[MIR] provd

Bug #2067373 reported by Sebastien Bacher
Affects: provd (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Ubuntu Security Team

Bug Description

[Availability]
- The package provd is already in Ubuntu universe.
- The package provd builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/provd

[Rationale]
- The package provd is required in Ubuntu main for our new 'initial setup' desktop experience
- Package provd covers the same use case as gnome-initial-setup and oem-config, but is better
  because it's more consistent with the rest of our provisioning flow. It also allows us to
  implement Ubuntu-specific functionality like Ubuntu Pro integration without having
  to distro-patch and diverge from an upstream project, which is why we want to replace it.
  The provd package is the backend-side implementation; the UI is provided by the
  ubuntu-desktop-init snap (Flutter frontend).
- We will demote gnome-initial-setup and ubiquity/oem-config as a result
- The binary package provd needs to be in main as it will provide the backend used
  by the Ubuntu Desktop initial setup GUI.

- The package provd is required in Ubuntu main no later than August 15th (oracular feature freeze)

[Security]
- No CVEs/security issues in this software in the past (which is to be expected since it's a new codebase made for Ubuntu which hasn't been used yet)

- it provides `/usr/libexec/sprovd`, which is a `suid` binary used to issue 'pro attach'
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Ubuntu as a Canonical project. It currently has no open bugs on Launchpad and a few non-major ones on GitHub. The package is not in Debian since it's an Ubuntu-specific component.
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/provd/+bug
  - Upstream's bug tracker, https://github.com/canonical/ubuntu-desktop-provision/issues?q=is%3Aissue+is%3Aopen+provd
- The package has currently no important open bugs reported
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite at build time; if it fails,
  it makes the build fail. Link to build log: https://launchpadlibrarian.net/724240568/buildlog_ubuntu-noble-amd64.provd_0.1.2_BUILDING.txt.gz

- The package runs an autopkgtest, and is currently passing on
  amd64 arm64 armhf ppc64el riscv64 s390x, link to test logs https://autopkgtest.ubuntu.com/packages/p/provd

- The package does not have failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is not present because it is a native package

- debian/control defines Ubuntu Developers as Maintainer

- This package only has minor lintian warnings

- Link to a recent build log of the package: https://launchpadlibrarian.net/724240568/buildlog_ubuntu-noble-amd64.provd_0.1.2_BUILDING.txt.gz
- `lintian --pedantic` log

# lintian --pedantic provd_0.1.2_amd64.changes
E: provd source: mail-address-loops-or-bounces Maintainer <email address hidden>
E: provd: mail-address-loops-or-bounces Maintainer <email address hidden>
E: provd-dbgsym: mail-address-loops-or-bounces Maintainer <email address hidden>
E: provd changes: mail-address-loops-or-bounces Maintainer <email address hidden>
W: provd: debian-changelog-has-wrong-day-of-week 2024-04-11 was a Thursday [usr/share/doc/provd/changelog.gz:1]
W: provd source: no-nmu-in-changelog [debian/changelog:1]
W: provd source: source-nmu-has-incorrect-version-number 0.1.2 [debian/changelog:1]

Those are noise or infra issues

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions

- Packaging and build are easy; link to debian/rules: https://github.com/canonical/ubuntu-desktop-provision/blob/main/provd/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be desktop-packages and I have their acknowledgement for that commitment
- The future owning team is already subscribed to the package

- This does not use static builds

TODO: - This package uses vendored Go code tracked in go.sum as shipped in the
  package; refreshing that code is outlined in debian/README.source

- This package is not rust based

- The package has been built in the archive more recently than the last test rebuild

[Background information]
The package description explains the package well
Upstream Name is ubuntu-desktop-provision (it's one repository with different components)
Link to upstream project https://github.com/canonical/ubuntu-desktop-provision/tree/main/provd

Tags: sec-4374
Changed in provd (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Lukas Märdian (slyon) wrote :

Review for Source Package: provd

[Summary]
This is the backend for the Ubuntu "initial setup" provisioning story for Desktop
systems, similar to gnome-initial-setup, but enhanced by Ubuntu Pro components
and others. It's a relatively new Ubuntu native package, supposed to replace
"gnome-initial-setup" and "oem-config" in main.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: provd
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
#0 Generic questions
#0.a Why not ship this as part of the "ubuntu-desktop-init" snap?
     (i.e. together with its frontend)
#0.b Could you please briefly differentiate this tool from cloud-init,
     which is also used as part of the new Desktop installer?
#1 team bug subscriber ~desktop-packages is already subscribed

Required TODOs:
#2 Dependency on "gnome-initial-setup" needs to be dropped
#3 "gnome-initial-setup" & "oem-config" need to be demoted
#4 Improve Go packaging. I'm not an expert here, but I think we should at least have a "Built-Using" in debian/control, to indicate the toolchain that was used to build this
#5 Add a file (debian/README.source) that explains how to refresh the vendored sources
#5.a Please give a rationale why all the vendoring is needed (c.f. recommendation #6)

Recommended TODOs:
#6 Consider using more "golang-*-dev" packages from the archive where possible, indicated by "Static-Built-Using" in debian/control to avoid some vendoring
#7 Consider using more mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...), especially setting suid via systemd
#8 Consider running more complex integration tests as autopkgtest (e.g. integration with the "ubuntu-desktop-init" snap), in addition to the "go test" unit-tests.
#9 Consider fixing some of the lintian warnings (see "Packaging red flags" below)
#10 Consider fixing some of the build-time warnings (see "Upstream red flags" below)

[Rationale, Duplication and Ownership]
- A team is committed to own long term maintenance of this package. (~desktop-packages)
- The rationale given in the report seems valid and useful for Ubuntu

Problems:
- Depends on gnome-initial-setup
- There are other packages in main providing the same functionality.
  => gnome-initial-setup and ubiquity/oem-config (to be demoted)
  => cloud-init (used in desktop-installer) – please differentiate

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - all of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
Problems:
- embedded source present
- static linking
- lacking [S...


Changed in provd (Ubuntu):
assignee: Lukas Märdian (slyon) → Ubuntu Security Team (ubuntu-security)
Lukas Märdian (slyon) wrote :

There are several MIR TODOs for the desktop team in comment #1, but I'm already assigning it to the security team, as I think both topics can be worked on in parallel.

tags: added: sec-4374