Comment 1 for bug 2026608

Lukas Märdian (slyon) wrote :

Review for Source Package: lua5.4

[Summary]
The lua5.4 package is supposed to replace the existing lua5.3 package in main.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does not need a security review

List of specific binary packages to be promoted to main: lua5.4, liblua5.4-0
Specific binary packages built, but NOT to be promoted to main: None

Notes:
#0: I feel like this is mostly fine from a security POV, especially as lua5.3
is already covered by Ubuntu's security team. Still assigning ubuntu-security
for a spot check (for lua interpreter parsing code), feel free to just pass it
through.

Required TODOs:
#1: Please outline the migration plan for lua5.3 -> lua5.4.
    Will it all be done in the Mantic cycle? When can we expect to demote 5.3?
#2: does not have a non-trivial test suite that runs as autopkgtest
#3a: does not have a test suite that runs at build time
#3b: test suite failures will not fail the build upon error.
> dh_auto_test
> make -j4 test
> make[1]: Entering directory '/<<PKGBUILDDIR>>'
> make[2]: Entering directory '/<<PKGBUILDDIR>>/src'
> mode=execute -dlopen ./liblua5.4.la ./lua5.4 -v
> /bin/sh: 1: -dlopen: not found
> make[2]: [Makefile:92: test] Error 127 (ignored)
#4: symbols tracking is not in place, is there a specific reason for that?
#5: the current release is not packaged (current: 5.4.6, lagging 1.5 years behind)
#6: debian/rules does lots of stuff, not very clean.
    Generally, I feel like the packaging could need some love, see #7 / #8

Recommended TODOs:
#7: Lintian report:
I: lua5.4 source: debian-control-has-obsolete-dbg-package
I: liblua5.4-0: hardening-no-bindnow
I: liblua5.4-0: no-symbols-control-file
I: lua5.4 source: out-of-date-standards-version 4.5.0
P: liblua5.4-dev: maintainer-script-without-set-e
P: lua5.4 source: package-uses-old-debhelper-compat-version 12
P: lua5.4 source: silent-on-rules-requiring-root
P: lua5.4 source: uses-debhelper-compat-file
#8a: important bugs:
  * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842456
#8b: deprecation warning during build:
> configure.ac:3: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
> configure.ac:3: You should run autoupdate.
> aclocal.m4:114: AC_PROG_LIBTOOL is expanded from...
> configure.ac:3: the top level
#9: The package should get a team bug subscriber before being promoted

[Duplication]
There is no other package in main providing the same functionality.
This is a version bump MIR lua5.3 -> lua5.4. lua5.3 is supposed to be demoted
once dependencies have migrated to lua5.4:
$ reverse-depends src:lua5.3 -c main -r mantic
Reverse-Depends
===============
* apache2-bin (for liblua5.3-0)
* ceph-common [amd64 arm64 armhf ppc64el s390x]
* ceph-mds [amd64 arm64 armhf ppc64el s390x]
* dovecot-core [amd64 arm64 armhf ppc64el s390x]
* grilo-plugins-0.3-base [amd64 arm64 armhf ppc64el s390x]
* haproxy [amd64 arm64 armhf ppc64el s390x]
* ibus-libpinyin [amd64 arm64 armhf ppc64el s390x]
* librgw2 [amd64 arm64 armhf ppc64el s390x]
* libwireplumber-0.4-0 [amd64 arm64 armhf ppc64el s390x]
* radosgw [amd64 arm64 armhf ppc64el s390x]

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems:
- static linking of liblua.a, but that's fine as part of liblua5.4-dev IMO

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- does parse data formats (interpreted code), usually from trusted source,
  also has been in "main" before, so should be fine from a security POV.

[Common blockers]
OK:
- does not FTBFS currently
- This does not need special HW for build or test
- no new python2 dependency
- Not a Python/Go package

Problems:
- does not have a non-trivial test suite that runs as autopkgtest
- does not have a test suite that runs at build time
- test suite failures will not fail the build upon error.
> dh_auto_test
> make -j4 test
> make[1]: Entering directory '/<<PKGBUILDDIR>>'
> make[2]: Entering directory '/<<PKGBUILDDIR>>/src'
> mode=execute -dlopen ./liblua5.4.la ./lua5.4 -v
> /bin/sh: 1: -dlopen: not found
> make[2]: [Makefile:92: test] Error 127 (ignored)

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is slow, but OKish for mature software
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- It is not on the lto-disabled list

Problems:
- symbols tracking is not in place
- the current release is not packaged (5.4.6, 1.5 years behind)
- debian/rules does lots of stuff, not very clean
- Lintian report:
I: lua5.4 source: debian-control-has-obsolete-dbg-package
I: liblua5.4-0: hardening-no-bindnow
I: liblua5.4-0: no-symbols-control-file
I: lua5.4 source: out-of-date-standards-version 4.5.0
P: liblua5.4-dev: maintainer-script-without-set-e
P: lua5.4 source: package-uses-old-debhelper-compat-version 12
P: lua5.4 source: silent-on-rules-requiring-root
P: lua5.4 source: uses-debhelper-compat-file

[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems:
- important bugs:
  * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842456
- deprecation warning during build:
> configure.ac:3: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
> configure.ac:3: You should run autoupdate.
> aclocal.m4:114: AC_PROG_LIBTOOL is expanded from...
> configure.ac:3: the top level
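The review's point #3b is that the `make test` recipe fails with exit status 127 (the shell could not find a command named `-dlopen`, because the libtool wrapper prefix is missing) and make then reports the error as "(ignored)", so dh_auto_test and the whole build still succeed. The following build-log check is an added example written for this comment, not code from the lua5.4 package or the review; it scans a log for silently ignored make errors and pairs each one with the preceding "not found" line, using the excerpt quoted above as constructed sample input.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the dh_auto_test excerpt quoted in the review above.
SAMPLE_LOG = """\
dh_auto_test
make -j4 test
make[1]: Entering directory '/<<PKGBUILDDIR>>'
make[2]: Entering directory '/<<PKGBUILDDIR>>/src'
mode=execute -dlopen ./liblua5.4.la ./lua5.4 -v
/bin/sh: 1: -dlopen: not found
make[2]: [Makefile:92: test] Error 127 (ignored)
"""

# GNU make prints "(ignored)" when a recipe line is prefixed with "-",
# i.e. the failure does not propagate to the caller (here: dh_auto_test).
IGNORED_RE = re.compile(
    r"^make(?:\[\d+\])?: \[(?P<makefile>[^:\]]+):(?P<line>\d+): "
    r"(?P<target>[^\]]+)\] Error (?P<code>\d+) \(ignored\)$"
)
# dash's "command not found" message; exit status 127 follows it.
NOTFOUND_RE = re.compile(r"^/bin/sh: \d+: (?P<cmd>\S+): not found$")


def find_ignored_failures(log: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per ignored make error, with the missing command
    (if a 'not found' line preceded it) attached for easier triage."""
    findings: List[Dict[str, Optional[str]]] = []
    last_missing: Optional[str] = None
    for line in log.splitlines():
        m = NOTFOUND_RE.match(line)
        if m:
            last_missing = m.group("cmd")
            continue
        m = IGNORED_RE.match(line)
        if m:
            record: Dict[str, Optional[str]] = dict(m.groupdict())
            # Exit status 127 is "command not found"; tie it to the message.
            record["missing_command"] = last_missing if m.group("code") == "127" else None
            findings.append(record)
            last_missing = None
    return findings


if __name__ == "__main__":
    for f in find_ignored_failures(SAMPLE_LOG):
        print(f"{f['makefile']}:{f['line']} target '{f['target']}' exited "
              f"{f['code']} but was ignored (missing: {f['missing_command']})")
```

Running it over a real build log (e.g. `python3 check.py < build.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) turns the ignored test failure into a visible finding that a CI job can fail on.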