Activity log for bug #2031304

Date Who What changed Old value New value Message
2023-08-14 10:56:03 Benjamin Drung bug added bug
2023-08-14 10:56:27 Benjamin Drung bug added subscriber MIR approval team
2023-08-15 14:45:52 Christian Ehrhardt  dracut (Ubuntu): assignee Christian Ehrhardt  (paelzer)
2023-08-15 15:16:28 Benjamin Drung description

Old value:

[Availability]
The package dracut is already in Ubuntu universe. The package dracut builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/dracut

[Rationale]
The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185). The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules. To my knowledge there are only initramfs-tools (main) and dracut (universe) in the archive that cover the use case. initramfs-tools is Debian-specific and dracut tries to be a distro-agnostic solution. dracut-core is already used by Ubuntu Core: https://github.com/snapcore/core-initrd/
The package dracut is required in Ubuntu main by the feature freeze next Thursday to land the change in bug #2031185.

[Security]
- Had 5 security issues in the past
  - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
  - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
  - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
  - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
- no `suid` or `sgid` binaries
- Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
  - /lib/systemd/system/dracut-cmdline.service
  - /lib/systemd/system/dracut-initqueue.service
  - /lib/systemd/system/dracut-mount.service
  - /lib/systemd/system/dracut-pre-mount.service
  - /lib/systemd/system/dracut-pre-pivot.service
  - /lib/systemd/system/dracut-pre-trigger.service
  - /lib/systemd/system/dracut-pre-udev.service
  - /lib/systemd/system/dracut-shutdown-onfailure.service
  - /lib/systemd/system/dracut-shutdown.service
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
  - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
Upstream has test cases in the test directory, but they are not run during build or as autopkgtest. I am currently looking into how to make them run.
RULE: - The package must include a non-trivial test suite
RULE:   - it should run at package build and fail the build if broken
TODO-A: - The package runs a test suite on build time, if it fails
TODO-A:   it makes the build fail, link to build log TBD
TODO-B: - The package does not run a test at build time because TBD
RULE: - The package should, but is not required to, also contain
RULE:   non-trivial autopkgtest(s).
TODO-A: - The package runs an autopkgtest, and is currently passing on
TODO-A:   this TBD list of architectures, link to test logs TBD
TODO-B: - The package does not run an autopkgtest because TBD
RULE: - existing but failing tests that shall be handled as "ok to fail"
RULE:   need to be explained along the test logs below
TODO-A: - The package does not have failing autopkgtests right now
TODO-B: - The package does have failing autopkgtests right now, but since
TODO-B:   they always failed they are handled as "ignored failure", this is
TODO-B:   ok because TBD
RULE: - If no build tests nor autopkgtests are included, and/or if the package
RULE:   requires specific hardware to perform testing, the subscribed team
RULE:   must provide a written test plan in a comment to the MIR bug, and
RULE:   commit to running that test either at each upload of the package or
RULE:   at least once each release cycle. In the comment to the MIR bug,
RULE:   please link to the codebase of these tests (scripts or doc of manual
RULE:   steps) and attach a full log of these test runs. This is meant to
RULE:   assess their validity (e.g. not just superficial).
RULE:   If possible such things should stay in universe. Sometimes that is
RULE:   impossible due to the way how features/plugins/dependencies work
RULE:   but if you are going to ask for promotion of something untestable
RULE:   please outline why it couldn't provide its value (e.g. by splitting
RULE:   binaries) to users from universe.
RULE:   This is a balance that is hard to strike well, the request is that all
RULE:   options have been exploited before giving up. Look for more details
RULE:   and backgrounds https://github.com/canonical/ubuntu-mir/issues/30
RULE:   Just like in the SRU process it is worth understanding what the
RULE:   consequences of a regression (due to a test miss) would be. Therefore
RULE:   if being untestable we ask to outline what consequences this would
RULE:   have for the given package. And let us be honest, even if you can
RULE:   test you are never sure you will be able to catch all potential
RULE:   regressions. So this is mostly to force self-awareness of the owning
RULE:   team than to make a decision on.
TODO: - The package can not be well tested at build or autopkgtest time
TODO:   because TBD. To make up for that:
TODO-A: - We have access to such hardware in the team
TODO-B: - We have allocated budget to get this hardware, but it is not here
TODO-B:   yet
TODO-C: - We have checked with solutions-qa and will use their hardware
TODO-C:   through testflinger
TODO-D: - We have checked with other team TBD and will use their hardware
TODO-D:   through TBD (eg. MAAS)
TODO-E: - We have checked and found a simulator which covers this case
TODO-E:   sufficiently for testing, our plan to use it is TBD
TODO-F: - We have engaged with the upstream community and due to that
TODO-F:   can test new package builds via TBD
TODO-G: - We have engaged with our user community and due to that
TODO-G:   can test new package builds via TBD
TODO-H: - We have engaged with the hardware manufacturer and made an
TODO-H:   agreement to test new builds via TBD
TODO-A-H: - Based on that access outlined above, here are the details of the
TODO-A-H:   test plan/automation TBD (e.g. script or repo) and (if already
TODO-A-H:   possible) example output of a test run: TBD (logs).
TODO-A-H:   We will execute that test plan
TODO-A-H1:  on-uploads
TODO-A-H2:  regularly (TBD details like frequency: monthly, infra: jira-url)
TODO-X: - We have exhausted all options, there really is no feasible way
TODO-X:   to test or recreate this. We are aware of the extra implications
TODO-X:   and duties this has for our team (= help SEG and security on
TODO-X:   servicing this package, but also more effort on any of your own
TODO-X:   bug triage and fixes).
TODO-X:   Due to TBD there also is no way to provide this to users from
TODO-X:   universe.
TODO-X:   Due to the nature, integration and use cases of the package the
TODO-X:   consequences of a regression that might slip through most likely
TODO-X:   would include
TODO-X:   - TBD
TODO-X:   - TBD
TODO-X:   - TBD

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions higher than medium
- Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

[Standards compliance]
- This package violates FHS or Debian Policy:
  - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distributions (e.g. Fedora) do

[Maintenance/Owner]
- Owning Team will be Foundations team
- Foundations Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based (but that might change in the future)
- The package has been built in the archive more recently than the last test rebuild

[Background information]
The Package description explains the package well
Upstream Name is dracut
Link to upstream project: https://github.com/dracutdevs/dracut/wiki/

New value:

[Availability]
The package dracut is already in Ubuntu universe. The package dracut builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/dracut

[Rationale]
The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185). The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules. To my knowledge there are only initramfs-tools (main) and dracut (universe) in the archive that cover the use case. initramfs-tools is Debian-specific and dracut tries to be a distro-agnostic solution. dracut-core is already used by Ubuntu Core: https://github.com/snapcore/core-initrd/
The package dracut is required in Ubuntu main by the feature freeze next Thursday to land the change in bug #2031185.

[Security]
- Had 5 security issues in the past
  - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
  - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
  - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
  - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
- no `suid` or `sgid` binaries
- Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
  - /lib/systemd/system/dracut-cmdline.service
  - /lib/systemd/system/dracut-initqueue.service
  - /lib/systemd/system/dracut-mount.service
  - /lib/systemd/system/dracut-pre-mount.service
  - /lib/systemd/system/dracut-pre-pivot.service
  - /lib/systemd/system/dracut-pre-trigger.service
  - /lib/systemd/system/dracut-pre-udev.service
  - /lib/systemd/system/dracut-shutdown-onfailure.service
  - /lib/systemd/system/dracut-shutdown.service
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
  - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the linux kernel is only readable by root (see bug #759725)
- The package does not run an autopkgtest, but I am working on running the upstream test suite as autopkgtest (see bug #2031417).

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions higher than medium
- Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

[Standards compliance]
- This package violates FHS or Debian Policy:
  - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distributions (e.g. Fedora) do

[Maintenance/Owner]
- Owning Team will be Foundations team
- Foundations Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based (but that might change in the future)
- The package has been built in the archive more recently than the last test rebuild

[Background information]
The Package description explains the package well
Upstream Name is dracut
Link to upstream project: https://github.com/dracutdevs/dracut/wiki/
2023-08-16 12:43:29 Benjamin Drung description

Old value:

[Availability]
The package dracut is already in Ubuntu universe. The package dracut builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/dracut

[Rationale]
The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185). The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules. To my knowledge there are only initramfs-tools (main) and dracut (universe) in the archive that cover the use case. initramfs-tools is Debian-specific and dracut tries to be a distro-agnostic solution. dracut-core is already used by Ubuntu Core: https://github.com/snapcore/core-initrd/
The package dracut is required in Ubuntu main by the feature freeze next Thursday to land the change in bug #2031185.

[Security]
- Had 5 security issues in the past
  - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
  - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
  - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
  - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
- no `suid` or `sgid` binaries
- Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
  - /lib/systemd/system/dracut-cmdline.service
  - /lib/systemd/system/dracut-initqueue.service
  - /lib/systemd/system/dracut-mount.service
  - /lib/systemd/system/dracut-pre-mount.service
  - /lib/systemd/system/dracut-pre-pivot.service
  - /lib/systemd/system/dracut-pre-trigger.service
  - /lib/systemd/system/dracut-pre-udev.service
  - /lib/systemd/system/dracut-shutdown-onfailure.service
  - /lib/systemd/system/dracut-shutdown.service
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
  - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the linux kernel is only readable by root (see bug #759725)
- The package does not run an autopkgtest, but I am working on running the upstream test suite as autopkgtest (see bug #2031417).

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions higher than medium
- Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

[Standards compliance]
- This package violates FHS or Debian Policy:
  - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distributions (e.g. Fedora) do

[Maintenance/Owner]
- Owning Team will be Foundations team
- Foundations Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based (but that might change in the future)
- The package has been built in the archive more recently than the last test rebuild

[Background information]
The Package description explains the package well
Upstream Name is dracut
Link to upstream project: https://github.com/dracutdevs/dracut/wiki/

New value:

[Availability]
The package dracut is already in Ubuntu universe. The package dracut builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/dracut

[Rationale]
The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185). The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules. To my knowledge there are only initramfs-tools (main) and dracut (universe) in the archive that cover the use case. initramfs-tools is Debian-specific and dracut tries to be a distro-agnostic solution. dracut-core is already used by Ubuntu Core: https://github.com/snapcore/core-initrd/
The package dracut is required in Ubuntu main by the feature freeze next Thursday to land the change in bug #2031185.

[Security]
- Had 5 security issues in the past
  - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
  - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
  - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
  - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
- no `suid` or `sgid` binaries
- Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
  - /lib/systemd/system/dracut-cmdline.service
  - /lib/systemd/system/dracut-initqueue.service
  - /lib/systemd/system/dracut-mount.service
  - /lib/systemd/system/dracut-pre-mount.service
  - /lib/systemd/system/dracut-pre-pivot.service
  - /lib/systemd/system/dracut-pre-trigger.service
  - /lib/systemd/system/dracut-pre-udev.service
  - /lib/systemd/system/dracut-shutdown-onfailure.service
  - /lib/systemd/system/dracut-shutdown.service
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
  - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the linux kernel is only readable by root (see bug #759725)
- The package runs an autopkgtest, and is currently passing on amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/d/dracut/20230816_015908_d6cb2@/log.gz
- I am working on fixing the new autopkgtests on the other architectures (see bug #2031417).

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions higher than medium
- Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

[Standards compliance]
- This package violates FHS or Debian Policy:
  - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distributions (e.g. Fedora) do

[Maintenance/Owner]
- Owning Team will be Foundations team
- Foundations Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based (but that might change in the future)
- The package has been built in the archive more recently than the last test rebuild

[Background information]
The Package description explains the package well
Upstream Name is dracut
Link to upstream project: https://github.com/dracutdevs/dracut/wiki/
2023-08-18 11:37:05 Christian Ehrhardt  cve linked 2015-0267
2023-08-21 05:25:15 Christian Ehrhardt  dracut (Ubuntu): assignee Christian Ehrhardt  (paelzer) Benjamin Drung (bdrung)
2023-08-21 05:25:18 Christian Ehrhardt  dracut (Ubuntu): status New Incomplete
2023-08-22 15:36:11 Benjamin Drung dracut (Ubuntu): assignee Benjamin Drung (bdrung)
2023-08-22 15:36:13 Benjamin Drung dracut (Ubuntu): status Incomplete New
2023-08-23 11:04:00 Christian Ehrhardt  dracut (Ubuntu): status New In Progress
2023-08-23 11:04:05 Christian Ehrhardt  dracut (Ubuntu): status In Progress Fix Committed
2023-08-23 11:57:20 Christian Ehrhardt  dracut (Ubuntu): assignee Ubuntu Security Team (ubuntu-security)
2023-09-08 02:32:03 Nishit Majithia cve linked 2010-4176
2023-09-08 02:32:03 Nishit Majithia cve linked 2012-4453
2023-09-08 02:32:03 Nishit Majithia cve linked 2015-0794
2023-09-08 02:32:03 Nishit Majithia cve linked 2016-8637
2023-09-08 02:32:10 Nishit Majithia dracut (Ubuntu): assignee Ubuntu Security Team (ubuntu-security)
2023-09-08 02:32:26 Nishit Majithia bug added subscriber Nishit Majithia