[MIR] open-isns

Bug #1689963 reported by Nish Aravamudan on 2017-05-10
Affects: open-isns (Ubuntu) | Importance: Undecided | Assigned to: Mathieu Trudel-Lapierre

Bug Description

[Availability]
 * open-isns has been in Ubuntu since Yakkety in universe and has successfully built on all supported architectures.

[Rationale]
 * open-iscsi has switched its upstream source from using a local copy of isns (internet storage name service) code to using what is available on the build system.
 * This adds a new build-dependency (libisns-dev) which I believe can stay in universe, but the binary package dependencies (libisns-nocrypto0-udeb libisns0) need to be promoted to main as open-iscsi is in main.

[Security]
 * There have been no reported CVEs for open-isns.
   - There are two CVEs for isns.c in the CVE tracker:
     + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0743
     + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2221
   - These relate to tgt's support for iSNS not to open-isns.

[Quality assurance]
 * The relevant binary packages from open-isns for this MIR are library packages, which are usable immediately after installation.
 * No debconf questions are asked during installation.
 * There are no long-term outstanding bugs which affect the usability of libisns.
 * There are no important bugs in Debian or Ubuntu bug trackers:
   - https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;src=open-isns
   - https://bugs.launchpad.net/ubuntu/+source/open-isns
 * The upstream bug tracker refers to open-isns self-tests not passing, but I need to investigate this further.
   - https://github.com/open-iscsi/open-isns/issues

 * The package is well-maintained in Debian (and synced to Ubuntu currently).
 * The package does not deal with exotic hardware.
 * The package does have a test suite. I will investigate if it can run during the build; it does not appear to currently.
 * The package uses a debian/watch file.

[Dependencies]
 * All of the package dependencies for the two binaries to move to main are already in main.

[Standards compliance]
 * The package is compliant with Debian and FHS policies.

[Maintenance]
 * The Ubuntu Server Team will be subscribed to the package.

There's a subscriber and the package generally looks fine; modulo looking to see if tests can be run at build time.

However, since this is for iSNS, name services tend to be security-sensitive and there is some CVE history (not for open-isns specifically, but...) for iSNS on Linux (for tgt specifically); I would like there to be a security review.

Changed in open-isns (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
milestone: none → ubuntu-17.05

On Fri, May 12, 2017 at 1:00 PM, Mathieu Trudel-Lapierre
<email address hidden> wrote:
> There's a subscriber and the package generally looks fine; modulo
> looking to see if tests can be run at build time.

I've got a patch locally that does seem to do this, but the tests
fail, because I think they require open-isns-server (specifically
isnsd and its configuration files) to be installed. So I'm not sure we
can run them during the build properly.

But we should run the self-tests in an autopkgtest (which I don't
think currently is happening). I will work on that at least.

> However, since this is for iSNS, name services tend to be security-
> sensitive and there is some CVE history (not for open-isns specifically,
> but...) for iSNS on Linux (for tgt specifically); I would like there to
> be a security review.

Agreed.

Nish Aravamudan (nacc) wrote :

The linked MR adds a DEP8 test (which passes locally on amd64) for the upstream test suite. I've asked for Mathieu to review it before I upload, but it does seem sane (I've pushed all the upstream changes upstream as GitHub PRs as well) -- I had to skip one test, because I really don't understand what it's trying to do (and it might rely on something from microsoft).

Christian Seiler (christian-w) wrote :

Hi,

I'm one of the Debian Maintainers of open-isns and I just saw this bug here because I saw the upstream pull request for the fixes to the test suite. First of all: thanks for improving the package. The main reason I've packaged that is because it was split out of open-iscsi, and I'm not really a user of iSNS itself.

I would like to keep any diff between Debian and Ubuntu to a minimum - ideally there'd be no diff at all. I'd also be happy to include any Ubuntu-specific changes in the upstream Debian package. The upstream test suite you've added to DEP-8 appears to be something that would also be useful to run in Debian. If it's OK with you I'd like to review the changes you made in this regard and include them in the Debian package itself.

Apart from that: a short comment on what you wrote in the "Quality Assurance" part of this report:

> * No debconf questions are asked during installation.

This is not entirely true: no debconf questions are asked when installing the library packages themselves in the current Debian package, but because how the software works, the discovery daemon (pkg:open-isns-discoveryd) and the server itself (pkg:open-isns-server) will indeed ask debconf questions on installation and removal. That said: if you have any ideas how to handle that without debconf questions, I'd be open to hearing that. (In Debian we're now at the beginning of the next release cycle, so it'd be no problem at all to change the behavior.)

Regards,
Christian

Nish Aravamudan (nacc) wrote :

On 21.06.2017 [04:32:18 -0000], Christian Seiler wrote:
> Hi,
>
> I'm one of the Debian Maintainers of open-isns and I just saw this bug
> here because I saw the upstream pull request for the fixes to the test
> suite. First of all: thanks for improving the package. The main reason
> I've packaged that is because it was split out of open-iscsi, and I'm
> not really a user of iSNS itself.

Of course! To be honest, neither am I, beyond knowing what the
technology is supposed to do :)

> I would like to keep any diff between Debian and Ubuntu to a minimum -

100% on board. To be clear, my next step once I get the change into
Ubuntu was an immediate submittodebian (and also why I sent it upstream
first, I'm hoping I can prod Lee to do a new release with the passing
test suite).

> ideally there'd be no diff at all. I'd also be happy to include any
> Ubuntu-specific changes in the upstream Debian package. The upstream
> test suite you've added to DEP-8 appears to be something that would also
> be useful to run in Debian. If it's OK with you I'd like to review the
> changes you made in this regard and include them in the Debian package
> itself.

Yep, absolutely! Like I said above, that was my plan as well. I see no
benefit to Ubuntu running tests that Debian doesn't :)

> Apart from that: a short comment on what you wrote in the "Quality
> Assurance" part of this report:
>
> > * No debconf questions are asked during installation.
>
> This is not entirely true: no debconf questions are asked when
> installing the library packages themselves in the current Debian

You are right, I should have made that more clear. The only binary
packages that need to be in main for this MIR are: libisns-dev
libisns-nocrypto0-udeb libisns0 as documented at
http://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.
The open-isns daemon/server packages will continue to live in universe.

> package, but because how the software works, the discovery daemon (pkg
> :open-isns-discoveryd) and the server itself (pkg:open-isns-server) will
> indeed ask debconf questions on installation and removal. That said: if
> you have any ideas how to handle that without debconf questions, I'd be
> open to hearing that. (In Debian we're now at the beginning of the next
> release cycle, so it'd be no problem at all to change the behavior.)

I'm happy to take a look at this, though! I'll put it on my backlog to
look at this cycle :)

Emily Ratliff (emilyr) wrote :

Since this code was in main as part of the open-iscsi package in xenial, the security team is going to ack it without requiring a full review.

Changed in open-isns (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Mathieu Trudel-Lapierre (cyphermox)

There's some work being done to include the tests in DEP-8 or otherwise, so I think we're good to move open-isns to main now; MIR approved.

Changed in open-isns (Ubuntu):
status: New → Fix Committed
milestone: ubuntu-17.05 → ubuntu-17.07

Matthias Klose (doko) wrote :

promoted

Changed in open-isns (Ubuntu):
status: Fix Committed → Fix Released