[MIR] mir

Bug #1203207 reported by kevin gunn on 2013-07-19
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mir (Ubuntu)
Undecided
Unassigned

Bug Description

Availability: lp:mir, ppa:mir-team/system-compositor-testing
Rationale: Required for Unity System Compositor (MIR bug 1203588)
Security: No known security issues
Quality assurance: no major bugs, one open for consideration of MIR - bug 1203070
UI standards: N/A
Dependencies: All in main except for libglm-dev (MIR bug 1176083), libgoogle-glog-dev (MIR bug 1151844), liblttng-ust-dev (MIR bug 1203589)
Background:

Mir is the new display server planned for introduction into 13.10
unity-system-compositor is a component needed for the xmir configuration to work and leverage Mir for 13.10

These components have been available and are currently being tested as part of the ppa:mir-team/system-compositor-testing
there are no major bugs and its introduction is expected not to interfere with saucy.
the XMir functionality being introduced will allow the X to continue in standalone mode if there is a failure.

kevin gunn (kgunn72) on 2013-07-19
Changed in mir:
assignee: nobody → MIR approval team (ubuntu-mir)
Changed in unity-system-compositor:
assignee: nobody → MIR approval team (ubuntu-mir)
kevin gunn (kgunn72) on 2013-07-19
description: updated
Robert Ancell (robert-ancell) wrote :

Opened bug 1203588 to track MIR for unity-system-compositor

Changed in mir:
assignee: MIR approval team (ubuntu-mir) → nobody
Changed in unity-system-compositor:
assignee: MIR approval team (ubuntu-mir) → nobody
status: New → Invalid
description: updated
description: updated
summary: - [MIR] mir, unity-system-compositor
+ [MIR] mir
description: updated
description: updated
description: updated
description: updated
Daniel van Vugt (vanvugt) wrote :

What is this bug?

Is it a request for packaging? If so it should have tag "needs-packaging", and of course a better description.

Daniel van Vugt (vanvugt) wrote :

Oh... (M)ain (I)nclusion (R)equest

:)

Michael Terry (mterry) on 2013-07-22
no longer affects: unity-system-compositor
Michael Terry (mterry) wrote :

This should probably be a security-approved MIR. (assigning to upstream part of this bug, since LP won't let me assign to the Ubuntu task, as it isn't in Ubuntu yet)

Changed in mir:
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in mir:
assignee: Jamie Strandboge (jdstrand) → nobody
Changed in mir (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Michael Terry (mterry) wrote :

Some comments from a packaging/maintainability perspective:
* You'll need a team bug subscriber in Ubuntu
* Why does libmirprotobuf-dev not ship a pc file? Seems like it should.
* Why is (the unversioned) libmirplatformgraphics.so thrown into the libmirserver0 package?
* I'm uncomfortable with debian/rule's assumption that armhf == android. Is there not a way to make that a run time detection? I assume that's also why tests are disabled for armhf. It would be really nice if we could enable them (which is all the more reason to decouple the android assumption).
* The debian/source_mir.py file does not seem to be installed.
* Nice that you use a tight -V for dh_makeshlibs
* Also nice that tests are run during build

Robert Ancell (robert-ancell) wrote :

* You'll need a team bug subscriber in Ubuntu

Set to ~mir-team:
https://bugs.launchpad.net/~mir-team/+packagebugs

* Why does libmirprotobuf-dev not ship a pc file? Seems like it should.

Because it doesn't contain any headers, just the .proto files. In fact, it probably shouldn't even exist as nothing should need to build against it (it's just a library shared between libmirclient and libmirserver)

* Why is (the unversioned) libmirplatformgraphics.so thrown into the libmirserver0 package?
* I'm uncomfortable with debian/rule's assumption that armhf == android. Is there not a way to make that a run time detection? I assume that's also why tests are disabled for armhf. It would be really nice if we could enable them (which is all the more reason to decouple the android assumption).
* The debian/source_mir.py file does not seem to be installed.
* Nice that you use a tight -V for dh_makeshlibs
* Also nice that tests are run during build

Robert Ancell (robert-ancell) wrote :

Whoops, pressed post too early.

* Why is (the unversioned) libmirplatformgraphics.so thrown into the libmirserver0 package?

It's a module. It should probably go into a module directory.

* I'm uncomfortable with debian/rule's assumption that armhf == android. Is there not a way to make that a run time detection? I assume that's also why tests are disabled for armhf. It would be really nice if we could enable them (which is all the more reason to decouple the android assumption).

See bug 1203004

Robert Ancell (robert-ancell) wrote :

 * The debian/source_mir.py file does not seem to be installed.

Bug 1204284

Michael Terry (mterry) wrote :

> Because it doesn't contain any headers, just the .proto files. In fact, it probably shouldn't even exist as nothing
> should need to build against it (it's just a library shared between libmirclient and libmirserver)

I get that without headers and without a pc file, it's intentionally hard for other packages to use this private library. Maybe it should live in pkglibdir instead of libdir.

> See bug 1203004

This bug deals with the armhf tests, which is good. But could you separately comment on the armhf==android assumption?

Jamie Strandboge (jdstrand) wrote :

The security review is going to take some time and we shouldn't block on it. Assuming everything else is ok, please prepromote and anything the security team finds we'll file as bugs to fix.

Michael Terry (mterry) wrote :

OK, so only things still blocking this are:
* armhf==android shouldn't be assumed
* Tests should run on armhf

(Plus, it should actually enter the archive)

no longer affects: mir
Stephen M. Webb (bregma) wrote :

* armhf==android shouldn't be assumed

This is now bug #1205389.

* Tests should run on armhf

This is now bug #1203004.

Robert Ancell (robert-ancell) wrote :

Also found by xnox that the binary packages libboost-regex-dev and libboost-chrono-dev need to be promoted to main.

Robert Ancell (robert-ancell) wrote :

Actually, we use asio but there's not a libboost-asio-dev, so we do need to depend on libboost-dev

Michael Terry (mterry) wrote :

OK, this is approved from a MIR side. The security review can happen later. And the android/armhf issues will be part of the acceptance criteria for u-s-c being enabled. So either we fix them or we don't end up using Mir.

Changed in mir (Ubuntu):
status: New → Triaged
Didier Roche (didrocks) wrote :
Download full text (3.2 KiB)

as discussed with Jamie, promoting without blocking on the security review. Not changing the bug status on purpose though.

$ ./change-override -c main -S mir
Override component to main
mir 0.0.8+13.10.20130803-0ubuntu1 in saucy: universe/x11 -> main
libmirclient-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
libmirclient-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
libmirclient-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libdevel/optional/100% -> main
libmirclient1 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libs/optional/100% -> main
libmirclient1 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libs/optional/100% -> main
libmirclient1 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libs/optional/100% -> main
libmirprotobuf-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
libmirprotobuf-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
libmirprotobuf-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libdevel/optional/100% -> main
libmirprotobuf0 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libs/optional/100% -> main
libmirprotobuf0 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libs/optional/100% -> main
libmirprotobuf0 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libs/optional/100% -> main
libmirserver-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
libmirserver-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
libmirserver-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libdevel/optional/100% -> main
libmirserver0 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libs/optional/100% -> main
libmirserver0 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libs/optional/100% -> main
libmirserver0 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/libs/optional/100% -> main
mir-demos 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/x11/optional/100% -> main
mir-demos 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/x11/optional/100% -> main
mir-demos 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/x11/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/doc/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/doc/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/doc/optional/100% -> main
mir-doc 0.0.8+13.10.20130803-0ubuntu1 in saucy powerpc: universe/doc/optional/100% -> main
mir-test-tools 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/x11/optional/100% -> main
mir-test-tools 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/x11/optional/100% -> main
mir-test-tools 0.0.8+13.10.20130803-0ubuntu1 in saucy i386: universe/x11/optional/100% -> main
mircommon-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy amd64: universe/libdevel/optional/100% -> main
mircommon-dev 0.0.8+13.10.20130803-0ubuntu1 in saucy armhf: universe/libdevel/optional/100% -> main
mircommon-dev 0.0.8+13.10.20130803...

Read more...

Changed in mir (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Seth Arnold (seth-arnold)
Seth Arnold (seth-arnold) wrote :
Download full text (8.7 KiB)

I reviewed Mir version 0.0.12+13.10.20130926.1-0ubuntu1 as checked into
Saucy. This should not be considered a full security audit, but rather a
quick gauge of code quality.

- Mir is a new display server, intending to replace X11, to rely upon the
  features of high-powered modern graphics hardware available in both
  traditional computers and newfangled handheld devices. By starting over
  with higher demands on hardware and reduced demands on legacy features,
  the intention is to provide a display server that is faster and more
  secure (e.g., preventing mouse grabs and keyboard grabs from preventing
  screen saver lock, or client keypress sniffing, or other annoyances from
  the X11 legacy codebase).
- Build-Depends upon cmake, doxygen, xsltproc, graphviz, boost, protobuf,
  libdrm, libegl1-mesa, libgles2-mesa, libgdm, libglm, libhardware,
  libgoogle-glog, liblttns-ust, libxkbcommon, umockdev, libudev,
  google-mock, valgrind
- No cryptography
- Extensive local networking, no off-machine networking
- Not exactly the usual daemon; does not double-fork(2), setpgid(2) and
  setsid(2) happen via mgg::LinuxVirtualTerminal::open_vt() rather than at
  startup.
- No initscripts
- No dbus
- No setuid
- No sudo
- No cron
- Binaries in /usr/bin/:
  mir_demo_client_flicker
  mir_demo_server_basic
  mir_demo_standalone_input_filter
  mir_stress
  mir_demo_server_shell
  mir_demo_client_multiwin
  mir_demo_client_scroll
  mir_demo_client_fingerpaint
  mir_demo_client_eglplasma
  mir_demo_client_basic
  mir_demo_client_eglflash
  mir_demo_client_egltriangle
- Good test suite
- Fairly messy build logs, several instances of:
  - warning: format '%d' expects argument of type 'int', but argument 4
    has type 'size_t {aka long unsigned int}'
- Many instances of:
  - Warning: no uniquely matching class member found for ...
  - Warning: no matching class member found for
- Lintian errors:
  - E: libmirplatform: postinst-must-call-ldconfig
    usr/lib/x86_64-linux-gnu/libmirplatformgraphics.so
  - E: mir-test-tools: arch-dependent-file-not-in-arch-specific-directory
    usr/bin/mir_stress
- Lintian warnings:
  - (two) W: libmirplatform: shlib-without-versioned-soname
    usr/lib/x86_64-linux-gnu/libmirplatformgraphics.so
    libmirplatformgraphics.so
  - (twelve) W: mir-demos: binary-without-manpage
    usr/bin/mir_demo_client_basic
  - (one) W: mir-doc: embedded-javascript-library
    usr/share/doc/mir-doc/html/jquery.js

- One instance of spawning a subprocess, examples/basic_server.cpp, just
  passes along a command-line argument to system(3); not itself unsafe,
  but might be unsafe in some potential uses of this example.
- Most memory management is handled via C++ safe pointers
- File IO is largely two types: socket parsing and device ioctls, looked safe
- Logging looked safe, lttng toolkit provides nice tracing tools
- Environment variables used: MIR_CLIENT_RPC_REPORT, MIR_SOCKET,
  XDG_CONFIG_HOME, HOME, XDG_CONFIG_DIRS, MIR_BYPASS,
  MIR_SERVER_HOST_SOCKET, ANDROID_ROOT, ANDROID_DATA
- Environment variable use looked safe
- Extensive ioctl use, possible mistake detailed below
- Expects to run with sufficient privileges to manipulate hardware
  devi...

Read more...

Changed in mir (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
Daniel van Vugt (vanvugt) wrote :

Doesn't this count as "fixed" by now?

Michael Terry (mterry) on 2013-10-10
Changed in mir (Ubuntu):
status: Triaged → Fix Committed
Michael Terry (mterry) on 2013-10-10
Changed in mir (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers