[MIR] ipmitool

Bug #1576812 reported by Steve Langasek on 2016-04-29
Affects                Status  Importance  Assigned to  Milestone
cluster-glue (Ubuntu)          Undecided   Unassigned
ipmitool (Ubuntu)              Undecided   Unassigned

Bug Description

Availability: ipmitool is in universe in Precise, Trusty and Xenial.

Rationale: ipmitool is a new Recommends of cluster-glue, which is in Main. Additionally, ipmitool is a reasonably common program for systems management, and it makes some sense for it to be in Main.

Security: The security history for the ipmitool package is fairly quiet.

Reviewing CVEs for ipmitool, I found only one relevant one: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4339 which was fixed in Debian.

ipmitool installs one binary to /usr/sbin:

/usr/sbin/ipmievd

and one corresponding service:

/etc/init.d/ipmievd
/lib/systemd/system/ipmievd.service

ipmievd itself is a logging daemon that transfers logs from a BMC to syslog and seems like a low exposure (accounting for the aforementioned CVE).

Quality assurance:

Installation of ipmitool results in an immediately working package. Site-specific options for accessing a BMC may be necessary, but are documented in the man-page.

No debconf questions are asked during installation.

https://bugs.launchpad.net/ubuntu/+source/ipmitool indicates no outstanding long-term bugs exist for ipmitool.

Debian's bug tracker implies no significant bugs exist, excepting possibly related to whether ipmievd should start by default (due to dependencies on particular kernel modules).
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=ipmitool

The upstream bug tracker https://sourceforge.net/p/ipmitool/bugs/?source=navbar mostly contains feature requests.

ipmitool is well-maintained in Debian and Ubuntu.

ipmitool does not ship a test suite; any test suite it shipped would also have strict hardware dependencies, I think.

ipmitool uses a debian/watch file and uscan/uupdate function currently.

I am not sure that the end-user application (ipmitool itself) has been internationalized yet. Nor does there appear to be a desktop file, but ipmitool would primarily be used on servers.

Dependencies:

All build and binary dependencies (including Recommends:) are satisfiable in main.

Standards compliance: The package meets the FHS and Debian Policy standards.

Maintenance: The Ubuntu Server team will maintain this package.

Background information:

The package descriptions correctly explain the general purpose and context of the package.

== Original report ==

cluster-glue has added a recommends: against ipmitool, currently in universe. This looks to me like a reasonable thing to have in main, but needs to go through the MIR process.

cluster-glue is owned by the server team.

Steve Langasek (vorlon) on 2016-04-29
Changed in ipmitool (Ubuntu):
assignee: nobody → Ubuntu Server Team (ubuntu-server)
Steve Langasek (vorlon) on 2016-04-29
Changed in ipmitool (Ubuntu):
status: Incomplete → New
status: New → Incomplete
Nish Aravamudan (nacc) on 2016-07-06
description: updated
Changed in ipmitool (Ubuntu):
status: Incomplete → New
Michael Terry (mterry) on 2016-07-06
Changed in ipmitool (Ubuntu):
assignee: Ubuntu Server Team (ubuntu-server) → Jamie Strandboge (jdstrand)
Adam Conrad (adconrad) wrote :

It's probably worth noting (on this oddly-stalled MIR...) that, despite ipmitool being in universe, it would be a complete lie to claim that Canonical doesn't already support it. We've patched it quite heavily here and there for both paying customer and community bugs, we use it quite heavily internally, and recommend it often externally. The part where it's managed to continue living in universe is really just a side-effect of none of its dependencies making it to main until now, not an explicit statement of support.

Tyler Hicks (tyhicks) on 2016-08-30
Changed in ipmitool (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote :

Probably the md5.c results from cppcheck are false positives. I haven't looked. Even with those discounted, it's noisier than usual.

Seth Arnold (seth-arnold) wrote :

The compilation logs are extremely messy. Of these warnings, 90% are security-relevant. This is much worse than usual.

Thanks

Seth Arnold (seth-arnold) wrote :

On the one hand, ipmi usually works on segregated networks because the implementation of ipmi on baseband controllers and NICs are usually pretty poor, so the risks may be limited. On the other hand, the compilation warnings are telling a story of a project that might have been Good Enough fifteen years ago, but looks unloved today.

Ideally we wouldn't promote this to main until someone cleans up the warnings. The compiler is giving hundreds of concrete suggestions to improve the code quality.

Thanks

Seth Arnold (seth-arnold) wrote :

After considering the long list of compiler warnings:

Security team NAK for promoting ipmitool to main. It's simply speaking too risky for our team to take on in a formal capacity. Feel free to consider re-opening if upstream drastically reduces the compiler warnings.

Thanks

Changed in ipmitool (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
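The NAK above rests on the volume of compiler warnings in the build log. As an added illustration (not code from the bug report, the security team, or the ipmitool project), the POSIX shell script below triages such a log the way a package reviewer would: it counts gcc warnings per -W flag and reports how many fall into categories that are usually read as security-relevant (format strings, missing prototypes, signedness and bounds issues). The sample log lines are constructed for the example, and the list of security-relevant flags is the example's own classification rather than anything stated on this bug.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the ipmitool project:
# triage a gcc build log by tallying warnings per -W flag and separating the
# categories a package reviewer would usually treat as security-relevant.

# Constructed sample build log (gcc warning format); paths, line numbers and
# messages are invented for illustration only.
sample_log() {
    cat <<'EOF'
src/example.c:10:5: warning: format not a string literal and no format arguments [-Wformat-security]
src/example.c:22:9: warning: implicit declaration of function 'strdup' [-Wimplicit-function-declaration]
src/other.c:40:3: warning: unused variable 'rc' [-Wunused-variable]
src/other.c:55:12: warning: pointer targets in passing argument 1 differ in signedness [-Wpointer-sign]
src/other.c:61:1: warning: control reaches end of non-void function [-Wreturn-type]
src/example.c:70:5: warning: format not a string literal and no format arguments [-Wformat-security]
src/lib/buf.c:15:2: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
src/lib/buf.c:30:9: note: expected 'char *' but argument is of type 'unsigned char *'
EOF
}

# Warning categories read here as security-relevant: format strings, missing
# prototypes (calls made with a guessed signature), memory/bounds and
# truncation issues, signedness mix-ups. This classification is the
# example's own judgement, not the reviewers'.
SECURITY_RELEVANT='format-security implicit-function-declaration return-type pointer-sign sign-compare array-bounds stringop-overflow stringop-truncation'

# Total number of "warning:" lines in the log file $1 (gcc "note:" lines are
# follow-ups to a warning and are not counted separately).
count_warnings() {
    grep -c ' warning: ' "$1" || true
}

# Number of warnings in $1 whose -W flag is listed in SECURITY_RELEVANT.
count_security_relevant() {
    hits=0
    for flag in $SECURITY_RELEVANT; do
        n=$(grep -c "\[-W$flag\]" "$1" || true)
        hits=$((hits + n))
    done
    echo "$hits"
}

# Per-flag tally for $1 as "<count> <flag>", most frequent first, then by name.
tally_warnings() {
    sed -n 's/.* warning: .*\[-W\([A-Za-z0-9=+-]*\)\].*/\1/p' "$1" |
        sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# Integer percentage of warnings in $1 that are security-relevant.
security_share() {
    total=$(count_warnings "$1")
    relevant=$(count_security_relevant "$1")
    if [ "$total" -eq 0 ]; then
        echo 0
    else
        echo $((relevant * 100 / total))
    fi
}

# Stand-alone run: write the constructed log to a temp file and summarise it.
main() {
    log=$(mktemp)
    sample_log > "$log"
    echo "warnings: $(count_warnings "$log")"
    echo "security-relevant: $(count_security_relevant "$log") ($(security_share "$log")%)"
    echo "by flag:"
    tally_warnings "$log"
    rm -f "$log"
}

main
```

To use it on a real build, point the functions at the captured build log (for example the output of `dpkg-buildpackage` redirected to a file) instead of the constructed one; the per-flag tally is the part that tells a reviewer whether the noise is one repeated pattern that is easy to clean up or many distinct problems spread through the code.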
Michael Terry (mterry) on 2017-01-09
Changed in ipmitool (Ubuntu):
status: New → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cluster-glue - 1.0.12-5ubuntu2

---------------
cluster-glue (1.0.12-5ubuntu2) zesty; urgency=medium

  * Drop ipmitool to Suggests, as it's only referenced in one plugin where
    the code already checks and warns if it's not installed (LP: #1576812)

 -- Adam Conrad <email address hidden> Mon, 10 Apr 2017 02:58:13 -0600

Changed in cluster-glue (Ubuntu):
status: New → Fix Released