I reviewed gnome-remote-desktop 0.1.7-1 as checked into eoan. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

gnome-remote-desktop is a remote desktop daemon for GNOME using VNC with pipewire. It is supposed to work with both X and Wayland.

- No CVEs. Also examined the git histories at both
  * https://gitlab.gnome.org/jadahl/gnome-remote-desktop
  * https://salsa.debian.org/gnome-team/gnome-remote-desktop
- Build-Depends: debhelper (>= 11), gnome-pkg-tools, libglib2.0-dev, libnotify-dev, libpipewire-0.2-dev, libsecret-1-dev, libvncserver-dev, meson (>= 0.36.0)
  **Note: Uses meson build system
- No Debian pre/post inst/rm scripts. However, there is a meson_post_install.py script that appears to compile gsettings schemas.
- No init scripts.
- There is a systemd service unit file installed in /usr/lib/systemd/user directory. It is used to start the daemon.
- Appears to use glib bindings for dbus. Uses introspection data format and is used for both screen casting and remote desktop. The remote desktop uses dbus to create, start, and stop remote desktop sessions. Notifications for pointer button motions and whether pressed. Notification if a key identified by a keysym was pressed.
- Remote desktop driven screen casts are started and stopped by the remote desktop session using dbus. Also uses dbus to record a monitor during the screen cast.
- No setuid/setgid binaries nor in the code.
- Nothing added to PATH.
- No sudo fragments.
- No udev rules.
- No testcases. However, when I looked upstream, a few have been added.
  https://gitlab.gnome.org/jadahl/gnome-remote-desktop/tree/master/tests
- No cron jobs.
- Build logs showed a successful build, but there were the following warnings:
    Binary packages built successfully but there was the following warning(s):
    dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:NextVersion} unused, but is defined
    dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:Version} unused, but is defined
    dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:NextVersion} unused, but is defined
    dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:Version} unused, but is defined
- Error during source build:
    dh clean --with gnome --buildsystem=meson
    dh: Sorry, but 10 is the highest compatibility level supported by this debhelper.
    debian/rules:7: recipe for target 'clean' failed
    make: *** [clean] Error 25
    dpkg-buildpackage: error: fakeroot debian/rules clean gave error exit status 2
    debuild: fatal error at line 1376:
    dpkg-buildpackage -rfakeroot -d -us -uc -S failed
    FAIL
- No spawned processes.
- Memory management uses quite a bit of glib memory mgmt calls. They all seem to be used ok.
- No File IO issues.
- Logging uses glib logging and looks ok.
- Environment variable usage looks ok and only one is used to enable debugging.
- No privileged functions.
- This app uses libsecret for password storage and lookup. Calls into libsecret to get and store encrypted passwords. Uses libvncserver to encrypt keys for storage. Uses 3DES encryption algo. Encrypts user password and then compares it with the stored one to validate.
- No temp files.
- For networking, uses libpipewire for data transfer when doing screen casting. Using glib calls, vnc server listens on a socket|port for all interfaces. It seems to handle only one session on the listening socket. Could not get it to work to test that out. The socket handling seems ok.
- Does not use WebKit
- Does not seem to use PolicyKit
- Clean cppcheck

MISC NOTES

Authentication seems to be permitted in 1 of 2 ways:
1. password authentication
2. prompting - that is user is alerted that someone wants to connect and whether they will give permission or not.

The hardening-check tool reported, Fortify Source functions: no, only unprotected functions found!

The old Free Software Foundation address is used in many of the source files.

A lintian warning about debian/control
W: gnome-remote-desktop source: newer-standards-version 4.3.0 (current is 3.9.7)
(but googling reported latest version is 4.3.0.3)

The debian/control has following sentence in it, "This feature will not work on Ubuntu until mutter is recompiled with the remote desktop option enabled."

Security team ACK only on condition that it works, and help preparing updates and testing.