[MIR] ell
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ell (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
[Availability]
The package ell is already in Ubuntu universe.
The package ell builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https:/
[Rationale]
- The package ell is required in Ubuntu main as a depends of iwd, which is going to replace wpa as our default wireless daemon
- The package ell is required in Ubuntu main no later than Aug 25 due to feature freeze
[Security]
- Had 1 security issue in the past
- http://
- https:/
which is marked as needs triage in Ubuntu
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no open reports
- Ubuntu https:/
- Debian https:/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log https:/
=======
Testsuite summary for ell 0.50
=======
# TOTAL: 40
# PASS: 40
- The package does not run an autopkgtest, patch submitted to Debian to add one https:/
and added to Ubuntu now
https:/
[Quality assurance - packaging]
- debian/watch is present and works
- Lintian has only minor warnings, https:/
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
- Packaging and build is easy, link to d/rules https:/
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- desktop-packages is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- The package has been built in the archive more recently than the last test rebuild
[Background information]
The Package description explains the package well
Upstream Name is ell
Link to upstream project https:/
description: updated
Changed in ell (Ubuntu):
importance: Undecided → High
Changed in ell (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Changed in ell (Ubuntu):
milestone: none → ubuntu-22.08
tags: added: sec-1041
Changed in ell (Ubuntu):
status: New → In Progress
assignee: Ubuntu Security Team (ubuntu-security) → Camila Camargo de Matos (ccdm94)
Review for Package: ell
[Summary]
It replicates functionality that exists otherwise, but in a scope that
we do not have in an alternate form. Other than that it seems to be
nice and trimmed to just the function it is advertising.
=> MIR team ACK
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: ell
Specific binary packages built, but NOT to be promoted to main: <none>
Required TODOs:
- none
Recommended TODOs:
- none
[Duplication]
Well - the whole base system is what is duplicated in this library.
dhcp requests, icmp handling, tls, netlink, ... many more things that a base
system would do are essentially re-implemented as a library (instead of
independent tools/services) here. That is some duplication, but it is done
in a way to provide those as a lib/binding interface as used by IWD.
And in that use-case/context there is no duplication in Ubuntu main yet.
Problems: None
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- -dev package will be auto-promoted but also has sane dependencies
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present (just a kernel header for gpio)
- no static linking
One common way to use ell is static linking, but nowadays it does allow
to be a dynamic lib and that is how it e.g. is used from iwd
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- history of CVEs does not look concerning (unless we consider having none
as concerning since the functionality it covers usually has CVEs)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
Problems:
- does parse data formats (most of the functions interact with some remote
component)
- does open a port/socket (for some functions)
- While not having CVEs yet, in general this covers a lot of things like dhcp,
dbus or many others that are known to be exploited in other places. So the
assumption should be that there is a reasonable attack surface here as well.
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- No need for special HW to test
- no new python2 dependency
Problems:
- does not have a non-trivial test suite that runs as autopkgtest
- a non-trivial test on this level does not make sense (the lib alone
is only doing rather simple things), but there is an autopkgtest in iwd
which is the context that pulls this into main.
I think there is no strong need to require or recommend to add an
autopkgtest on this level as well.
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is presen...