[MIR] libdex

Bug #2066262 reported by Jeremy Bícha
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libdex (Ubuntu)
New
Undecided
Ubuntu Security Team

Bug Description

[Availability]
The package libdex is already in Ubuntu universe.
The package libdex build for the architectures it is designed to work on.
It currently builds and works for all Ubuntu architectures.
Link to package https://launchpad.net/ubuntu/+source/libdex

[Rationale]
- The package libdex is required in Ubuntu main because it is a runtime dependency of sysprof (MIR LP: #2066269)
- There is no other/better way to solve this that is already in main or should go universe->main instead of this.
- The package libdex is required in Ubuntu main no later than August 15 due to a Ubuntu Desktop goal of including sysprof in the default 24.10 install

[Security]
- No CVEs/security issues in this software in the past
+ Note that CVE-2016-3758 is about a vulnerability in Android's libdex which is a completely different project with no shared history or functionality. GNOME libdex was not created until 2022.
+ https://security-tracker.debian.org/tracker/source-package/libdex
+ https://ubuntu.com/security/cves?package=libdex

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)
- TODO: I noticed that libdex uses liburing which uses the Linux kernel io_uring interface. Wikipedia points out that io_uring is a frequent source of bugs in the Linux kernel. I don't know if this matters for apps using liburing, but I think the Security Team should have a look. libdex does have a build-time option to disable liburing in cases where it is unavailable (for instance it's disabled on i386 since Ubuntu currently doesn't build liburing on i386).

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libdex/
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libdex
- Upstream https://gitlab.gnome.org/GNOME/libdex/-/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, link to build log
https://launchpad.net/ubuntu/+source/libdex/0.6.1-1

- The package does not run an autopkgtest. See next lines.

- This package is minimal and will be tested in a more wide reaching solution.
+ libdex is only used by sysprof and gnome-builder. In addition to the existing build tests for libdex, we will also do manual testing for Sysprof and GNOME Builder.

https://wiki.ubuntu.com/DesktopTeam/TestPlans/Sysprof
https://wiki.ubuntu.com/DesktopTeam/TestPlans/GnomeBuilder

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package
https://launchpad.net/ubuntu/+source/libdex/0.6.1-1
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
- Lintian overrides are not present

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions
- Packaging and build is easy, link to debian/rules https://salsa.debian.org/gnome-team/libdex/-/blob/debian/latest/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be Ubuntu Desktop (~desktop-packages) and I have their acknowledgement for that commitment
- The future owning team is not yet subscribed, but will subscribe to the package before promotion

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package has been built in the archive more recently than the last test rebuild

[Background information]
- The Package description explains the package well
- Upstream Name is libdex
- Link to upstream project https://gitlab.gnome.org/GNOME/libdex

Jeremy Bícha (jbicha)
Changed in libdex (Ubuntu):
assignee: nobody → Jeremy Bícha (jbicha)
Jeremy Bícha (jbicha)
description: updated
Changed in libdex (Ubuntu):
status: Incomplete → New
Revision history for this message
Jeremy Bícha (jbicha) wrote :

Running lintian...
W: libdex source: newer-standards-version 4.7.0 (current is 4.6.2)
W: libdex-doc: stray-devhelp-documentation [usr/share/doc/libdex-1/libdex-1.devhelp2]
I: libdex-doc: possible-documentation-but-no-doc-base-registration
P: libdex source: package-does-not-install-examples [examples/]

All of these can be ignored. The latest Debian Policy is 4.7.0 but lintian has not been updated since that version was released. https://tracker.debian.org/pkg/debian-policy

The devhelp warning is a false warning. Many GNOME modules have switched to gi-docgen to build help and it does things differently that the older gtk-doc-tools. The devhelp app was updated to support devhelp2 files being located in this location.

doc-base is a Debianism that I believe to only barely be used.

The examples are built during the build but are intentionally not installed per upstream's meson.build
https://gitlab.gnome.org/GNOME/libdex/-/blob/main/examples/meson.build

Jeremy Bícha (jbicha)
Changed in libdex (Ubuntu):
assignee: Jeremy Bícha (jbicha) → nobody
description: updated
Changed in libdex (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
assignee: Lukas Märdian (slyon) → Ioanna Alifieraki (joalif)
Revision history for this message
Ioanna Alifieraki (joalif) wrote :
Download full text (4.5 KiB)

Review for Source Package: libdex

[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: gir1.2-dex-1, libdex-1-1, libdex-dev, libdex-doc
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:

Overall the package is in pretty good shape.
The only problem is the absence of autpkg tests.
However, the desktop team has worked around it, and has provided plans
to test libdex in the context of sysprof :
https://wiki.ubuntu.com/DesktopTeam/TestPlans/Sysprof
https://wiki.ubuntu.com/DesktopTeam/TestPlans/GnomeBuilder

The current release is not packaged, the bug was opened before the latest release was
released, and I guess it is in your plans to bump the version.

With regards to @jbicha's concern on io_uring security, IMO this is mainly kernel's/liburing
problem, but I agree that security could have a look to rule out any sideffects in this pacakge.

Required TODOs:
1. Please bump to the latest upstream version
2. The package should get a team bug subscriber before being promoted

[Rationale, Duplication and Ownership]
There is no better alternative package in main providing the same functionality.
A team (~desktop-packages) is committed to own long term maintenance of this package.
The rationale given in the report seems valid and useful for Ubuntu

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - libdex checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,

Problems: None

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- This does not need special HW for bui...

Read more...

Changed in libdex (Ubuntu):
assignee: Ioanna Alifieraki (joalif) → nobody
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Jeremy Bícha (jbicha) wrote :

Thank for your review. I believe the latest version of libdex (0.6.1) is present in Ubuntu Oracular. Perhaps you were looking at Ubuntu 24.04 LTS?

Steve Beattie (sbeattie)
tags: added: sec-4617
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.