[MIR] msgraph

Bug #2060035 reported by Sebastien Bacher
Affects: msgraph (Ubuntu); Status: Confirmed; Importance: Undecided; Assigned to: Ubuntu Security Team

Bug Description

[Availability]
The package msgraph is already in Ubuntu universe.
The package msgraph builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/msgraph

[Rationale]
- The package msgraph is required in Ubuntu main to be able to enable Microsoft OneDrive support in GNOME
- The package msgraph will generally be useful for a large part of our user base

- There is no other/better way to solve this that is already in main or
  should go universe->main instead of this.

- The binary package libmsgraph-0-1 needs to be in main to turn on the onedrive support in gnome-online-accounts

- We would like to enable the onedrive support in 24.04.1 if possible but it's not a hard commitment.

[Security]
- No CVEs/security issues in this software in the past

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Security has been kept in mind and common isolation/risk-mitigation
  patterns are in place utilizing the following features:
  TBD (add details and links/examples about things like dropping
  permissions, using temporary environments, restricted users/groups,
  seccomp, systemd isolation features, apparmor, ...)
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
  it makes the build fail, link to build log https://launchpadlibrarian.net/720553048/buildlog_ubuntu-noble-amd64.msgraph_0.2.1-0ubuntu1_BUILDING.txt.gz

< to be updated once the infra catches up with the recent upload >

- The package runs an autopkgtest, and is currently passing on arm64 ppc64el s390x
  https://autopkgtest.ubuntu.com/packages/m/msgraph
  i386 is failing due to installability issues of other components and isn't a target architecture

- The package does not have failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works

- debian/control defines a correct Maintainer

- This package has minor lintian warnings

# lintian --pedantic msgraph_0.2.1-0ubuntu1_amd64.changes
E: libmsgraph-0-1: custom-library-search-path RUNPATH /usr/lib/x86_64-linux-gnu/libmsgraph [usr/lib/x86_64-linux-gnu/libmsgraph-0.so.0.2.1]
W: libmsgraph-doc: stray-devhelp-documentation [usr/share/doc/msgraph-0/msgraph-0.devhelp2]

The first one is because the upstream project uses an inconsistent naming (libmsgraph vs msgraph), we will add an override
The devhelp one is wrong and it's not an issue in newer versions

- Please link to a recent build log of the package https://launchpadlibrarian.net/720553048/buildlog_ubuntu-noble-amd64.msgraph_0.2.1-0ubuntu1_BUILDING.txt.gz

- Lintian overrides are not present

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions

- Packaging and build is easy, link to debian/rules https://salsa.debian.org/gnome-team/msgraph/-/blob/debian/latest/debian/rules

[UI standards]
- Library is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The future owning team (desktop-packages) is already subscribed to the package

- This does not use static builds

- This does not use vendored code

- This package is not rust based
- The package has been built in the archive more recently than the last
  test rebuild

[Background information]
The Package description explains the package well
Upstream Name is msgraph
Link to upstream project https://gitlab.gnome.org/GNOME/msgraph

Tags: sec-4054
Lukas Märdian (slyon)
Changed in msgraph (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
description: updated
Lukas Märdian (slyon) wrote (last edit ):

Review for Source Package: msgraph

[Summary]
src:msgraph is a fairly new/young package that provides gnome-online-accounts
integration to Microsoft services (e.g. OneDrive), using the MS Graph API.
It's currently pure Ubuntu delta, as it has not been uploaded to Debian yet.
Upstream's initial commit was in February 2024. Overall, the package seems to
be relatively well structured, but didn't have a long history to prove proper
maintenance.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: libmsgraph-0-1
Specific binary packages built, but NOT to be promoted to main: libmsgraph-dev

Notes:
#0 - Official Microsoft Graph SDK alternatives are listed here, but are not packaged in Ubuntu:
https://learn.microsoft.com/en-us/graph/sdks/sdks-overview#supported-languages
#1 - This is a pretty young package, the Desktop team takes responsibility for maintaining it during the LTS cycle, should upstream vanish.
#2 - Asking security review for REST/Json parsing, certificates and centralized online accounts

Required TODOs:
#3 - The package should get a team bug subscriber before being promoted
#4 - should not (build-)depend on libgoa-* => not sure what to do about that, as it's an essential part of this package. I need to consult fellow MIR team members.

Recommended TODOs:
#5 - Consider pushing it into Debian, too.
#6 - Consider fixing "dh_girepository" and "dpkg-gencontrol" build-time warnings,
  to improve packaging (see "[Upstream red flags]" below)

[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality.
A team is committed to own long term maintenance of this package. (~desktop-packages)
The rationale given in the report seems valid and useful for Ubuntu (Microsoft OneDrive support in GNOME)

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- dev/-debug/-doc packages that need exclusion: libmsgraph-dev depends on librest-dev in universe

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content (Not considering MS Graph API as "arbitrary")
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc.)
- does not deal with security attestation (...


Changed in msgraph (Ubuntu):
assignee: Lukas Märdian (slyon) → nobody
status: New → Incomplete
Lukas Märdian (slyon)
Changed in msgraph (Ubuntu):
status: Incomplete → Confirmed
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Lukas Märdian (slyon) wrote (last edit ):

Apparently we don't want to have a runtime dependency on libgoa-* (build-dep is fine).

cpaelzer> slyon: for libgoa - it can be a build dependency, just not a runtime dependency (and not part of the final code, no static linking tricks)
cpaelzer> slyon: but if it is used at build to get stuff done (like test tools, binary mangling helpers, ...) then it does not need to be in main

So could you please elaborate why the libmsgraph-0-1 -> libgoa-1.0-0b runtime dependency is needed and if it could be avoided?

It doesn't make a lot of sense to me, as libgoa-1.0-0b (src:gnome-online-accounts) is in "main" already and seems to be a crucial part here. But we didn't have time to discuss it in depth during today's meeting.

Sebastien Bacher (seb128) wrote :

@Lukas, I don't understand your comment about libgoa-1.0-0b, that's a standard desktop library which is in main forever and gets added to Depends through shlibs, what's the issue with it?

$ ldd -r /usr/lib/x86_64-linux-gnu/libmsgraph-0.so.1 | grep goa
 libgoa-1.0.so.0 => /lib/x86_64-linux-gnu/libgoa-1.0.so.0 (0x0000765dd7566000)

$ grep goa msgraph-0.2.1 -r
...
msgraph-0.2.1/src/msg-goa-authorizer.h:#include <goa/goa.h>
...
msgraph-0.2.1/meson.build:goa_dep = dependency('goa-1.0')
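
The [Security] checklist in the report (no suid/sgid binaries, no executables in /sbin, no services or timers, the lintian RUNPATH finding) and the libgoa exchange above (build-only versus runtime dependency) are all things a reviewer can verify mechanically on the built binary package. The script below is an added example, not code from the MIR report or from the msgraph project; it runs the checks over an unpacked package tree (as produced by `dpkg-deb -x pkg.deb tree`) and reads RUNPATH and DT_NEEDED entries from saved `readelf -d` output. The package tree and the `readelf -d` lines it uses are constructed for the demo, with one deliberate violation per checklist item; on a real package you would run `readelf -d` on the shipped `.so` yourself.

```shell
#!/bin/sh
# Added example (not from the MIR report or msgraph): verify MIR [Security]
# checklist claims against an unpacked binary package tree and decide whether
# a library is a runtime (DT_NEEDED) dependency or only a build-time one.
# The tree and `readelf -d` text built by build_demo_tree are constructed.
set -u

# "no suid or sgid binaries": regular files carrying the setuid/setgid bit.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    return 0
}

# "no executables in /sbin and /usr/sbin": executable regular files there.
find_sbin_execs() {
    find "$1/sbin" "$1/usr/sbin" -type f -perm -0100 2>/dev/null
    return 0
}

# "does not install services, timers or recurring jobs": systemd units,
# timers and cron drop-ins shipped in the package.
find_services() {
    find "$1/lib/systemd" "$1/usr/lib/systemd" "$1/etc/systemd" \
         "$1/etc/cron.d" "$1/etc/cron.daily" "$1/etc/cron.hourly" \
         "$1/etc/cron.weekly" -type f 2>/dev/null
    return 0
}

# RUNPATH/RPATH of a shared object from saved `readelf -d` output; a
# non-empty result is what lintian flags as custom-library-search-path.
elf_runpath() {
    grep -E '\((RUNPATH|RPATH)\)' "$1" | sed 's/.*\[\(.*\)\]/\1/'
    return 0
}

# DT_NEEDED sonames: these turn into Depends via shlibs, so a library that
# is meant to be build-only must not appear here (the libgoa question).
elf_needed() {
    grep '(NEEDED)' "$1" | sed 's/.*\[\(.*\)\]/\1/'
    return 0
}

# Number of findings for one checklist function; 0 means the claim holds.
count_findings() {
    "$1" "$2" | grep -c .
    return 0
}

# Constructed package tree with one deliberate violation of each item.
build_demo_tree() {
    _t=$(mktemp -d)
    mkdir -p "$_t/usr/bin" "$_t/usr/sbin" "$_t/lib/systemd/system" "$_t/usr/lib"
    printf '#!/bin/sh\n' > "$_t/usr/bin/helper"; chmod 4755 "$_t/usr/bin/helper"
    printf '#!/bin/sh\n' > "$_t/usr/sbin/adm";   chmod 0755 "$_t/usr/sbin/adm"
    printf '[Unit]\n' > "$_t/lib/systemd/system/sync.timer"
    # Constructed `readelf -d` lines, in the layout the real tool prints.
    cat > "$_t/usr/lib/libdemo.readelf" <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libgoa-1.0.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib/x86_64-linux-gnu/libmsgraph]
EOF
    echo "$_t"
}

# Stand-alone run: audit the constructed tree and print a summary.
tree=$(build_demo_tree)
for check in find_suid_sgid find_sbin_execs find_services; do
    printf '%s: %s finding(s)\n' "$check" "$(count_findings "$check" "$tree")"
done
printf 'RUNPATH: %s\n' "$(elf_runpath "$tree/usr/lib/libdemo.readelf")"
printf 'NEEDED: %s\n' "$(elf_needed "$tree/usr/lib/libdemo.readelf" | tr '\n' ' ')"
rm -rf "$tree"
```

For a real review, point the three `find_*` functions at the `dpkg-deb -x` tree of libmsgraph-0-1 and feed `readelf -d /usr/lib/x86_64-linux-gnu/libmsgraph-0.so.0` into `elf_needed`: a soname listed there is a hard runtime dependency that shlibs will turn into Depends, which is exactly why `libgoa-1.0.so.0` showing up in `ldd -r` output makes libgoa a runtime rather than build-only dependency.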

Sebastien Bacher (seb128) wrote :

and about #5, the package has been uploaded to Debian NEW a month ago and is waiting for review in the queue

Mark Esler (eslerm)
tags: added: sec-4054
Sebastien Bacher (seb128) wrote (last edit ):

Replying to my previous comment after a chat with Lukas, the reason libgoa was raised as an issue is that the MIR template includes that mention in the 'upstream redflags'

> TODO: - no dependency on webkit, qtwebkit, seed or libgoa-*

I'm assuming that it was because of the libgoa depends on webkitgtk, which was removed in Noble. I've filed https://github.com/canonical/ubuntu-mir/issues/54 about getting libgoa removed from that section.
