd/preinst: sets 'dhcpcd' in 'init.d' as executable if an 'install' command is executed and if the file exists. Ends 'dhcpcd.service' if 'systemd' is in the system and if it is running, and in case of an upgrade.
  - dhcpdcd/postinst: if a 'configure' is run or an 'abort' (upgrade, configure or remove) command is run, will enable/(set '+x' permission) dhcpcd service/(to 'init.d' dhcpcd file).
  - dhcpdcd/postrm: disables dhcpcd service in 'init.d' if a 'remove' command (by removing execution flag), and deletes the file completely if the command is a 'purge'. Does the equivalent to the systemd service.
  - dhcpcd-base/postinst: creates a 'dhcpcd' system user with no shell. Runs the dhcpcd daemon.
  - dhcpcd-base/postrm: deletes 'dhcpcd' system user IF 'deluser' exists. Presents system message if the user is not deleted. Removes directory where dhcpcd stores leases and DUIDs.
- init scripts:
  - Creates './etc/init.d/dhcpcd' (which is expected sinc...

From a FIPS POV it looks mostly ok so far. I am currently looking into modifying the package dependencies to use system libraries for sha and arc4random. I am planning to upload a diff for that later.

Thanks Tobias. It is probably the safest option to remove the 'compat' directory before the build to ensure that it is not used. If you need help, let me know.

I found that we can use libmd instead of the bundled compat/ sha implementations and opened a Debian PR here: https://salsa.debian.org/debian/dhcpcd/-/merge_requests/2
libmd is not currently cerified but it is included in main and thus gets the full security team CVE treatment. Besides, when it comes to cryptography we want to have as few different implementations as possible.

With 10.0.1-1 from Debian the configure script also seems to pick up arc4random from libc, which is another huge improvement.

@bdrung I like that idea. We can't drop the whole thing but with compat/arc4random* and compat/crypt removed we would reduce the risk of a future update pulling in the wrong implementations.

dhcpcd 10.0.1-1 passed Debian NEW and is synced to Ubuntu. This version got the source package renamed from dhcpcd5 to dhcpcd.

Update from security-certs: I have started working on a larger patch to use openssl for the crypto operations here: https://github.com/NetworkConfiguration/dhcpcd/pull/223
With that it should work out of the box on certified systems because all the checks are implemented in the library.

"In progress" means this would be ready, but it isn't having a few requests open to be addressed.
Setting to incomplete until provided for final sign off.

I could already add the Build-Depends on libmd-dev at Debian. This would solve the crypto issue. It can always be changed to use OpenSSL later on.

The BSD compat wrapper issue remains. As far as I can tell, libbsd-dev is only partially found by ./configure.

Btw, Debian now has 10.0.2-1 which fixes a number of bugs.

So it looks like we're (only?) waiting on a FIPS related TODO here that @tobhe is working on (cc @bdrung).

See comment #10 & https://salsa.debian.org/debian/dhcpcd/-/merge_requests/4

Assigning to Tobias for now.

bump. This should now be ready for MIR approval IMO

Thanks everyone, my concerns are resolved with the newest version. Setting it back to "In progress".

debian/watch from dhcpcd 1:10.0.2-3ubuntu1 is working for me.

Checking if all is in place:

MIR Required TODOs:
- ok - #3 Tests active now (red atm, but you'll need to get these green to migrate)
- ok - #4 d/watch is fixed
- ok - #5 package was updated to the most recent

MIR Recommended TODOs:
- ok - #1 clarified - just dhcpcd-base
- ok - #2 foundations-bugs is subscribed

Security TODOs
- ok - is CONFIG_SECCOMP_FILTER enabled (it is on in Ubuntu kernels)
- ok - reduce use of crypto code from compat directory (done in 10.0.2-3ubuntu1)
- ok - ensure 'open_memstream' is used (present in build and provided by libc)
- ok - Security certification team ack - given in comment #21

It is also shown in component mismatches, so it could be state "Fix Committed" and waiting for promotion.
This is valid for 1:10.0.2-3ubuntu2 (which has all changes required above) in mantic-proposed which should carry "being in main" over to -release once it migrates.

As requested just source + dhcpcd-base in mantic-proposed for now.

Override component to main
dhcpcd 1:10.0.2-3ubuntu2 in mantic: universe/misc -> main
Override [y|N]? y
1 publication overridden.

Override component to main
dhcpcd-base 1:10.0.2-3ubuntu2 in mantic amd64: universe/net/optional/100% -> main
dhcpcd-base 1:10.0.2-3ubuntu2 in mantic arm64: universe/net/optional/100% -> main
dhcpcd-base 1:10.0.2-3ubuntu2 in mantic armhf: universe/net/optional/100% -> main
dhcpcd-base 1:10.0.2-3ubuntu2 in mantic ppc64el: universe/net/optional/100% -> main
dhcpcd-base 1:10.0.2-3ubuntu2 in mantic riscv64: universe/net/optional/100% -> main
dhcpcd-base 1:10.0.2-3ubuntu2 in mantic s390x: universe/net/optional/100% -> main
Override [y|N]? y
6 publications overridden.

10.0.4-1 eliminates the Ubuntu diff.