[MIR] marisa

[Summary]
MIR Team ack to this package.
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: libmarisa0

Recommended TODOs:
- upstream provides tests in test/*, could those be enabled at build time?

[Duplication]
There is no other package in main providing the same functionality.
I mean obviously there are many data-structure helpers, but this one in
particular isn't available elsewhere. It is not a one-off just for
opencc, also librime and libkkc2 are using it which seems reasonable.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
   Depends: libc6 (>= 2.33), libgcc-s1 (>= 3.0), libstdc++6 (>= 5.2)
- has libmarisa-dev which will be auto-promoted, but that has no deps
  other than libmarisa0 itself

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- there are some maintenance artifacts in the tarball, but none seems
  problematic and none goes into the binaries that we will promote.

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

Problems:
- does parse data formats and translate them into the data structures this
  provides. This would usually be done in the context of the user-input which
  doesn't sound like a very critical attach surface. OTOH I don't want to hear
  that e.g. all Ubuntu input boxes can be broken by a special input string or
  such. Therefore I think it is worth to pass this through a security review
  as well.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber (an intend-to-sub by the Desktop Team)
- no translation present, but this is not the Ui but a background feature
- not a python/go package, no extra constraints to consider in that regard

Problems:
- does not have a test suite that runs at build time
  But I think that is covered by the autopkgtests, never the less there is an
  upstream provided test collection, having that on build would be awesome.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place (the version we have synced from
  experimental contains it)
- d/watch is present and looks ok
- Upstream update history slow, but ok (seems more stable than a lack of attention)
- Debian/Ubuntu update history is ok
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- Does not have Built-Using

Problems:
- d/rules isn't the cleanest, but nothing that would block this

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubunt...

Thanks for the review, Christian!

On 2021-02-08 13:42, Christian Ehrhardt  wrote:
> Recommended TODOs:
> - upstream provides tests in test/*, could those be enabled at build
> time?

As far as I can see they are already enabled via dh_auto_test. From the amd64 build log:

PASS: io-test
PASS: trie-test
PASS: base-test
PASS: vector-test
PASS: marisa-test
============================================================================
Testsuite summary for marisa 0.2.6
============================================================================
# TOTAL: 5
# PASS: 5
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0

Indeed Gunnar (seb128 gave me the same hint).
I was distracted by the full page of no-tests entries after dh_auto_test , but you are right it is there.
One todo gone, yet we still wait for security.

I reviewed marisa 0.2.6-3~exp2ubuntu2 as checked into hirsute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

marisa is a trie-based datastructure. There's both a library package and
command line interfaces as well as bindings for ruby, python, and perl.

- CVE History:
  - None in our database
- Build-Depends?
  - chrpath, debhelper-compat, dh-python, perl, pkg-kde-tools,
    python3-all-dev, ruby, ruby-dev, swig
- pre/post inst/rm scripts?
  - automatically-added python stuff
- init scripts?
  - None
- systemd units?
  - None
- dbus services?
  - None
- setuid binaries?
  - None
- binaries in PATH?
  -rwxr-xr-x root/root ./usr/bin/marisa-benchmark
  -rwxr-xr-x root/root ./usr/bin/marisa-build
  -rwxr-xr-x root/root ./usr/bin/marisa-common-prefix-search
  -rwxr-xr-x root/root ./usr/bin/marisa-dump
  -rwxr-xr-x root/root ./usr/bin/marisa-lookup
  -rwxr-xr-x root/root ./usr/bin/marisa-predictive-search
  -rwxr-xr-x root/root ./usr/bin/marisa-reverse-lookup
- sudo fragments?
  - None
- polkit files?
  - None
- udev rules?
  - None
- unit tests / autopkgtests?
  - Pretty extensive; debian/tests/ runs some simple bindings tests, too
- cron jobs?
  - None
- Build logs:
  - Some deprecation warnings in Ruby bindings, not too bad

- Processes spawned?
  - None
- Memory management?
  - Manual-style C++ memory management; it looked good
- File IO?
  - File paths provided by clients; coverity reported a race condition
    between a stat and mmap call, minor issue
- Logging?
  - None
- Environment variable usage?
  - None
- Use of privileged functions?
  - None
- Use of cryptography / random number sources etc?
  - None
- Use of temp files?
  - None
- Use of networking?
  - None
- Use of WebKit?
  - None
- Use of PolicyKit?
  - None

- Any significant cppcheck results?
  - two false positives, nothing else
- Any significant Coverity results?
  - many false positives, one TOCTTOU bug, minor
- Any significant shellcheck results?
  - only results are in debian's tests
- Any significant bandit results?
  - None

The actual trie portion of marisa is pretty involved. We will need to rely
on upstream for support of the computational pieces. The interoperation
portions of marisa are fairly straightforward older-style C++. This
looked fine.

Security team ACK for promoting marisa to main.

Thanks for your review, Seth! With that it will be possible to enable opencc support to ibus-libpinyin (bug #1923187).

Override component to main
libmarisa0 0.2.6-3~exp2ubuntu2 in impish amd64: universe/libs/extra/100% -> main
libmarisa0 0.2.6-3~exp2ubuntu2 in impish arm64: universe/libs/extra/100% -> main
libmarisa0 0.2.6-3~exp2ubuntu2 in impish armhf: universe/libs/extra/100% -> main
libmarisa0 0.2.6-3~exp2ubuntu2 in impish i386: universe/libs/extra/100% -> main
libmarisa0 0.2.6-3~exp2ubuntu2 in impish ppc64el: universe/libs/extra/100% -> main
libmarisa0 0.2.6-3~exp2ubuntu2 in impish riscv64: universe/libs/extra/100% -> main
libmarisa0 0.2.6-3~exp2ubuntu2 in impish s390x: universe/libs/extra/100% -> main
Override [y|N]? y
7 publications overridden.