[MIR] openscap

FYI, snapcraft can build from universe just fine. I suspect what you are seeking is official support so openscap can get security support, therefore USNs, therefore cvescan can get snap USN notifications. In terms of an existing stable release, IIRC it is not possible to adjust the override for something in the release pocket, but that is ok: if this is approved then with the first upload to -security we can adjust the override for that source and binary (we could do the same for an SRU to -updates). In terms of the snap USN service, it doesn't care where the package resides; it just cares that there is a USN.

As for which release, cvescan could certainly be ported to 'base: core20', but as of today, core20 is not released yet (there are snaps, but UC20 (and therefore the core20 snap) hasn't been declared officially released yet, so it probably makes sense to hold off on porting. That said, since it doesn't seem like there are any open CVEs yet so I suggest proceeding with this MIR with groovy and focal in mind and porting later. If you still need core18, I then suggest also going back to bionic.

so apparently this package was ftbfs, now fixed by rbalint. Please could you confirm that the package is in the working state?

the oscap from libopenscap8 in groovy proposed runs our a sample of our OVAL files without any problems

[Summary]
MIR Team ack to promote liboepnscap8 and the source (will auto-promote libopensacp-dev).
There are a few suggestions to improve the package (see below), if (ever) more of the package shall be promoted those are s/optional/required/ then.
This does need a security review, so I'll assign ubuntu-security

TODO:
- Please work on converting python-openscap to python3 (not gating the promotion).
- given the low quality (many open issues) this might cause quite some work, so be suer that you want to own this in Ubuntu
- please consider adding symbols tracking
- how about bumping at least groovy to the latest much newer version 1.3.3?
- new -dbg style?
- adopt debhelper >9

There are no massive differences between the releases. So the request to promote in older releases should be ok if the release and SRU team agrees.
I'm sure the archive admins will know if that is allowed.
Bionic: 1.2.15-1ubuntu0.1
Focal: 1.2.16-2ubuntu3
-dev: 1.2.16-2ubuntu5

[Duplication]
There is no other package in main providing the same functionality for SCAP definitions.

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
  The one that is packages has no odd dependencies, so no exclusion needed

Problems:
- other Dependencies to MIR due to this
  - most dependencies are in main already, except one concerning bit
    python-openscap is pure python2
=> That means:
  - you can't promote that binary in >=Focal, do you need it?
    You wrote that you need "libopenscap8" so that might be ok for you
  - Never the less to be safer you should consider working on getting
    it a python3-openscap and drop python-openscap

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
  There is src:openscap-daemon, but no one depends on it
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
  TBH that depends on the user of the lib
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
 - does not deal with system authentication (eg, pam), etc)

Problems:
- does parse data formats

A quick security review on the data parsing bits of the lib would be good, just so it isn't obviously running into classic parsing/buffer issues and such.
Given that it is from a security background one would hope it is fine, but a quick check can't hurt.

[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber (ubuntu-security)
- no translation present, but none needed for this case (user visible)?
- Python package that is using dh_python
- Not a Go package that uses dh-golang

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
- new python2 dependency

This matches your report of an overall low-medium quality.
You will have to own it once promoted and have to be clear to work on all these issues when affecting Ubuntu users.

[Packaging red flags]
OK:
- d/watch is present and looks ok
- Upstream update history is ok, but slow
- Debian/Ubuntu updat...

Just FYI, the newer 1.3 branch has a lot of fixes related to Debian-based distributions, including the test suite, dpkg probe and others. Moreover, this branch is now gated in upstream CI against the latest Ubuntu.

We (OpenSCAP team) tried to contact Debian's maintainer regarding the package upgrade, but there was no response so far.

Evgeny, thanks for the comment. Ideally the Debian maintainer would bring in the new version, but we can leapfrog them if necessary.

Thanks

The MIR text in comment #0 has been updated.

lunar was updated and currently running the latest upstream version (1.3.7+dfsg-1)

@paelzer, is the MIR Team's ACK still valid or does this need a fresh review?

Python2 has been replaced by Python3, but a deprecated version of pcre is being used. Maintainership burden of this package on Security appears high. Security already supports OVAL data for OpenSCAP and should officially maintain the package.

Hi @eslerm
Even being a burden it at least has gotten better than it was (-> pytohn3) and others stayed as-is (use of pcre3 over the newer pcre2).

To be clear, we have no great process or track record of re-evaluating all that already is in main.
Recent additions are much more checked than some added a decade ago :-/
But when asked to re-visit openscap the changes to it would not appear to me as removing the former Ack.

Hi there!

The PCRE -> PCRE2 migration is planned for the near future as all
distros are dropping the first version. Next release probably. The
problem with it is that it changes the behaviour of some expressions
and we have to identify all the places where it could break the
content.

Is there anything else that is cumbersome to maintain?

Also, friendly reminder: patches are welcome upstream (if you have any).

Thanks @paelzer and @evgenyz

I am approaching this MIR from two perspective. Immediately, I am working through the normal MIR security process. Long term I am making notes for how the Security Team can support OpenSCAP. Being on the Ubuntu Security Team, I intend to treat this package the same as if it were sponsored by any other team out of fairness

Nothing is unreasonably cumbersome to maintain this package, but the owning team will likely have many updates to make. If serious feature changes are released in new versions (like PCRE2), my team may make a SRU request.

Very glad to hear about PCRE2 \o/

Setting MIR to incomplete.

There are many open security issues in bug tracker. Shell scripts are likely dangerous. Owning team is aware of this and in contact with upstream.

Before continuing MIR, owning team needs to commit to addressing issues or find an alternative.