[MIR] libcryptx-perl (libmail-dkim-perl dependency)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libcryptx-perl (Ubuntu) | New | Undecided | Miriam España Acebal |
Bug Description
[MIR] libcryptx-perl (libmail-dkim-perl dependency)
Package: libcryptx-perl
[Availability]
The package libcryptx-perl is already in Ubuntu universe.
The package libcryptx-perl builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x (any)
Link to package https:/
[Rationale]
The package libcryptx-perl is required in Ubuntu main for libmail-dkim-perl.
The package libcryptx-perl will not generally be useful for a large part of
our user base, but is important/helpful still because it is required as a runtime dependency by libmail-dkim-perl, which is already in main.
libmail-dkim-perl is a Perl module to cryptographically identify the sender of email (implementing the new Domain Keys Identified Mail (DKIM)), used by spamassassin and amavisd-new. The following changes have been added to libmail-dkim-perl since the version we have released in noble:
1.20230911 2023-09-11 UTC
* Option to add custom tags to generated ARC signatures and seals
1.20230630 2023-06-30 UTC
* Add support for Ed25519 signature types
Thanks to Matthäus Wander @mwander
* Option to add custom tags to generated signatures
The 'Add support for Ed25519' change is the one that requires the use of Crypt::PK::Ed25519, provided by the libcryptx-perl package.
Apparently, no other packages provide similar functionality:
root@Nlib-
libcryptx-perl: /usr/lib/
libcryptx-perl: /usr/share/
The package libcryptx-perl is required in Ubuntu main as soon as possible, since libmail-dkim-perl depends on it and libmail-dkim-perl is already in main.
[Security]
No CVEs/security issues in this software in the past:
- (0) https:/
- (0) https:/
- (0) https:/
No `suid` or `sgid` binaries.
No executables in `/sbin` and `/usr/sbin`.
Package does not install services, timers or recurring jobs.
Package does not open privileged ports (ports < 1024).
Package does not expose any external endpoints.
Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...);
It's a Perl module that provides a self-contained cryptographic toolkit:
CryptX is a self-contained cryptographic toolkit based on https:/
It provides ciphers, block cipher modes, authenticated encryption modes, hash functions, message authentication
codes, public key cryptography, cryptographically secure random number generators, key derivation functions.
The package provides a shared library for this too.
[Quality assurance - function/usage]
The package works well right after the install.
[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and does
not have too many long-term and critical open bugs:
- Ubuntu (1) https:/
- Debian (0) https:/
- Upstream's bug tracker (4) https:/
+ Upstream's repo last activity: https:/
- last commit: in master, Oct 17, 2023
- Issues without answer: 3
- Updated issue/PR: Oct 30, 2023
- last fixed/closed/merged issue: Oct 9, 2023
- last merged PR: Oct 9, 2023
The package has an important/old open bug on upstream, affecting FreeBSD initially:
- SIGILL when calling verify_message (https:/
The package does not deal with exotic hardware we cannot support.
[Quality assurance - testing]
The package runs a test suite on build time, if it fails
it makes the build fail: https:/
dh_auto_test
make -j4 test TEST_VERBOSE=1
make[1]: Entering directory '/<<PKGBUILDDIR>>'
"/usr/bin/perl" -MExtUtils:
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils:
The package runs an autopkgtest (via autodep8 using 'Testsuite: autopkgtest-
that runs essentially the above build-time test suite. It is currently passing on
this list of architectures (amd64, arm64, armhf, i386, ppc64el, s390x): https:/
[Quality assurance - packaging]
debian/watch is present and works.
debian/control defines a correct Maintainer field: Debian Perl Group <email address hidden> ( https:/
This package does not yield massive lintian Warnings, Errors
- recent build log of the package https:/
- full output from `lintian --pedantic`:
#source
❯ lintian -EvIL +pedantic --show-overrides
W: libcryptx-perl: changelog-
W: libcryptx-perl changes: distribution-
I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/
I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/
I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/
I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/
I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/
I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/
I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/
I: libcryptx-perl: typo-in-manual-page octects octets [usr/share/
#binary
❯ lintian -EvIL +pedantic --show-overrides ../libcryptx-
X: libcryptx-perl source: debian-
X: libcryptx-perl source: update-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
X: libcryptx-perl source: very-long-
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies.
The package will not be installed by default.
Packaging and build is easy, link to debian/rules: https:/
[UI standards]
Application is not end-user facing (does not need translation).
[Dependencies]
There are further dependencies not yet in main. Listing them:
- libmath-bigint-perl
+ libscalar-
but the modules provided by libmath-bigint-perl are also provided by perl-modules-5.36 (i.e., /usr/share/
https:/
and Replaces:
https:/
alongside the Provides for that version:
https:/
However, the new version of libmath-bigint-perl in noble-proposed is 2.002000-1, above the one provided by the incoming perl 5.38 transition:
https:/
Maybe version 2.002000-1 will be included in perl 5.40 (scheduled in May 2024,
https:/
[Standards compliance]
This package correctly follows FHS and Debian Policy (4.6.2)
[Maintenance/Owner]
Owning Team will be Ubuntu Server Team.
Team is not yet, but will subscribe to the package before promotion.
This does not use static builds.
This uses vendored code:
- src/ltc : LibTomCrypt: https:/
- src/ltm: LibTomMath: https:/
Both are packaged in Ubuntu: libtomcrypt-dev and libtommath-dev.
This package is not rust based.
A previous version of the package was successfully built during the most recent test rebuild: https:/
[Background information]
The Package description explains the package well.
Upstream Name is CryptX.
Link to upstream project https:/
This has been in the archive since at least 2017 (Bionic, 0.054-1).
It had a bug filed against it in Launchpad, for upgrading Bionic's version: https:/
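As an added illustration (not code from the bug report, from libmail-dkim-perl or from CryptX), this is the Ed25519 DKIM flow for which libmail-dkim-perl pulls in Crypt::PK::Ed25519: the DNS p= tag carries the raw 32-byte public key in base64, and the ed25519-sha256 signature is pure Ed25519 over the SHA-256 of the canonicalized data (RFC 8463). The key, domain, selector and header data are constructed here; the Crypt::PK::Ed25519, Crypt::Digest::SHA256 and MIME::Base64 calls are the documented CryptX/core APIs.

```perl
#!/usr/bin/perl
# Added example: Ed25519 DKIM sign/verify round trip using Crypt::PK::Ed25519
# (libcryptx-perl). Everything below the imports is constructed sample data.
use strict;
use warnings;
use Crypt::PK::Ed25519;
use Crypt::Digest::SHA256 qw(sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

# Signer side: fresh key; the raw public key goes into the DNS TXT record.
my $signer = Crypt::PK::Ed25519->new;
$signer->generate_key;
my $p_tag  = encode_base64($signer->export_key_raw('public'), '');
my $dns_txt = "v=DKIM1; k=ed25519; p=$p_tag";     # constructed record value
print "selector._domainkey.example.test TXT \"$dns_txt\"\n";

# Canonicalized headers plus the DKIM-Signature header with an empty b= tag
# (constructed; a real signer runs the relaxed/simple canonicalization).
my $canon = "from:alice\@example.test\r\nsubject:hello\r\n"
          . "dkim-signature:v=1; a=ed25519-sha256; d=example.test; s=selector; b=";
# ed25519-sha256: hash first, then sign the 32-byte digest with pure Ed25519.
my $sig_b64 = encode_base64($signer->sign_message(sha256($canon)), '');

# Verifier side: only the TXT record, the message and the b= value are known.
sub verify_ed25519_dkim {
    my ($txt, $data, $b64sig) = @_;
    my ($p) = $txt =~ /(?:^|;)\s*p=([A-Za-z0-9+\/=]+)/ or return 0;
    my $raw = decode_base64($p);
    return 0 unless length($raw) == 32;   # reject a malformed key before import
    my $pk = Crypt::PK::Ed25519->new;
    $pk->import_key_raw($raw, 'public');
    return $pk->verify_message(decode_base64($b64sig), sha256($data)) ? 1 : 0;
}

print "good signature: ", verify_ed25519_dkim($dns_txt, $canon, $sig_b64), "\n";
print "tampered data:  ", verify_ed25519_dkim($dns_txt, $canon . "x", $sig_b64), "\n";
```

The length check before import_key_raw is the kind of input validation a verifier wants on DNS-sourced key material, since the p= value is attacker-influenced data.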
Related branches
- Andreas Hasenack: Approve; Canonical Server Reporter: Pending requested
  Diff: 27 lines (+9/-1), 2 files modified: debian/changelog (+7/-0), debian/control (+2/-1)
- Andreas Hasenack: Disapprove; Ubuntu Sponsors: Pending requested; Canonical Server Reporter: Pending requested
  Diff: 1764 lines (+1689/-3), 9 files modified:
  debian/changelog (+9/-0)
  debian/control (+2/-3)
  debian/patches/0001-Revert-Ed25519-Add-test-for-missing-public-key.patch (+94/-0)
  debian/patches/0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch (+496/-0)
  debian/patches/0003-Revert-set-rsa-ed25519-type.patch (+84/-0)
  debian/patches/0004-Revert-added-ed25519-signing-support.patch (+327/-0)
  debian/patches/0005-Revert-added-support-for-verifying-Ed25519-signature.patch (+578/-0)
  debian/patches/0006-Revert-Debian-support-for-ed25519.patch (+93/-0)
  debian/patches/series (+6/-0)
description: updated
Changed in libcryptx-perl (Ubuntu): status: Incomplete → New
description: updated
description: updated
Changed in libcryptx-perl (Ubuntu): assignee: nobody → Christian Ehrhardt (paelzer)
Changed in libcryptx-perl (Ubuntu): assignee: Miriam España Acebal (mirespace) → nobody
Review for Source Package: libcryptx-perl
[Summary]
MIR team NACK until the constraints to resolve listed below are sorted out.
This does need a security review, but we are not there yet so I'll
not yet assign ubuntu-security
@Security - I feel there likely is already a lib doing Ed25519 PK operations
for perl, but failed to find it. Do you happen to know?
List of specific binary packages to be promoted to main: libcryptx-perl
Specific binary packages built, but NOT to be promoted to main: n/a
Required TODOs:
#1 - This duplicates all code in a lib that is itself not in main.
They diverged; this package covers a zillion crypto
functions and we'd only need one.
Please read through the findings below and give it a shot at
resolving it via one of the alternatives (at the end) or some new
options you might bring up.
Come to the MIR meeting with whatever you have found, let us see if anyone
else knows a better option.
[Rationale, Duplication and Ownership]
OK:
- There is no other package in main providing the same functionality.
- A team is committed to own long term maintenance of this package.
- The rationale given in the report seems valid and useful for Ubuntu
Problem:
- In regard to crypto libs you want as few as possible and them being good.
I remember explicitly not wanting tomcrypt back in (LP: #1744072) and
changing dependencies to accommodate that.
Most of libcrypt-* also is in universe, just e.g. libcrypt-openssl-rsa-perl
is in main.
The two things that libmail-dkim-perl uses are:
lib/Mail/DKIM/PublicKey.pm:17:use Crypt::OpenSSL::RSA;
lib/Mail/DKIM/PublicKey.pm:18:use Crypt::PK::Ed25519;
lib/Mail/DKIM/PrivateKey.pm:18:use Crypt::OpenSSL::RSA;
lib/Mail/DKIM/PrivateKey.pm:19:use Crypt::PK::Ed25519;
Of those, Crypt::OpenSSL::RSA is from the mentioned libcrypt-openssl-rsa-perl
which is in main.
So only https://metacpan.org/pod/Crypt::PK::Ed25519 is from libcryptx-perl.
As the name suggests it uses it for Ed25519 public key operations; I failed
to find anything but
https://metacpan.org/dist/Crypt-Ed25519/source/Ed25519.pm
https://www.example-code.com/perl/jwt_create_ed25519.asp
which both are worse.
I can't overcome the feeling that I'm just not enough into perl, but I
feel that might already be part of some already-in-main lib for perl.
I'll put an extra note for the security team if they happen to know.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
all in main already: libcommon-sense-perl libjson-perl
libjson-xs-perl libtypes-serialiser-perl
Note: do not fall for libmath-bigint-perl - while that is in universe
it is also (nowadays) provided by src:perl itself and therefore
not a component mismatch to resolve.
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems:
- well, it depends on how we want to look at it.
It says it is libtomcrypt, but it is not linking to it.
It is all local C code.
[Embedded sources and static linking]
OK:
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra...