[Summary]
isc-kea is a DHCP (v4/v6) server replacement for the deprecated isc-dhcp. Kea
seems to be the logical path forward, but we need a migration path for all the
current consumers of isc-dhcp (Server & CLIENT!) and maybe also dnsmasq (to
consolidate all around Kea).
MIR team ACK under the constraint to resolve the below listed required
TODOs and as much as possible having a look at the recommended TODOs.
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: kea, kea-admin, kea-common, kea-ctrl-agent, kea-dev, kea-dhcp-ddns-server, kea-dhcp4-server, kea-dhcp6-server, kea-doc, python3-kea-connector
Specific binary packages built, but NOT to be promoted to main: None
Notes:
- We need a migration path for all the current consumers of isc-dhcp
(Server & CLIENT!) and maybe also dnsmasq (to consolidate all around Kea):
Required TODOs:
#0 State a plan of how to migrate the existing reverse-deps from
isc-dhcp/dnsmasq. When will we be able to demote isc-dhcp & dnsmasq?
#1 resolve src:log4cplus MIR (LP: #2003549)
#2 avoid pulling in external Mathjax Javascript via kea-docs
(hooks.html & umls.html via https://cdn.jsdelivr.net)
#3 provide DEP3-autopkgtests (LP: #1863102)
#4 update to most recent version (LP: #1023018, Debian #1023018)
#5 implement symbols tracking for all the .so libraries shipped by kea-common
#6 fix important (wrt. security) /tmp sockets bug (LP: #1863100, Debian: #1014929)
Recommended TODOs:
#7 work with upstream to resolve buildtime warnings (-Wdeprecated-declarations,
-Warray-bounds, -Wstringop-overread, -Wodr, -Wlto-type-mismatch,
LD_LIBRARY_PATH) => see below
#8 double check embedded sources (ext/{coroutine,gtest},
src/lib/{asiodns,asiolink,cryptolink,util}) => seems intentional
and/or minimal (i.e. not shipped by another package in the archive)
#9 double-check build-time unit tests, dh_auto_test seems to skip most
#10 Fix some lintian warnings (see below):
W: kea-dev: package-name-defined-in-config-h (Debian #733598)
W: kea-doc: privacy-breach-generic [*.html]
I: kea-admin: hardening-no-fortify-functions [*.so]
I: kea-common: no-symbols-control-file [*.so]
X: kea-dhcp4-server: systemd-service-file-missing-hardening-features [*.service]
Problems:
- What is the migration path to reduce the set of supported packages (especially
isc-dhcp and dnsmasq)?
- Kea should probably replace src:isc-dhcp, but how do we replace the
isc-dhcp-client component?
[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems:
- other Dependencies to MIR due to this:
* The kea-common binary shows a dependency on liblog4cplus-2.0.5 (src:log4cplus) via the liblog4cplus-dev build-dependency (bug #2003549)
[Embedded sources and static linking]
OK:
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
[Security]
OK:
- history of CVEs does not look concerning (upstream is handling them properly)
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
Problems:
- does integrate arbitrary javascript into the desktop:
kea-doc: usr/share/doc/kea/html/arm/hooks.html & usr/share/doc/kea/html/umls.html ship external MathjaxJS from https://cdn.jsdelivr.net
- does run a daemon as root
- does parse data formats (network packets) from an untrusted source
- does not open a port/socket
- does deal with cryptography (--with-openssl in d/rules)
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- This does not need special HW for build or test
- no new python2 dependency
Problems:
- does not have a non-trivial test suite that runs as autopkgtest
- many unit-tests seem to be skipped?
Most tests/ directories log something like this during dh_auto_test:
==================
All 0 tests passed
==================
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- d/rules is rather clean
- It is not on the lto-disabled list
Problems:
- the current release is not packaged (2.2.0 -> 2.3.3, about 6 months behind,
see Debian #1023018)
- symbols tracking is not in place: kea-common/kea-dev is shipping a bunch of
public ".so" libraries and their corresponding symlinks, with not symbols
tracking in place
- Lintian warnings:
W: kea-dev: package-name-defined-in-config-h usr/include/kea/config.h (Debian #733598)
W: kea-doc: privacy-breach-generic [<script async="async" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js">] (https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js) [usr/share/doc/kea/html/arm/*.html]
I: kea-admin: hardening-no-fortify-functions [*.so]
I: kea-common: no-symbols-control-file [*.so]
X: kea-dhcp4-server: systemd-service-file-missing-hardening-features [*.service]
[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec
- no use of user nobody
- no use of setuid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?
Problems:
- some bug reports of interest:
* https://pad.lv/1863100 (/tmp sockets, seems security relevant, also Debian #1014929)
* https://pad.lv/1863102 (DEP-3 autopkgtests)
* https://bugs.debian.org/1023018 (new upstream version)
- use of LD_LIBRARY_PATH (see src/share/yang/modules/utils/reinstall.sh.in and Changelog)
- Warnings during the build:
* encode/base_n.cc:115:33: warning: ‘template<class _Category, class _Tp, class _Distance, class _Pointer, class _Reference> struct std::iterator’ is deprecated [-Wdeprecated-declarations]
* /usr/include/c++/12/bits/stl_algobase.h:431:30: warning: ‘memcpy’ offset 6 is out of the bounds [0, 6] [-Warray-bounds]
* /usr/include/c++/12/bits/stl_algobase.h:431:30: warning: '__builtin_memcpy' reading 1 or more bytes from a region of size 0 [-Wstringop-overread]
* ../../../src/bin/dhcp4/parser_context.h:35:7: warning: type 'struct Parser4Context' violates the C++ One Definition Rule [-Wodr]
* ../../../src/bin/dhcp4/parser_context.h:114:10: warning: type of 'scanFileBegin' does not match original declaration [-Wlto-type-mismatch]
Review for Package: src:isc-kea
[Summary]
isc-kea is a DHCP (v4/v6) server replacement for the deprecated isc-dhcp. Kea
seems to be the logical path forward, but we need a migration path for all the
current consumers of isc-dhcp (Server & CLIENT!) and maybe also dnsmasq (to
consolidate all around Kea).
MIR team ACK under the constraint to resolve the below listed required
TODOs and as much as possible having a look at the recommended TODOs.
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: kea, kea-admin, kea-common, kea-ctrl-agent, kea-dev, kea-dhcp- ddns-server, kea-dhcp4-server, kea-dhcp6-server, kea-doc, python3- kea-connector
Specific binary packages built, but NOT to be promoted to main: None
Notes:
- We need a migration path for all the current consumers of isc-dhcp
(Server & CLIENT!) and maybe also dnsmasq (to consolidate all around Kea):
$ reverse-depends src:isc-dhcp -c main
Reverse-Recommends
* avahi-autoipd (for isc-dhcp-client)
Reverse-Depends
* cloud-init (for isc-dhcp-client)
* network-manager [amd64 arm64 armhf ppc64el s390x]
* ubuntu-minimal [amd64 arm64 armhf ppc64el s390x]
* walinuxagent [amd64 arm64] (for isc-dhcp-client)
$ reverse-depends src:dnsmasq -c main daemon- system [amd64 arm64 armhf ppc64el s390x]
Reverse-Recommends
* libvirt-
* network-manager [amd64 arm64 armhf ppc64el s390x]
Reverse-Depends
* neutron-dhcp-agent (for dnsmasq-utils)
* neutron-dhcp-agent (for dnsmasq-base)
Required TODOs: dhcp/dnsmasq. When will we be able to demote isc-dhcp & dnsmasq? /cdn.jsdelivr. net)
#0 State a plan of how to migrate the existing reverse-deps from
isc-
#1 resolve src:log4cplus MIR (LP: #2003549)
#2 avoid pulling in external Mathjax Javascript via kea-docs
(hooks.html & umls.html via https:/
#3 provide DEP3-autopkgtests (LP: #1863102)
#4 update to most recent version (LP: #1023018, Debian #1023018)
#5 implement symbols tracking for all the .so libraries shipped by kea-common
#6 fix important (wrt. security) /tmp sockets bug (LP: #1863100, Debian: #1014929)
Recommended TODOs: declarations, overread, -Wodr, -Wlto-type- mismatch, ,gtest} , lib/{asiodns, asiolink, cryptolink, util}) => seems intentional name-defined- in-config- h (Debian #733598) breach- generic [*.html] no-fortify- functions [*.so] control- file [*.so] service- file-missing- hardening- features [*.service]
#7 work with upstream to resolve buildtime warnings (-Wdeprecated-
-Warray-bounds, -Wstringop-
LD_LIBRARY_PATH) => see below
#8 double check embedded sources (ext/{coroutine
src/
and/or minimal (i.e. not shipped by another package in the archive)
#9 double-check build-time unit tests, dh_auto_test seems to skip most
#10 Fix some lintian warnings (see below):
W: kea-dev: package-
W: kea-doc: privacy-
I: kea-admin: hardening-
I: kea-common: no-symbols-
X: kea-dhcp4-server: systemd-
======= ======= ======= ======= ======= ======= === ======= ======= ======= ======= ======= ===
= DETAILS
=======
[Duplication] /pad.lv/ u/isc-dhcp [main] /pad.lv/ u/dnsmasq [main] /pad.lv/ u/busybox (udhcpd) [main / universe] /pad.lv/ u/dibbler [universe] /pad.lv/ u/wide- dhcpv6 [universe] /pad.lv/ u/bootp [universe]
There are other packages in main providing the same functionality and even more
in universe:
- https:/
- https:/
- https:/
- https:/
- https:/
- https:/
Problems:
- What is the migration path to reduce the set of supported packages (especially
isc-dhcp and dnsmasq)?
- Kea should probably replace src:isc-dhcp, but how do we replace the
isc-dhcp-client component?
[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems:
- other Dependencies to MIR due to this:
* The kea-common binary shows a dependency on liblog4cplus-2.0.5 (src:log4cplus) via the liblog4cplus-dev build-dependency (bug #2003549)
[Embedded sources and static linking]
OK:
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems:
- embedded source present:
ext/coroutine/
ext/gtest/
src/lib/asiodns/
src/lib/asiolink/
src/lib/cryptolink/
src/lib/util/
[Security]
OK:
- history of CVEs does not look concerning (upstream is handling them properly)
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
Problems: doc/kea/ html/arm/ hooks.html & usr/share/ doc/kea/ html/umls. html ship external MathjaxJS from https:/ /cdn.jsdelivr. net
- does integrate arbitrary javascript into the desktop:
kea-doc: usr/share/
- does run a daemon as root
- does parse data formats (network packets) from an untrusted source
- does not open a port/socket
- does deal with cryptography (--with-openssl in d/rules)
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- This does not need special HW for build or test
- no new python2 dependency
Problems:
- does not have a non-trivial test suite that runs as autopkgtest
- many unit-tests seem to be skipped?
Most tests/ directories log something like this during dh_auto_test:
==================
All 0 tests passed
==================
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- d/rules is rather clean
- It is not on the lto-disabled list
Problems: name-defined- in-config- h usr/include/ kea/config. h (Debian #733598) breach- generic [<script async="async" src="https:/ /cdn.jsdelivr. net/npm/ mathjax@ 3/es5/tex- mml-chtml. js">] (https:/ /cdn.jsdelivr. net/npm/ mathjax@ 3/es5/tex- mml-chtml. js) [usr/share/ doc/kea/ html/arm/ *.html] no-fortify- functions [*.so] control- file [*.so] service- file-missing- hardening- features [*.service]
- the current release is not packaged (2.2.0 -> 2.3.3, about 6 months behind,
see Debian #1023018)
- symbols tracking is not in place: kea-common/kea-dev is shipping a bunch of
public ".so" libraries and their corresponding symlinks, with not symbols
tracking in place
- Lintian warnings:
W: kea-dev: package-
W: kea-doc: privacy-
I: kea-admin: hardening-
I: kea-common: no-symbols-
X: kea-dhcp4-server: systemd-
[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec
- no use of user nobody
- no use of setuid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?
Problems: /pad.lv/ 1863100 (/tmp sockets, seems security relevant, also Debian #1014929) /pad.lv/ 1863102 (DEP-3 autopkgtests) /bugs.debian. org/1023018 (new upstream version) yang/modules/ utils/reinstall .sh.in and Changelog) base_n. cc:115: 33: warning: ‘template<class _Category, class _Tp, class _Distance, class _Pointer, class _Reference> struct std::iterator’ is deprecated [-Wdeprecated- declarations] c++/12/ bits/stl_ algobase. h:431:30: warning: ‘memcpy’ offset 6 is out of the bounds [0, 6] [-Warray-bounds] c++/12/ bits/stl_ algobase. h:431:30: warning: '__builtin_memcpy' reading 1 or more bytes from a region of size 0 [-Wstringop- overread] ./src/bin/ dhcp4/parser_ context. h:35:7: warning: type 'struct Parser4Context' violates the C++ One Definition Rule [-Wodr] ./src/bin/ dhcp4/parser_ context. h:114:10: warning: type of 'scanFileBegin' does not match original declaration [-Wlto- type-mismatch]
- some bug reports of interest:
* https:/
* https:/
* https:/
- use of LD_LIBRARY_PATH (see src/share/
- Warnings during the build:
* encode/
* /usr/include/
* /usr/include/
* ../../.
* ../../.