[MIR] fprintd

Bug #1745455 reported by Marco Trevisan (Treviño) on 2018-01-25
Affects: fprintd (Ubuntu)
Importance: Undecided
Assigned to: Ubuntu Security Team

Bug Description

[Availability]

Already in universe, in sync with debian.

Built for all supported architectures.

[Rationale]

Ubuntu desktop team wants to enable fingerprint lockscreen unlock support by default in GNOME installations, and this includes the daemon that gnome-shell and gnome-control-center talk to (using the DBus API) and the PAM library to enable that.

[Security]

No known security issues.

Bug 1532264 is the only security-related bug here, but this doesn't seem to be a real thing. Also, it's all about distro management, nothing related to the upstream project.

https://security-tracker.debian.org/tracker/source-package/fprintd
https://launchpad.net/fprintd/+cve

[Quality assurance]

- The Ubuntu Desktop bugs team is subscribed.

https://bugs.launchpad.net/ubuntu/+source/fprintd
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=fprintd
https://bugs.freedesktop.org/buglist.cgi?component=fprintd&product=libfprint

No upstream tests or autopkgtests.

[Dependencies]

libfprint. See MIR bug #1745454

[Standards compliance]

The package meets the FHS and Debian Policy standards (4.1.1).

[Maintenance]

- Actively developed upstream. Last release was 0.8.0 in September
https://cgit.freedesktop.org/libfprint/fprintd/log/

Didier Roche (didrocks) wrote:

Looks generally good, some small things I need to get some clarification on:

[ required ]
- There is some lintian warning on the policy file: dbus-policy-without-send-destination (fprintd binary package). Maybe worth either:
* Check for a fix with upstream
* Override it in lintian with rationale
- Any suggestion on https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1619329, which seems to touch multiple people and doesn't seem dealt with?

[ optional ]
- the package is using dh_install --fail-missing, which is good! It's deprecated nowadays, though, and dh_missing --fail-missing should be used for listing missing files.

Otherwise, the packaging looks good, also after a quick code scan. I would like a security review ofc, due to the sensitiveness of it.

Changed in fprintd (Ubuntu):
assignee: nobody → Canonical Security Team (canonical-security)
Seth Arnold (seth-arnold) wrote:

Could someone go through https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1532264 and decide if this package is intended for this use case? It's been ages but I think I had the impression this was a toy, not a tool.

Thanks

Seth, I've attached a debdiff to fix that, by changing the policykit setting.

Ah, and Seth... The tool was the predecessor of the pam module; the one inside fprintd is not the newest, but it's still quite stable and does its job in my eyes (I have been through the code too).

Changed in fprintd (Ubuntu):
assignee: Canonical Security Team (canonical-security) → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote:

Are these lintian messages fatal?

Unpacking sbuild-build-depends-lintian-dummy (0.invalid.0) ...
Setting up sbuild-build-depends-lintian-dummy (0.invalid.0) ...
E: fprintd changes: bad-distribution-in-changes-file unstable
W: fprintd source: vcs-deprecated-in-debian-infrastructure vcs-git https://anonscm.debian.org/git/fingerforce/fprintd.git
W: fprintd source: vcs-deprecated-in-debian-infrastructure vcs-browser https://anonscm.debian.org/cgit/fingerforce/fprintd.git/
W: fprintd: dbus-policy-without-send-destination etc/dbus-1/system.d/net.reactivated.Fprint.conf <policy context="default"><allow send_interface="net.reactivated.Fprint"/>

E: Lintian run failed (policy violation)

The bad-distribution line may be a result of this being an 'unstable' package, rather than an ubuntu package; anonscm lines may be Someone Else's Problem for a similar reason.

Is the dbus-policy-without-send-destination warning a real issue?

Thanks

Mh, I think it'd be the case to address this, to avoid allowing services that just implement the interface. I'll look into this.
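As an added illustration of the lintian warning discussed above (not the package's actual net.reactivated.Fprint.conf), here is a D-Bus system bus policy with the flagged rule, keyed only on the interface, next to a rule keyed on the destination bus name. It assumes the daemon runs as root and owns the well-known name net.reactivated.Fprint.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Assumption for this example: the daemon runs as root, so only root
       may claim the well-known name. Any other process trying to own it
       is refused by the bus. -->
  <policy user="root">
    <allow own="net.reactivated.Fprint"/>
  </policy>

  <!-- Form lintian flags as dbus-policy-without-send-destination: the rule
       is keyed on the interface name only, so it permits a client to send a
       message carrying that interface to ANY bus name, not just to the
       process owning net.reactivated.Fprint. Shown commented out. -->
  <!--
  <policy context="default">
    <allow send_interface="net.reactivated.Fprint"/>
  </policy>
  -->

  <!-- Corrected form: key the rule on the destination bus name instead.
       Clients may then only talk to whichever process owns
       net.reactivated.Fprint, and the policy above restricts that to root. -->
  <policy context="default">
    <allow send_destination="net.reactivated.Fprint"/>
  </policy>

</busconfig>
```

A rule keyed on send_destination is checked against the bus names the receiving connection actually owns, which is what ties the permission to the real daemon rather than to whatever a message claims as its interface.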
