[MIR] ipmitool

Bug #1576812 reported by Steve Langasek
Affects                 Status         Importance   Assigned to   Milestone
cluster-glue (Ubuntu)   Fix Released   Undecided    Unassigned
ipmitool (Ubuntu)       Won't Fix      Undecided    Unassigned

Bug Description

Availability: ipmitool is in universe in Precise, Trusty and Xenial.

Rationale: ipmitool is a new Recommends of cluster-glue, which is in Main. Additionally, ipmitool is a reasonably common program for systems management, and it makes some sense for it to be in Main.

Security: The security history for the ipmitool package is fairly quiet.

Reviewing CVEs for ipmitool, I found only one relevant one: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4339 which was fixed in Debian.

ipmitool installs one binary to /usr/sbin:

/usr/sbin/ipmievd

and one corresponding service:

/etc/init.d/ipmievd
/lib/systemd/system/ipmievd.service

ipmievd itself is a logging daemon that transfers logs from a BMC to syslog and seems like a low exposure (accounting for the aforementioned CVE).

Quality assurance:

Installation of ipmitool results in an immediately working package. Site-specific options for accessing a BMC may be necessary, but are documented in the man-page.

No debconf questions are asked during installation.

https://bugs.launchpad.net/ubuntu/+source/ipmitool indicates no outstanding long-term bugs exist for ipmitool.

Debian's bug tracker implies no significant bugs exist, excepting possibly related to whether ipmievd should start by default (due to dependencies on particular kernel modules).
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=ipmitool

The upstream bug tracker https://sourceforge.net/p/ipmitool/bugs/?source=navbar mostly contains feature requests.

ipmitool is well-maintained in Debian and Ubuntu.

ipmitool does not ship a test suite; any test suite it shipped would also have strict hardware dependencies, I think.

ipmitool uses a debian/watch file and uscan/uupdate function currently.

I am not sure that the end-user application (ipmitool itself) has been internationalized yet. Nor does there appear to be a desktop file, but ipmitool would primarily be used on servers.

Dependencies:

All build and binary dependencies (including Recommends:) are satisfiable in main.

Standards compliance: The package meets the FHS and Debian Policy standards.

Maintenance: The Ubuntu Server team will maintain this package.

Background information:

The package descriptions correctly explain the general purpose and context of the package.

== Original report ==

cluster-glue has added a recommends: against ipmitool, currently in universe. This looks to me like a reasonable thing to have in main, but needs to go through the MIR process.

cluster-glue is owned by the server team.


Steve Langasek (vorlon)
Changed in ipmitool (Ubuntu):
assignee: nobody → Ubuntu Server Team (ubuntu-server)
Steve Langasek (vorlon)
Changed in ipmitool (Ubuntu):
status: Incomplete → New
status: New → Incomplete
Nish Aravamudan (nacc)
description: updated
Changed in ipmitool (Ubuntu):
status: Incomplete → New
Michael Terry (mterry)
Changed in ipmitool (Ubuntu):
assignee: Ubuntu Server Team (ubuntu-server) → Jamie Strandboge (jdstrand)
Adam Conrad (adconrad) wrote :

It's probably worth noting (on this oddly-stalled MIR...) that, despite ipmitool being in universe, it would be a complete lie to claim that Canonical doesn't already support it. We've patched it quite heavily here and there for both paying customer and community bugs, we use it quite heavily internally, and recommend it often externally. The part where it's managed to continue living in universe is really just a side-effect of none of its dependencies making it to main until now, not an explicit statement of support.

Tyler Hicks (tyhicks)
Changed in ipmitool (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote :

Probably the md5.c results from cppcheck are false positives. I haven't looked. Even with those discounted, it's noisier than usual.

Seth Arnold (seth-arnold) wrote :

The compilation logs are extremely messy. Of these warnings, 90% are security-relevant. This is much worse than usual.

Thanks

Seth Arnold (seth-arnold) wrote :

On the one hand, ipmi usually works on segregated networks because the implementation of ipmi on baseband controllers and NICs are usually pretty poor, so the risks may be limited. On the other hand, the compilation warnings are telling a story of a project that might have been Good Enough fifteen years ago, but looks unloved today.

Ideally we wouldn't promote this to main until someone cleans up the warnings. The compiler is giving hundreds of concrete suggestions to improve the code quality.

Thanks
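
The objection above is made from the build log rather than from the source: the reviewer is counting warnings and judging what share of them point at real bugs. The script below is an added example, not part of this bug and not ipmitool code, showing how a security reviewer can turn a gcc/clang build log into that kind of summary: it parses the standard `file:line:col: warning: message [-Wflag]` shape, collapses duplicates (the same site is often reported once per target that includes a header), and counts how many remaining warnings fall into families that usually indicate memory, format or type bugs. The sample log lines and file names are constructed for this example, and the set of flags treated as security-relevant is an assumption made here, not a classification used by the Ubuntu Security Team.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Standard gcc/clang diagnostic line: file:line:col: warning: message [-Wflag]
WARNING_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): warning: "
    r"(?P<msg>.*?) \[(?P<flag>-W[^\]]+)\]\s*$"
)

# Warning families that usually point at undefined behaviour, memory or
# format-string bugs. This grouping is an assumption made for this example.
SECURITY_RELEVANT_FLAGS = {
    "-Wformat", "-Wformat-overflow", "-Wformat-security",
    "-Warray-bounds", "-Wstringop-overflow", "-Wstringop-truncation",
    "-Wimplicit-function-declaration", "-Wincompatible-pointer-types",
    "-Wuninitialized", "-Wmaybe-uninitialized", "-Wreturn-type",
    "-Wsign-compare", "-Wint-conversion",
}

# Constructed sample log: file names and warnings are invented for this
# example and are not taken from any real ipmitool build.
SAMPLE_LOG = """\
gcc -Wall -Wextra -O2 -c -o src/example.o src/example.c
src/example.c:12:5: warning: format '%d' expects argument of type 'int', but argument 2 has type 'long int' [-Wformat=]
src/example.c:30:9: warning: 'strncpy' output may be truncated copying 16 bytes from a string of length 31 [-Wstringop-truncation]
src/example.c:44:12: warning: unused variable 'rc' [-Wunused-variable]
src/plugin.c:55:3: warning: implicit declaration of function 'helper' [-Wimplicit-function-declaration]
src/plugin.c:60:20: warning: array subscript 40 is above array bounds of 'unsigned char[32]' [-Warray-bounds]
src/plugin.c:71:8: warning: comparison of integer expressions of different signedness [-Wsign-compare]
src/example.c:12:5: warning: format '%d' expects argument of type 'int', but argument 2 has type 'long int' [-Wformat=]
src/plugin.c:90:1: warning: unused parameter 'argc' [-Wunused-parameter]
"""


@dataclass(frozen=True)
class Diag:
    """One compiler warning; frozen so duplicates collapse in a set."""
    file: str
    line: int
    flag: str
    msg: str

    @property
    def security_relevant(self) -> bool:
        # gcc prints "[-Wformat=]" for the -Wformat family; drop the '=' before lookup.
        return self.flag.rstrip("=") in SECURITY_RELEVANT_FLAGS


def parse_warnings(log_text: str) -> list[Diag]:
    """Extract every gcc-style warning line; compiler invocations, notes
    and make output do not match the pattern and are ignored."""
    diags = []
    for raw in log_text.splitlines():
        m = WARNING_RE.match(raw.strip())
        if m:
            diags.append(Diag(m["file"], int(m["line"]), m["flag"], m["msg"]))
    return diags


def summarize(diags: list[Diag]) -> dict:
    """Collapse repeated reports of the same site and count by flag and file."""
    unique = sorted(set(diags), key=lambda d: (d.file, d.line, d.flag))
    sec = [d for d in unique if d.security_relevant]
    return {
        "total": len(unique),
        "security_relevant": len(sec),
        "security_ratio": round(len(sec) / len(unique), 2) if unique else 0.0,
        "by_flag": dict(Counter(d.flag for d in unique)),
        "by_file": dict(Counter(d.file for d in unique)),
    }


def passes_review_gate(summary: dict, max_security_relevant: int = 0) -> bool:
    """Fail while more than the allowed number of security-relevant warnings
    remain. The threshold is a parameter; the bug sets no numeric bar."""
    return summary["security_relevant"] <= max_security_relevant


if __name__ == "__main__":
    report = summarize(parse_warnings(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("review gate:", "pass" if passes_review_gate(report) else "FAIL")
```

Running the script on a real build log (`cat build.log | python3 triage.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) gives a per-file and per-flag breakdown, which is what makes "hundreds of warnings" actionable: the files with the most `-Warray-bounds` and `-Wformat` hits are where a reviewer or upstream contributor would start.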

Seth Arnold (seth-arnold) wrote :

After considering the long list of compiler warnings:

Security team NAK for promoting ipmitool to main. It's simply speaking too risky for our team to take on in a formal capacity. Feel free to consider re-opening if upstream drastically reduces the compiler warnings.

Thanks

Changed in ipmitool (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Michael Terry (mterry)
Changed in ipmitool (Ubuntu):
status: New → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cluster-glue - 1.0.12-5ubuntu2

---------------
cluster-glue (1.0.12-5ubuntu2) zesty; urgency=medium

  * Drop ipmitool to Suggests, as it's only referenced in one plugin where
    the code already checks and warns if it's not installed (LP: #1576812)

 -- Adam Conrad <email address hidden> Mon, 10 Apr 2017 02:58:13 -0600

Changed in cluster-glue (Ubuntu):
status: New → Fix Released
Christian Ehrhardt (paelzer) wrote :

FYI - someone tried upstream, but it wasn't merged https://github.com/ipmitool/ipmitool/issues/13
This effort would need to be re-started and driven to completion.

Seth Arnold (seth-arnold) wrote :

It's a bit hard to follow the issue but I have the impression quite a lot of work has been done on upstream ipmitool. It'd probably be worth revisiting.

Thanks

tags: added: server-triage-discuss
Christian Ehrhardt (paelzer) wrote :
tags: removed: server-triage-discuss yakkety
Christian Ehrhardt (paelzer) wrote :

Back to incomplete for a re-eval but only after known CVEs and improvements (1.8.19) are released.

Changed in ipmitool (Ubuntu):
status: Won't Fix → Incomplete
Christian Ehrhardt (paelzer) wrote :

With the ipmi* support in some of the HA components it might be time to re-evaluate it.

tags: added: server-todo
tags: removed: server-todo
Christian Ehrhardt (paelzer) wrote :

Just an FYI, this MIR effort was re-evaluated in 2022 in bug 1978144.
The TL;DR result - better than before but still not good enough to be promoted to main.

Changed in ipmitool (Ubuntu):
status: Incomplete → Won't Fix