[MIR] msgraph
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
msgraph (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
[Availability]
The package msgraph is already in Ubuntu universe.
The package msgraph builds for the architectures it is designed to work on.
It currently builds and works on the following architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https:/
[Rationale]
- The package msgraph is required in Ubuntu main to be able to enable Microsoft OneDrive support in GNOME
- The package msgraph will generally be useful for a large part of our user base
- There is no other/better way to solve this that is already in main or
should go universe->main instead of this.
- The binary package libmsgraph-0-1 needs to be in main to turn on the onedrive support in gnome-online-
- We would like to enable the OneDrive support in 24.04.1 if possible, but it's not a hard commitment.
[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Security has been kept in mind and common isolation/
patterns are in place utilizing the following features:
TBD (add details and links/examples about things like dropping
permissions, using temporary environments, restricted users/groups,
seccomp, systemd isolation features, apparmor, ...)
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software
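The [Security] items above (no suid/sgid binaries, nothing in /sbin or /usr/sbin, no services, timers or recurring jobs) are properties of the built binary package that can be verified mechanically rather than asserted. The following is an added example, not part of this MIR report and not code from the msgraph project: a POSIX sh audit that walks an unpacked package tree (for instance the output of `dpkg-deb -R libmsgraph-0-1_*.deb tree`) and reports any file that would contradict those claims. The fixture trees it builds, and the file names in them (`graph-helper`, `graph-sync.timer`), are constructed for the demonstration and are hypothetical.

```shell
#!/bin/sh
# Added example (not from the MIR report or the msgraph package): audit an
# unpacked .deb tree for the properties claimed under [Security].
# Usage: dpkg-deb -R pkg.deb tree && mir_security_audit tree
set -eu

# Print every finding; return 0 when the tree is clean, 1 otherwise.
mir_security_audit() {
    tree=$1
    rc=0

    # 1. setuid / setgid files anywhere in the tree
    hits=$(find "$tree" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'suid/sgid binaries:\n%s\n' "$hits"; rc=1
    fi

    # 2. owner-executable files shipped under /sbin or /usr/sbin
    hits=$(find "$tree/sbin" "$tree/usr/sbin" -type f -perm -100 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'executables in sbin:\n%s\n' "$hits"; rc=1
    fi

    # 3. systemd units (system or user) and cron drop-ins = services/timers/recurring jobs
    hits=$(find "$tree/lib/systemd" "$tree/usr/lib/systemd" "$tree/etc/systemd" \
                -type f \( -name '*.service' -o -name '*.timer' -o -name '*.socket' \) \
                2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'systemd units:\n%s\n' "$hits"; rc=1
    fi
    hits=$(find "$tree/etc/cron.d" "$tree/etc/cron.hourly" "$tree/etc/cron.daily" \
                "$tree/etc/cron.weekly" "$tree/etc/cron.monthly" -type f 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'cron jobs:\n%s\n' "$hits"; rc=1
    fi
    return $rc
}

# Constructed fixture: what a clean library package tree looks like.
make_clean_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/lib/x86_64-linux-gnu"
    : > "$t/usr/lib/x86_64-linux-gnu/libmsgraph-0.so.1"
    chmod 644 "$t/usr/lib/x86_64-linux-gnu/libmsgraph-0.so.1"
    echo "$t"
}

# Constructed fixture: a tree that violates all three checks (hypothetical names).
make_dirty_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/sbin" "$t/lib/systemd/system" "$t/etc/cron.daily"
    : > "$t/usr/sbin/graph-helper";            chmod 4755 "$t/usr/sbin/graph-helper"
    : > "$t/lib/systemd/system/graph-sync.timer"
    : > "$t/etc/cron.daily/graph-sync";        chmod 755 "$t/etc/cron.daily/graph-sync"
    echo "$t"
}

demo=$(make_dirty_tree)
if mir_security_audit "$demo"; then
    echo "clean"
else
    echo "findings listed above: not clean"
fi
rm -rf "$demo"
```

The script reads file modes and paths only, so it runs as an unprivileged user on the extracted tree; it does not cover the "privileged ports" and "external endpoints" items, which are runtime properties and still need a look at the code or a run under `ss -lntp`.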
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log https:/
< to be updated once the infra catches up with the recent upload >
- The package runs an autopkgtest, and is currently passing on arm64 ppc64el s390x
https:/
i386 is failing due to installability issues of other components and isn't a target architecture
- The package does not have failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer
- This package has minor lintian warnings
# lintian --pedantic msgraph_
E: libmsgraph-0-1: custom-
W: libmsgraph-doc: stray-devhelp-
The first one is because the upstream project uses inconsistent naming (libmsgraph vs msgraph); we will add an override
The devhelp one is wrong and it's not an issue in newer versions
- Please link to a recent build log of the package https:/
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions
- Packaging and build is easy, link to debian/rules https:/
[UI standards]
- Library is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The future owning team (desktop-packages) is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built in the archive more recently than the last
test rebuild
[Background information]
The Package description explains the package well
Upstream Name is msgraph
Link to upstream project https:/
Changed in msgraph (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
description: updated
Changed in msgraph (Ubuntu):
status: Incomplete → Confirmed
assignee: nobody → Ubuntu Security Team (ubuntu-security)
tags: added: sec-4054
Review for Source Package: msgraph
[Summary]
src:msgraph is a fairly new/young package, that provides gnome-online-accounts
integration to Microsoft services (e.g. OneDrive), using the MS Graph API.
It's currently pure Ubuntu delta, as it has not been uploaded to Debian yet.
Upstream's initial commit was in February 2024. Overall, the package seems to
be relatively well structured, but didn't have a long history to prove proper
maintenance.
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: libmsgraph-0-1
Specific binary packages built, but NOT to be promoted to main: libmsgraph-dev
Notes:
#0 - Official Microsoft Graph SDK alternatives are listed here, but are not packaged in Ubuntu:
https://learn.microsoft.com/en-us/graph/sdks/sdks-overview#supported-languages
#1 - This is a pretty young package, the Desktop team takes responsibility for maintaining it during the LTS cycle, should upstream vanish.
#2 - Asking security review for REST/Json parsing, certificates and centralized online accounts
Required TODOs:
#3 - The package should get a team bug subscriber before being promoted
#4 - should not (build-)depend on libgoa-* => not sure what to do about that, as it's an essential part of this package. I need to consult fellow MIR team members.
Recommended TODOs:
#5 - Consider pushing it into Debian, too.
#6 - Consider fixing "dh_girepository" and "dpkg-gencontrol" build-time warnings,
to improve packaging (see "[Upstream red flags]" below)
[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality.
A team is committed to own long term maintenance of this package. (~desktop-packages)
The rationale given in the report seems valid and useful for Ubuntu (Microsoft OneDrive support in GNOME)
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- SRCPKG checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends
and Recommends) that are present after build are not in main
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems:
- dev/-debug/-doc packages that need exclusion: libmsgraph-dev depends on librest-dev in universe
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content (Not considering MS Graph API as "arbitrary")
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (...