[MIR] Promote puma to main as a pcs dependency
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
puma (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
[Availability]
The package puma is already in Ubuntu universe.
The package puma builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, s390x, riscv64
Link to package [[https:/
[Rationale]
The package puma is required in Ubuntu main for pcs promotion (LP: #1953341).
Ideally, we expect that puma (and pcs) will be promoted in the "L" development cycle. The idea is to promote only the puma binary.
[Security]
Required links:
https:/
12 CVEs are found. Since this package is in universe, most of those CVEs are not fixed in Ubuntu:
https:/
Searching for "site:www.
https:/
which is actually an issue in action pack (rails).
No `suid` or `sgid` binaries.
No executables in `/sbin` and `/usr/sbin`.
Package does not install services, timers or recurring jobs.
Package does not open privileged ports (ports < 1024).
Package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...).
[Quality assurance - function/usage]
The package works well right after install.
[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and does not have too many
long-term critical bugs open
- Ubuntu https:/
- Debian https:/
The package needs an update in Ubuntu and it will be solved really soon.
The package does not deal with exotic hardware we cannot support.
[Quality assurance - testing]
The package runs a test suite on build time, if it fails
it makes the build fail, link to build log:
The package runs an autopkgtest, and is currently passing on
this list of architectures: amd64, arm64, armhf, ppc64el.
Link to test logs:
https:/
The package does not have failing autopkgtests right now, except on s390x where we have some failures due to the ruby 3.1 transition; tests run against ruby 3.0 fail.
[Quality assurance - packaging]
debian/watch is present and works.
debian/control defines a correct Maintainer field.
Output of `lintian --pedantic` against the source package present in lunar:
W: puma source: unknown-field Ruby-Versions
P: puma source: maintainer-
P: puma source: maintainer-
P: puma source: renamed-tag debian-
P: puma source: spelling-
P: puma source: trailing-whitespace [debian/
P: puma source: update-
P: puma source: very-long-
P: puma source: very-long-
P: puma source: very-long-
P: puma source: very-long-
Lintian overrides are present:
$ cat debian/
# this is one of several sub-directories; no need to rename it
repeated-
The reason is mentioned in the comment.
This package does not rely on obsolete or about to be demoted packages.
The package will not be installed by default.
Packaging and build is easy, link to d/rules:
https:/
[UI standards]
Application is not end-user facing (does not need translation).
[Dependencies]
It also requires ruby-nio4r as a runtime dependency:
- ruby-nio4r MIR bug: https:/
[Standards compliance]
This package correctly follows FHS and Debian Policy.
[Maintenance/Owner]
Owning Team will be Server.
The team is not yet subscribed, but will subscribe to the package before promotion.
This does not use static builds.
This does not use vendored code.
This package is not rust based.
The package has been built in the archive more recently than the last
test rebuild.
[Background information]
The Package description explains the package well.
Upstream Name is: puma.
Link to upstream project: https:/
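The [Security] section above is a checklist (no suid/sgid binaries, no executables in /sbin or /usr/sbin, no services, timers or recurring jobs) that a reviewer can reproduce mechanically rather than by reading the file list. The script below is an added example for this page, not part of the bug report, the MIR template or the puma packaging. It assumes the package has been unpacked into a directory tree (for instance with `dpkg-deb -x puma_*.deb root/`) and audits that tree; the fixture tree it builds is constructed here purely so the checks run offline, and the file names in it (helper, pumactl, puma.service, ...) are invented.

```shell
#!/bin/sh
# Reproduce the MIR [Security] checklist against an unpacked package tree.
# Assumption (not from the MIR text): $1 is the root of the unpacked .deb,
# e.g. the directory produced by `dpkg-deb -x puma_*.deb root/`.

# Checklist item: "No suid or sgid binaries."
count_suid_sgid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Checklist item: "No executables in /sbin and /usr/sbin."
count_sbin_executables() {
  n=0
  for d in "$1/sbin" "$1/usr/sbin"; do
    [ -d "$d" ] || continue
    n=$((n + $(find "$d" -type f -perm -0100 | wc -l)))
  done
  echo "$n"
}

# Checklist item: "Package does not install services, timers or recurring jobs."
# Counts systemd .service/.timer units and anything dropped into the cron dirs.
count_scheduled_units() {
  n=0
  for d in "$1/lib/systemd/system" "$1/usr/lib/systemd/system" "$1/etc/systemd/system"; do
    [ -d "$d" ] || continue
    n=$((n + $(find "$d" -type f \( -name '*.service' -o -name '*.timer' \) | wc -l)))
  done
  for d in "$1/etc/cron.d" "$1/etc/cron.hourly" "$1/etc/cron.daily" \
           "$1/etc/cron.weekly" "$1/etc/cron.monthly"; do
    [ -d "$d" ] || continue
    n=$((n + $(find "$d" -type f | wc -l)))
  done
  echo "$n"
}

# Constructed fixture (invented file names): one clean Ruby launcher like a
# puma-style package would ship, plus one deliberate violation per check so
# the audit has something to report. Prints the temporary root directory.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/usr/sbin" "$root/lib/systemd/system" "$root/etc/cron.d"
  printf '#!/usr/bin/ruby\n' > "$root/usr/bin/puma";   chmod 0755 "$root/usr/bin/puma"
  printf '#!/bin/sh\n'       > "$root/usr/bin/helper"; chmod 4755 "$root/usr/bin/helper"   # setuid
  printf '#!/bin/sh\n'       > "$root/usr/sbin/pumactl"; chmod 0755 "$root/usr/sbin/pumactl"
  : > "$root/lib/systemd/system/puma.service"
  : > "$root/lib/systemd/system/puma-restart.timer"
  : > "$root/etc/cron.d/puma-logrotate"
  echo "$root"
}

# Print all three counts; any non-zero value is something the MIR
# description has to either justify or contradict.
audit_tree() {
  printf 'suid/sgid binaries:         %s\n' "$(count_suid_sgid "$1")"
  printf 'executables in (/usr)/sbin: %s\n' "$(count_sbin_executables "$1")"
  printf 'services/timers/cron jobs:  %s\n' "$(count_scheduled_units "$1")"
}

# Usage: ./mir_checks.sh root/   (audits a real unpacked package)
#        ./mir_checks.sh         (audits the constructed fixture instead)
if [ -n "$1" ]; then
  audit_tree "$1"
else
  fixture=$(make_fixture)
  audit_tree "$fixture"
  rm -rf "$fixture"
fi
```

Privileged-port use is not visible in the file list, so it is deliberately not covered here; for a Ruby server such as puma it is a configuration question (the default bind is an unprivileged port) that has to be checked by reading the shipped config and the documented defaults.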
Changed in puma (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
tags: added: sec-1675
Review for Package: src:puma
[Summary]
puma is an HTTP/1.1 server suited for ruby integration (like with pcs).
It seems to be the most popular and production ready alternative,
besides ruby-webrick and thin. Being a web server this is very security
sensitive and has seen many CVEs in the past. Also, the server team
already maintains ruby-webrick in main, which we should get demoted
in the future. The packaging of puma should be updated to the new 6.x
upstream release.
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: puma
Specific binary packages built, but NOT to be promoted to main: <None>
Notes:
#0 The server team should formulate a plan of how to migrate
from ruby-webrick to puma for its currently supported packages
so we can demote ruby-webrick in the future (or comment on why
this isn't possible)
Required TODOs:
#1 merge new major upstream release 6.x (at least I'd like to see a
merge from Debian experimental, ideally even the very recent 6.1
upstream release), hopefully before feature freeze
#2 get ruby-nio4r promoted (LP: #2006464)
Recommended TODOs:
#3 The package should get a team bug subscriber before being promoted
#4 both ruby-webrick and puma will be owned by the Server team.
puma seems to be superior, can we formulate a plan of demoting
ruby-webrick and migrating its reverse-dependencies to puma?
#5 fix OpenSSL deprecation warnings in mini_ssl.c (upstream)
#6 improve flaky test situation
(especially if it can lead to FTBFS, see Debian bugs below)
#7 improve on some lintian hints (see below)
#8 keep on improving and resolving the s390x test situation
[Duplication]
Problems: There is ruby-webrick in main providing the same functionality.
ruby-webrick seems to be more of a demo/development server, whereas puma seems
to be the much better and more popular choice for production use cases:
https://www.ruby-toolbox.com/categories/web_servers
There are also other HTTP servers in main, like apache. Please see the
discussion in the (deprecated) "thin" MIR for why we won't consider them
duplicates for this use case (the same arguments still hold):
https://bugs.launchpad.net/ubuntu/+source/thin/+bug/1990582/comments/1
Other suspicious packages check (not in main, but ruby-webrick):
rmadison -c main {ruby-async-http,ruby-faye-websocket,ruby-ftw,puma,thin,ruby-webrick,thin}
ruby-webrick | 1.7.0-3 | jammy-updates | source, all
ruby-webrick | 1.7.0-3 | kinetic | source, all
ruby-webrick | 1.7.0-4 | lunar | source, all
ruby-webrick | 1.8.1-1 | lunar-proposed | source, all
[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems:
- other Dependencies to MIR due to this: ruby-nio4r (LP: #2006464)
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints ...