[MIR] iwd
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
iwd (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
[Availability]
The package iwd is already in Ubuntu universe.
The package iwd builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https:/
[Rationale]
- The package iwd is required in Ubuntu main to replace wpa as our default wireless service
- The package iwd is required in Ubuntu main no later than Aug 25 due to feature freeze
[Security]
- Had 5 security issues in the past
- http://
- http://
- http://
- https:/
- https:/
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does install a service as /lib/systemd/
Which has the following security features: PrivateTmp=true, NoNewPrivileges
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has a few bugs reported but nothing critical
- Ubuntu https:/
- Debian https:/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log https:/
- The package runs an autopkgtest, and is currently passing on
amd64 arm64 armhf s390x ppc64el, https:/
- The package does not have failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- The package has no important lintian warnings
iwd-1.27# lintian --pedantic
W: iwd source: mismatched-override missing-
W: iwd source: mismatched-override missing-
W: iwd source: mismatched-override missing-
W: iwd source: mismatched-override ... use --no-tag-
W: iwd source: missing-
W: iwd source: missing-
W: iwd source: missing-
W: iwd source: missing-
W: iwd source: missing-
W: iwd source: missing-
W: iwd source: orig-tarball-
W: iwd source: superfluous-
W: iwd source: superfluous-
W: iwd source: superfluous-
P: iwd source: very-long-
P: iwd source: very-long-
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions
- Packaging and build is easy, https:/
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
is at https:/
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- desktop-packages is not yet, but will subscribe to the package before promotion
- This does not use static builds
- The package has been built in the archive more recently than the last
test rebuild
[Background information]
The Package description explains the package well
Upstream Name is iwd
Link to upstream project https:/
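The [Security] checks in the description above (no suid/sgid binaries, no executables in /sbin or /usr/sbin, hardening directives on the service unit) can be verified mechanically. The following is an added example, not part of the original bug report or the iwd packaging; it assumes `dpkg-deb -c` style listing lines, and the sample listing, unit text and file names are constructed.

```python
import configparser

# Constructed sample data (hypothetical package contents, not taken from iwd).
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 2022-05-01 12:00 ./usr/libexec/
-rwxr-xr-x root/root    901232 2022-05-01 12:00 ./usr/libexec/exampled
-rwsr-xr-x root/root     14488 2022-05-01 12:00 ./usr/bin/example-helper
-rwxr-xr-x root/root     22000 2022-05-01 12:00 ./usr/sbin/example-tool
"""
SAMPLE_UNIT = """\
[Unit]
Description=Constructed example daemon

[Service]
ExecStart=/usr/libexec/exampled
PrivateTmp=true
"""

def audit_listing(listing):
    """Return (suid_or_sgid_files, executables_in_sbin) from a tar-style listing."""
    special, sbin = [], []
    for line in listing.strip().splitlines():
        fields = line.split(None, 5)  # mode, owner/group, size, date, time, path
        if len(fields) < 6 or fields[0][0] != "-":
            continue  # skip malformed lines, directories, symlinks, devices
        mode, path = fields[0], fields[5]
        # tar prints setuid/setgid as s or S in the owner/group execute slot
        if mode[3] in "sS" or mode[6] in "sS":
            special.append(path)
        executable = any(mode[i] in "xst" for i in (3, 6, 9))
        if executable and path.startswith(("./sbin/", "./usr/sbin/")):
            sbin.append(path)
    return special, sbin

def unit_hardening(unit_text, wanted=("PrivateTmp", "NoNewPrivileges")):
    """Report which of the wanted [Service] directives are switched on."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # systemd keys are case-sensitive
    cp.read_string(unit_text)
    service = cp["Service"] if cp.has_section("Service") else {}
    truthy = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings
    return {k: service.get(k, "").strip().lower() in truthy for k in wanted}

if __name__ == "__main__":
    print(audit_listing(SAMPLE_LISTING))
    print(unit_hardening(SAMPLE_UNIT))
```

On a real package the listing would come from `dpkg-deb -c <file>.deb` and the unit text from the installed service file.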
CVE References
Changed in iwd (Ubuntu): | |
assignee: | nobody → Lukas Märdian (slyon) |
tags: | added: sec-1040 |
Changed in iwd (Ubuntu): | |
status: | Incomplete → In Progress |
assignee: | Ubuntu Security Team (ubuntu-security) → Camila Camargo de Matos (ccdm94) |
Review for Package: src:iwd
[Summary]
iwd (iNet Wireless Daemon) is a modern, up-and-coming wireless daemon for Linux. It is written by Intel and aims to replace wpa_supplicant for potential benefits in:
- simplification of network management
- faster network discovery
- fast and reliable roaming
- using less system resources
- using features offered by the Linux kernel
- support for enterprise security methods like EAP
- support for kernel asymmetric key rings and trusted platform modules (TPM)
- support for multiple clients
The package is in pretty good shape overall and has been discussed as a replacement for src:wpa since a long time ago (https://discourse.ubuntu.com/t/call-for-testing-improved-wifi-via-iwd/17795, LP: #1872060 and others). It would be nice to have iwd in main as a replacement for wpa.
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: iwd
Specific binary packages built, but NOT to be promoted to main: <None>
Notes:
- The MIR talks about replacing wpa with iwd, could you please specify the plan for this in more detail, e.g. can we demote src:wpa at the same time as promoting src:iwd?
- The src:iwd package contains an embedded source for "ell", but that is not being used during build.
Required TODOs:
#1: describe how/when we will be able to demote src:wpa (wpa_supplicant)
#2: Remove src:iwd from the lto-disabled list: LP: #1956950
And fix the LTO build or put the workaround into the package directly.
#3: get src:ell MIR approved: LP: #1971738
Recommended TODOs:
#4: The package should get a team bug subscriber before being promoted
#5: Double-check if https://bugs.debian.org/1007097 could be a problem
#6: work with upstream/debian to avoid autoconf warnings during build
[Duplication]
There is src:wpa (wpa_supplicant) in main, providing similar functionality. There are some reverse-depends that would need to be adopted, if wpa is demoted:
$ reverse-depends -c main src:wpa
Reverse-Recommends
* geoclue-2.0 (for wpasupplicant)
* network-manager (for wpasupplicant)
Reverse-Depends
* ubuntu-desktop [amd64 arm64 armhf ppc64el]
* ubuntu-desktop-minimal [amd64 arm64 armhf ppc64el]
* ubuntu-desktop-raspi [arm64 armhf]
* ubuntu-server-raspi [arm64 armhf]
Packages without architectures listed are reverse-dependencies in: amd64, arm64, armhf, ppc64el, s390x
[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems:
- Depends on libell0, proposed for MIR: LP: #1971738
[Embedded sources and static linking]
OK:
- no static linking is used
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used (embedded "ell" is unused)
Problems:
- embedded "ell" source present in ell/, but is not being used (d/rules specifies "--enable-external-ell")
[Security]
OK:
- history of CVEs does not look concerning (two of t...