Comment 4 for bug 1892559

Christian Ehrhardt  (paelzer) wrote : Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

[Summary]
From the MIR POV the package is mostly ok. The overall topic of smartcard
usage will need some QA testing to be supportable. Only a bit can be done
in autopkgtest due to the special HW requirements but it would be worth
trying that as well as setting up a test lab with the most common respective HW.

This does need a security review, so I'll assign ubuntu-security

Binaries to promote: libccid

TODOs:

Recommended:
- Tests:
  - Special HW - In general and I guess this is true for all packages here.
    Canonical should get a set of the common (=the want to be supported) devices
    and document those somewhere to make it clear what is regularly tested /
    supported vs what is on "hopefully it works" level.
  - Also please try at least if with vsmartcard-vpicc + vsmartcard-vpcd some
    autopkgtest time testing could be added to some of these packages.
    (I'm not going to repeat this request on all reviews, but overall it is
    important for QA on such a new topic.)
- Add symbols tracking (this is a bit vice versa, it is a lib providing a driver
  to be used in pc/sc, but still auto-detect if things change is good)

Required:
- Please subscribe to the package (usually good to be done now already)

[Duplication]
libccid is used to communicate through PC/SC (also on this MIR) with smart cards.
https://wiki.debian.org/Smartcards holds a nice overview, there are a bunch
of special drivers in other packages (not part of this MIR), but ccid covers
the majority of devices listed.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (libc6, libusb-1.0-0)
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does parse data formats
  The ccid protocol - if ever exploited - would be a very great angle of attack
- does deal with system authentication (e.g., pam, etc.)
  Smartcards can and commonly are used to do auth
- This will need a security review on top of the MIR review

[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard

Problems:
- does have a test suite that runs at build time
  - test suite failures will fail the build upon error.
- does have a test suite that runs as autopkgtest
=> Tests of special HW are hard at build time anyway, but a bit more than
nothing would be great. I suggested an overall test with a set of
meant to be supported cards exercising all the components of this MIR.

- The package has a team bug subscriber
This needs a Team subscriber still, Desktop was mentioned to be that, but it
isn't yet. From experience this is easy to be forgotten later. Also subscribing
now will help to see the influx of bugs on the topic and therefore help to be
sure if you want to own this.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good (regular and only stable updates)
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

Problems:
- symbols tracking is not in place

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks