Review for Source Package: pappl-retrofit [Summary] pappl-retrofit is a wrapper around pappl and cups to turn legacy printer drivers into driver applications, usable in the snap world and elsewhere. The software still seems to be in its early stages, with only beta versions released and plenty of remarks during the review. MIR team NACK (Sorry, this doesn't feel ready for prime-time, yet. We can revisit at a later point in time.) This does need a security review. List of specific binary packages to be promoted to main: legacy-printer-app, libpappl-retrofit Specific binary packages built, but NOT to be promoted to main: None Notes: #0: This runs a daemon as root (without any systemd hardening) and opens a port for a web interface, therefore I'm requesting security review. Required TODOs: - Please explain the FTBFS in a local Mantic sbuild chroot - Please add (non-superficial) build-time (unit tests) and autopkgtests (integration tests) => We're the upstream, so this would be beneficial in multiple ways. - Please consider some security hardening/isolation for the systemd service, or give reason of why it doesn't make sense in this case (see https://github.com/canonical/ubuntu-mir/pull/36) - Provide a stable (non-beta) version, or explain the rationale for shipping beta software Recommended TODOs: - The package should get a team bug subscriber before being promoted [done] - Consider improving the debian/watch file for beta versions - Please explain the plan (if any) for packaging this in Debian - Consider fixing some of the Lintian output listed below - Consider improving the symbols file with some proper version (maybe a after we have a non-beta release) - Consider fixing some of the build-time warnings listed below - Please explain the translation situation in more detail. How can the web-interface be reached? How will it be translated? [Duplication] There is no other package in main providing the same functionality. [Dependencies] OK: - no other Dependencies to MIR due to this - SRCPKG checked with `check-mir` - all dependencies can be found in `seeded-in-ubuntu` (already in main) - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main - no -dev/-debug/-doc packages that need exclusion - No dependencies in main that are only superficially tested requiring more tests now. Problems: None [Embedded sources and static linking] OK: - no embedded source present - does not have unexpected Built-Using entries - not a go package, no extra constraints to consider in that regard - not a rust package, no extra constraints to consider in that regard Problems: - static linking/library: /usr/lib/x86_64-linux-gnu/libpappl-retrofit.a But just as part of the -dev package, which should be fined. [Security] OK: - history of CVEs does not look concerning - does not use webkit1,2 - does not use lib*v8 directly - does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source. => It's parsing some printer driver data, but those are considered trusted. - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does not deal with security attestation (secure boot, tpm, signatures) - does not deal with cryptography (en-/decryption, certificates, signing, ...) Problems: - does run a daemon as root: /usr/sbin/legacy-printer-app (legacy-printer-app.service) - does expose external endpoint (port/socket/... or similar) [Common blockers] OK: - This does not need special HW for build or test - no new python2 dependency - Not a Python package - Not a Go package Problems: - does not have a test suite that runs at build time - does not have a non-trivial test suite that runs as autopkgtest => Only "superficial" tests. - FTBFS on Mantic sbuild: dh_install dh_install: warning: Cannot find (any matches for) "lib/systemd/system/legacy-printer-app.service" (tried in ., debian/tmp) dh_install: warning: legacy-printer-app missing files: lib/systemd/system/legacy-printer-app.service dh_install: error: missing files, aborting make: *** [debian/rules:6: binary] Error 25 dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2 [Packaging red flags] OK: - Upstream update history is good (only two "beta" versions so far) - Debian/Ubuntu update history is good - promoting this does not seem to cause issues for MOTUs that so far maintained the package - debian/rules is rather clean - It is not on the lto-disabled list Problems: - debian/watch is present and looks ok But "uscan --download-current-version" doesn't work due to the ~beta version - Ubuntu does carry a delta (not packaged in Debian), but maintenance under control => probably not needed in Debian (non-snappy?) - symbols tracking is in place, but .symbols file looks funny, declaring beta-version symbols => Should probably be cleaned up - the current release is packaged, but "only" a beta release - some Lintian warnings (lintian -EvIL +pedantic *.dsc *.deb): W: libpappl-retrofit1: symbols-file-contains-debian-revision on symbol _PRCUPSDeviceUserData@Base and 70 others (libpappl-retrofit.so.1) [symbols] I: pappl-retrofit source: out-of-date-standards-version 4.6.1 (released 2022-05-11) (current is 4.6.2) I: pappl-retrofit source: quilt-patch-missing-description [debian/patches/add-include-cups-sidechannel-h.patch] I: pappl-retrofit source: quilt-patch-missing-description [debian/patches/legacy-printer-app-man-page.patch] I: pappl-retrofit source: superficial-tests [debian/tests/control] I: legacy-printer-app: systemd-service-file-missing-documentation-key [lib/systemd/system/legacy-printer-app.service] X: legacy-printer-app: systemd-service-file-missing-hardening-features [lib/systemd/system/legacy-printer-app.service] [Upstream red flags] OK: - no incautious use of malloc/sprintf (as far as we can check it) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests) - no use of user nobody - no use of setuid / setgid - no important open bugs (crashers, etc) in Debian or Ubuntu - no dependency on webkit, qtwebkit, seed or libgoa-* Problems: - provides a web interface as part of the UI, no .desktop file - No translation present for the web interface - Errors/warnings during the build: FTBFS on Mantic sbuild, locally + configure.ac:60: warning: The macro `AC_PROG_LIBTOOL' is obsolete. + Makefile.am:181: warning: AM_GNU_GETTEXT used but 'po' not in SUBDIRS + pappl-retrofit/cups-backends.c:592:63: warning: pointer ‘device_543’ used after ‘free’ + pappl-retrofit/web-interface.c:41:19: warning: ‘j’ may be used uninitialized