Comment 2 for bug 2002861

Lukas Märdian (slyon) wrote :

Review for Package: src:isc-kea

[Summary]
isc-kea is a DHCP (v4/v6) server replacement for the deprecated isc-dhcp. Kea
seems to be the logical path forward, but we need a migration path for all the
current consumers of isc-dhcp (Server & CLIENT!) and maybe also dnsmasq (to
consolidate all around Kea).

MIR team ACK under the constraint to resolve the below listed required
TODOs and as much as possible having a look at the recommended TODOs.

This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: kea, kea-admin, kea-common, kea-ctrl-agent, kea-dev, kea-dhcp-ddns-server, kea-dhcp4-server, kea-dhcp6-server, kea-doc, python3-kea-connector
Specific binary packages built, but NOT to be promoted to main: None

Notes:
- We need a migration path for all the current consumers of isc-dhcp
(Server & CLIENT!) and maybe also dnsmasq (to consolidate all around Kea):

$ reverse-depends src:isc-dhcp -c main
Reverse-Recommends
* avahi-autoipd (for isc-dhcp-client)
Reverse-Depends
* cloud-init (for isc-dhcp-client)
* network-manager [amd64 arm64 armhf ppc64el s390x]
* ubuntu-minimal [amd64 arm64 armhf ppc64el s390x]
* walinuxagent [amd64 arm64] (for isc-dhcp-client)

$ reverse-depends src:dnsmasq -c main
Reverse-Recommends
* libvirt-daemon-system [amd64 arm64 armhf ppc64el s390x]
* network-manager [amd64 arm64 armhf ppc64el s390x]
Reverse-Depends
* neutron-dhcp-agent (for dnsmasq-utils)
* neutron-dhcp-agent (for dnsmasq-base)

Required TODOs:
#0 State a plan of how to migrate the existing reverse-deps from
   isc-dhcp/dnsmasq. When will we be able to demote isc-dhcp & dnsmasq?
#1 resolve src:log4cplus MIR (LP: #2003549)
#2 avoid pulling in external Mathjax Javascript via kea-docs
   (hooks.html & umls.html via https://cdn.jsdelivr.net)
#3 provide DEP3-autopkgtests (LP: #1863102)
#4 update to most recent version (LP: #1023018, Debian #1023018)
#5 implement symbols tracking for all the .so libraries shipped by kea-common
#6 fix important (wrt. security) /tmp sockets bug (LP: #1863100, Debian: #1014929)

Recommended TODOs:
#7 work with upstream to resolve buildtime warnings (-Wdeprecated-declarations,
   -Warray-bounds, -Wstringop-overread, -Wodr, -Wlto-type-mismatch,
   LD_LIBRARY_PATH) => see below
#8 double check embedded sources (ext/{coroutine,gtest},
   src/lib/{asiodns,asiolink,cryptolink,util}) => seems intentional
   and/or minimal (i.e. not shipped by another package in the archive)
#9 double-check build-time unit tests, dh_auto_test seems to skip most
#10 Fix some lintian warnings (see below):
W: kea-dev: package-name-defined-in-config-h (Debian #733598)
W: kea-doc: privacy-breach-generic [*.html]
I: kea-admin: hardening-no-fortify-functions [*.so]
I: kea-common: no-symbols-control-file [*.so]
X: kea-dhcp4-server: systemd-service-file-missing-hardening-features [*.service]

=============================================
= DETAILS
=============================================

[Duplication]
There are other packages in main providing the same functionality and even more
in universe:
- https://pad.lv/u/isc-dhcp [main]
- https://pad.lv/u/dnsmasq [main]
- https://pad.lv/u/busybox (udhcpd) [main / universe]
- https://pad.lv/u/dibbler [universe]
- https://pad.lv/u/wide-dhcpv6 [universe]
- https://pad.lv/u/bootp [universe]

Problems:
- What is the migration path to reduce the set of supported packages (especially
isc-dhcp and dnsmasq)?
- Kea should probably replace src:isc-dhcp, but how do we replace the
isc-dhcp-client component?

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- other Dependencies to MIR due to this:
  * The kea-common binary shows a dependency on liblog4cplus-2.0.5 (src:log4cplus) via the liblog4cplus-dev build-dependency (bug #2003549)

[Embedded sources and static linking]
OK:
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems:
- embedded source present:
ext/coroutine/
ext/gtest/
src/lib/asiodns/
src/lib/asiolink/
src/lib/cryptolink/
src/lib/util/

[Security]
OK:
- history of CVEs does not look concerning (upstream is handling them properly)
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not deal with system authentication (e.g., pam), etc.
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does integrate arbitrary javascript into the desktop:
kea-doc: usr/share/doc/kea/html/arm/hooks.html & usr/share/doc/kea/html/umls.html ship external MathjaxJS from https://cdn.jsdelivr.net
- does run a daemon as root
- does parse data formats (network packets) from an untrusted source
- does not open a port/socket
- does deal with cryptography (--with-openssl in d/rules)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite will fail the build upon error.
- This does not need special HW for build or test
- no new python2 dependency

Problems:
- does not have a non-trivial test suite that runs as autopkgtest
- many unit-tests seem to be skipped?
Most tests/ directories log something like this during dh_auto_test:
==================
All 0 tests passed
==================

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- the current release is not packaged (2.2.0 -> 2.3.3, about 6 months behind,
see Debian #1023018)
- symbols tracking is not in place: kea-common/kea-dev is shipping a bunch of
public ".so" libraries and their corresponding symlinks, with no symbols
tracking in place
- Lintian warnings:
W: kea-dev: package-name-defined-in-config-h usr/include/kea/config.h (Debian #733598)
W: kea-doc: privacy-breach-generic [<script async="async" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js">] (https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js) [usr/share/doc/kea/html/arm/*.html]
I: kea-admin: hardening-no-fortify-functions [*.so]
I: kea-common: no-symbols-control-file [*.so]
X: kea-dhcp4-server: systemd-service-file-missing-hardening-features [*.service]

[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec
- no use of user nobody
- no use of setuid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems:
- some bug reports of interest:
* https://pad.lv/1863100 (/tmp sockets, seems security relevant, also Debian #1014929)
* https://pad.lv/1863102 (DEP-3 autopkgtests)
* https://bugs.debian.org/1023018 (new upstream version)
- use of LD_LIBRARY_PATH (see src/share/yang/modules/utils/reinstall.sh.in and Changelog)
- Warnings during the build:
* encode/base_n.cc:115:33: warning: ‘template<class _Category, class _Tp, class _Distance, class _Pointer, class _Reference> struct std::iterator’ is deprecated [-Wdeprecated-declarations]
* /usr/include/c++/12/bits/stl_algobase.h:431:30: warning: ‘memcpy’ offset 6 is out of the bounds [0, 6] [-Warray-bounds]
* /usr/include/c++/12/bits/stl_algobase.h:431:30: warning: '__builtin_memcpy' reading 1 or more bytes from a region of size 0 [-Wstringop-overread]
* ../../../src/bin/dhcp4/parser_context.h:35:7: warning: type 'struct Parser4Context' violates the C++ One Definition Rule [-Wodr]
* ../../../src/bin/dhcp4/parser_context.h:114:10: warning: type of 'scanFileBegin' does not match original declaration [-Wlto-type-mismatch]
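
The privacy-breach-generic finding on kea-doc in the review above can be checked across a whole documentation tree. This is an added example, not part of the original review or of the Kea packaging: it lists resources that shipped HTML pages would fetch from a remote host. The function names and the sample page are constructed; only the script tag is taken from the lintian output quoted above.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Tag -> attribute that makes a browser fetch a resource on page load.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link rel=...> values that trigger a fetch (other rel values do not).
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

# Constructed sample page; the <script> tag is the one quoted in the lintian output.
SAMPLE = """<html><head>
<link rel="stylesheet" href="_static/style.css">
<script async="async" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>
</head><body><a href="https://example.org/">a plain hyperlink</a></body></html>"""


class ExternalResourceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url) pairs loaded from a remote host

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        url = (attrs.get(attr) or "").strip()
        # A network location means a remote fetch (also //host/x.js forms).
        if urlparse(url).netloc:
            self.findings.append((tag, url))


def find_external_resources(html_text):
    finder = ExternalResourceFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


def scan_tree(root):
    """Map each *.html file under root to the external resources it loads."""
    pages = {str(p): find_external_resources(p.read_text(errors="replace"))
             for p in sorted(Path(root).rglob("*.html"))}
    return {page: found for page, found in pages.items() if found}
```

Running `scan_tree` over the unpacked package's `usr/share/doc/kea/html` directory gives the per-file list to clear before the docs can be considered free of external fetches.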