[MIR] mosh
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mosh (Ubuntu) | Fix Released | Undecided | Robie Basak |
Bug Description
[Availability]
The package mosh is already in Ubuntu universe.
The package mosh is built for the architectures it is designed to work on.
Link to package [[https:/
[Rationale]
The package mosh will generally be useful for a large part of our (server) user base.
It would be great and useful to community/processes to have the package mosh in Ubuntu main, but there is no definitive deadline. However, the server team's goal is to have the MIR complete by the end of the Lunar cycle.
[Security]
- Had 1 security issue in the past
- https:/
- Binaries installed into /usr/bin: mosh, mosh-client, mosh-server.
- Clearly this package is security sensitive and needs a security review. After using ssh to bootstrap, it communicates directly using UDP, and a compromise there would result in a compromise of the entire system.
- Packaging includes a ufw definition.
[Quality assurance - function/usage]
The package works well right after install.
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open
- Ubuntu https:/
- Debian https:/
- The package does not deal with exotic hardware we cannot support.
- There have been a couple of NMUs but upstream did seem perfectly responsive in fixing maintenance issues upstream in these cases. E.g. https:/
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, build log: https:/
- The package does not run an autopkgtest (TODO).
- The package does not have failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Build log: https:/
- Lintian output:
P: mosh source: insecure-
P: mosh source: package-
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions higher than medium
- Packaging and build is easy, link to d/rules: https:/
[UI standards]
- Application is end-user facing, but translation isn't present. This is presumed OK as it's intended for CLI use only, but as a wrapper for ssh doesn't really have an interface as such, except for errors. Manpages are present but not translated.
- End-user applications without desktop file, not needed because it's intended for CLI use only
[Dependencies]
- No further depends or recommends dependencies that are not yet in main, except for a recommends on libio-socket-
- protobuf-compiler is a Build-Depends and in universe, but this is presumed OK because src:protobuf is in main, as is the resulting binary package dependency libprotobuf23.
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be ~ubuntu-server
- Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built in the archive more recently than the last test rebuild
[Background information]
- The Package description explains the package well
- Upstream Name is mosh
- Link to upstream project: https:/
- Vcs-Git points to the upstream repository but I don't see a specific Debian packaging branch. However, the debian directory matches what is in the upstream branch apart from the latest entry in debian/changelog, so is effectively in "sync" with upstream.
Related branches
- Robie Basak: Pending requested
- Canonical Server packageset reviewers: Pending requested
- Canonical Server Reporter: Pending requested
Diff: 88 lines (+56/-1), 4 files modified:
- debian/changelog (+7/-0)
- debian/control (+2/-1)
- debian/tests/control (+3/-0)
- debian/tests/upstream-tests (+44/-0)
Changed in mosh (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
tags: added: sec-1511

Changed in mosh (Ubuntu):
status: New → In Progress

Changed in mosh (Ubuntu):
assignee: nobody → Robie Basak (racb)
tags: added: server-todo

Changed in mosh (Ubuntu):
assignee: Robie Basak (racb) → Lucas Kanashiro (lucaskanashiro)

Changed in mosh (Ubuntu):
assignee: Sergio Durigan Junior (sergiodj) → Robie Basak (racb)

MIR team: the biggest blocker here will inevitably be the security review I presume will be necessary. I have a couple of outstanding things to fix for the MIR as well, but am filing this now to get this on the security team's list ASAP. I hope this is OK.