Ubuntu
libubootenv package

[MIR] libubootenv-tool, libubootenv0.1

Bug #1885142 reported by Dave Jones
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libubootenv (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

[Availability]
The package is already in universe.

[Rationale]
These packages were split from u-boot-tools (already in main) in the last merge to version 2020.04+dfsg-2. As u-boot-tools is used in the boot sequence on all supported Raspberry Pi images, these are now also dependencies that need including in main.

[Security]
There are no open CVEs against u-boot 2020.04.

[Quality assurance]
As mentioned above, the package is already in active use in the Pi boot sequence. There are no outstanding bugs which significantly affect the usability (i.e. our images boot successfully on all supported pi models) and no important bugs open.

There is no meaningful test suite included in the package, but then for a bootloader dealing with a novel platform the ultimate test is "does it boot?", and each update of the package is extensively (manually) tested against the supported models.

[Dependencies]
All dependencies, other than the listed packages (libubootenv-tool and libubootenv0.1 which is now a dependency of libubootenv-tool) are already in main.

[Standards compliance]
No changes; the libubootenv-tool package simply splits off the fw_printenv and fw_setenv binaries which were previously part of u-boot-tools.

[Maintenance]
The package is maintained by the Ubuntu Foundations team.

Christian Ehrhardt  (paelzer)
Changed in u-boot (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

apt-cache show libubootenv-tool | grep -e '^Sou'
Source: libubootenv
apt-cache show libubootenv0.1 | grep -e '^Sou'
Source: libubootenv

 libubootenv0.1 | 0.2-1 | focal/universe | amd64, arm64, armhf, ppc64el, riscv64, s390x
 libubootenv0.1 | 0.2-1 | groovy/universe | amd64, arm64, armhf, ppc64el, riscv64, s390x

 libubootenv-tool | 0.2-1 | focal/universe | amd64, arm64, armhf, ppc64el, riscv64, s390x
 libubootenv-tool | 0.2-1 | groovy/universe | amd64, arm64, armhf, ppc64el, riscv64, s390x

This is and was src:libubootenv - I'm re-targetting the bug from u-boot.

It already shows up in component mismatches:
libubootenv: libubootenv-dev libubootenv-doc libubootenv-tool libubootenv0.1
  [Reverse-Depends: Rescued from libubootenv, libubootenv-tool]
  [Reverse-Recommends: u-boot-tools (MAIN)]

affects: u-boot (Ubuntu) → libubootenv (Ubuntu)
Changed in libubootenv (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → nobody
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The old binary package "u-boot-tools" was part of "src:u-boot".
That binary was in main for a long time already based on the old MIR in bug 692613:

 u-boot-tools | 2011.09-2 | precise | amd64, armel, armhf, i386, powerpc
 u-boot-tools | 2013.10-3 | trusty | amd64, arm64, armhf, i386, powerpc, ppc64el
 u-boot-tools | 2016.01+dfsg1-2ubuntu1 | xenial | amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 u-boot-tools | 2016.01+dfsg1-2ubuntu3 | xenial-security | amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 u-boot-tools | 2016.01+dfsg1-2ubuntu5 | xenial-updates | amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 u-boot-tools | 2016.03+dfsg1-6ubuntu2 | bionic | amd64, arm64, armhf, i386, ppc64el, s390x
 u-boot-tools | 2018.07~rc3+dfsg1-0ubuntu2 | disco | amd64, arm64, armhf, i386, ppc64el, s390x
 u-boot-tools | 2018.07~rc3+dfsg1-0ubuntu3 | disco-updates | amd64, arm64, armhf, i386, ppc64el, s390x
 u-boot-tools | 2019.07+dfsg-1ubuntu3 | eoan | amd64, arm64, armhf, i386, ppc64el, s390x
 u-boot-tools | 2019.07+dfsg-1ubuntu4~18.04.1 | bionic-updates | amd64, arm64, armhf, i386, ppc64el, s390x
 u-boot-tools | 2019.07+dfsg-1ubuntu6 | focal | amd64, arm64, armhf, ppc64el, riscv64, s390x
 u-boot-tools | 2020.04+dfsg-2ubuntu1 | groovy | amd64, arm64, armhf, ppc64el, riscv64, s390x

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The code in the new src:libubootenv was split out from src:u-boot/binary:u-boot-tools
=> https://salsa.debian.org/debian/u-boot/-/commit/4c0c35319da4855b54a651c57be22d9de0740f1a
and had some transition pain, e.g.:
=> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939598

This isn't exactly the same code so it is worth a deeper check (if it would just be a split we could approve on the base of the old MIR).
Fortunately it isn't a lot of code ...

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

More background on the new tools: https://github.com/sbabic/libubootenv

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :
Download full text (3.2 KiB)

[Summary]
This is s small and safe library, mostly based on code that was in main before.
It is ok to be promoted (MIR Team Ack) once the following points are resolved.
Incomplete until those are resolved ...

Required before promotion:
- the foundations-team needs to be subscribed to src:libubootenv.

Optional, but recommended before promotion:
- fix d/watch
- provide a symbols file even for a 0.1 lib if it seems reasonable

[Duplication]
OK:
Function wise this has two purposes:
- library (doesn't exist in other places)
- tools fw_printenv fw_setenv were in u-boot but removed from there.
No duplication issue

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- a -dev packages that seems ok to promote as well

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

Problems:
- does parse data formats, but in a really non introusive way
  and based on u-boot code that already was reviewed and in main.
  That alone doesn't make it need a security review IMHO.

[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider int hat regard
- no new python2 dependency
- No Python/Go package

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest

This is bit weak, but I agree that it is tested in all
the arm/Pi booting implicitly.

- The package has a team bug subscriber
That is a real issue that needs to be fixed before promotion

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- Upstream update history is (good/slow/sporadic)
- Debian/Ubuntu update history is (good/slow/sporadic)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

Problems:
- symbols tracking not applicable for this kind of code.
  Yeah it could be done, but it is intentionally a 0.1 to reflect it isn't stable yet
  Never the less it is almost no cost and helps to realize changes
- d/watch is present and looks ok
  The current entries do not work
  uscan info: Requesting URL:
   https://github.com/sbabic/libubootenv
  uscan info: Matching pattern:
     (?:(?:https://github.com)?\/sbabic\/libubootenv)?.*/v?(\d\S*)\.tar\.gz
  uscan warn: In debian/watch no matching files for watch line
    https://github.com/sbabic/libubootenv .*/v?(\d\S*)\.tar\.gz

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
...

Read more...

Changed in libubootenv (Ubuntu):
status: New → Incomplete
Revision history for this message
Dave Jones (waveform) wrote :

Added patch addressing incorrect d/watch file and missing symbols.

Changed in libubootenv (Ubuntu):
status: Incomplete → In Progress
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Dave - will you submit that to Debian or get a Ubuntu sponsor or .... could you let us know what the plan on this is?

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

sponsored

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I see all this is in groovy, the subscription is made and open issues resolved.
Since it shows up in proposed mismatches we can set this to Fix-Committed and wait for an Archive admin to promote.

Changed in libubootenv (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

$ ./change-override -c main -S libubootenv
Override component to main
libubootenv 0.3-1ubuntu1 in groovy: universe/misc -> main
libubootenv-dev 0.3-1ubuntu1 in groovy amd64: universe/libdevel/optional/100% -> main
libubootenv-dev 0.3-1ubuntu1 in groovy arm64: universe/libdevel/optional/100% -> main
libubootenv-dev 0.3-1ubuntu1 in groovy armhf: universe/libdevel/optional/100% -> main
libubootenv-dev 0.3-1ubuntu1 in groovy ppc64el: universe/libdevel/optional/100% -> main
libubootenv-dev 0.3-1ubuntu1 in groovy riscv64: universe/libdevel/optional/100% -> main
libubootenv-dev 0.3-1ubuntu1 in groovy s390x: universe/libdevel/optional/100% -> main
libubootenv-doc 0.3-1ubuntu1 in groovy amd64: universe/doc/optional/100% -> main
libubootenv-doc 0.3-1ubuntu1 in groovy arm64: universe/doc/optional/100% -> main
libubootenv-doc 0.3-1ubuntu1 in groovy armhf: universe/doc/optional/100% -> main
libubootenv-doc 0.3-1ubuntu1 in groovy i386: universe/doc/optional/100% -> main
libubootenv-doc 0.3-1ubuntu1 in groovy ppc64el: universe/doc/optional/100% -> main
libubootenv-doc 0.3-1ubuntu1 in groovy riscv64: universe/doc/optional/100% -> main
libubootenv-doc 0.3-1ubuntu1 in groovy s390x: universe/doc/optional/100% -> main
libubootenv-tool 0.3-1ubuntu1 in groovy amd64: universe/utils/optional/100% -> main
libubootenv-tool 0.3-1ubuntu1 in groovy arm64: universe/utils/optional/100% -> main
libubootenv-tool 0.3-1ubuntu1 in groovy armhf: universe/utils/optional/100% -> main
libubootenv-tool 0.3-1ubuntu1 in groovy ppc64el: universe/utils/optional/100% -> main
libubootenv-tool 0.3-1ubuntu1 in groovy riscv64: universe/utils/optional/100% -> main
libubootenv-tool 0.3-1ubuntu1 in groovy s390x: universe/utils/optional/100% -> main
libubootenv0.1 0.3-1ubuntu1 in groovy amd64: universe/libs/optional/100% -> main
libubootenv0.1 0.3-1ubuntu1 in groovy arm64: universe/libs/optional/100% -> main
libubootenv0.1 0.3-1ubuntu1 in groovy armhf: universe/libs/optional/100% -> main
libubootenv0.1 0.3-1ubuntu1 in groovy ppc64el: universe/libs/optional/100% -> main
libubootenv0.1 0.3-1ubuntu1 in groovy riscv64: universe/libs/optional/100% -> main
libubootenv0.1 0.3-1ubuntu1 in groovy s390x: universe/libs/optional/100% -> main
Override [y|N]? y
26 publications overridden.

Changed in libubootenv (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.