Review for Source Package: qrtr [Summary] qrtr is the userspace part for IPC communication with qualcomm processors. It is primarily used on mobile phones, but can also be relevant for ARM based laptops, such as the Lenovo X13s. MIR team ACK (pending security-team ACK), with some suggested Recommended TODOs. This does need a security review, so I'll assign ubuntu-security List of specific binary packages to be promoted to main: libqrtr1, qrtr-tools Specific binary packages built, but NOT to be promoted to main: None Notes: #0 requesting security review, because it's running a service as root, opening controll sockets, parsing protocol packages and having no hardening features enabled. #1 This is needed for hardware enablement, no automatic testing can be provided, but the hardware is available and a test case described in the ISO tracker. Required TODOs: - None Recommended TODOs: #2 The package should get a team bug subscriber before being promoted #3 Enablement of isolation/hardening features should be considered (e.g. as part of the systemd service) #4 Adding (hardware independent) smoke tests during build-/autopkgtests should be considered, at least making sure the library can be compiled and loaded correctly #5 Consider helping out uptream with adding documentation/man pages #6 Consider supporting the Debian maintainer with more timely package updates after (rare) upstream releases are cut. #7 Consider putting a condition into the systemd service, to make it run only when relevant hardware is detected [Rationale, Duplication and Ownership] There is no other package in main providing the same functionality. A team is committed to own long term maintenance of this package. The rationale given in the report seems valid and useful for Ubuntu [Dependencies] OK: - no other Dependencies to MIR due to this - src:qrtr checked with `check-mir` - all dependencies can be found in `seeded-in-ubuntu` (already in main) - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main - no -dev/-debug/-doc packages that need exclusion - No dependencies in main that are only superficially tested requiring more tests now. Problems: None [Embedded sources and static linking] OK: - no embedded source present - no static linking - does not have unexpected Built-Using entries - not a go package, no extra constraints to consider in that regard - not a rust package, no extra constraints to consider in that regard Problems: None [Security] OK: - history of CVEs does not look concerning - does not use webkit1,2 - does not use lib*v8 directly - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does not deal with security attestation (secure boot, tpm, signatures) - does not deal with cryptography (en-/decryption, certificates, signing, ...) Problems: - does run a daemon as root - doesn't make appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...) - does parse data formats (QIPCRTR network packets, QMI structures, ...) from an untrusted source (userland). - does expose any external endpoint (port/socket/... or similar) [Common blockers] OK: - does not FTBFS currently - This does seem to need special HW for build or test so it can't be automatic at build or autopkgtest time. But as outlined by the requester in [Quality assurance - testing] there: - is hardware (Lenovo X13s) and a test plan or code (kernel & foundations, http://iso.qa.ubuntu.com/qatracker/milestones/449/builds/288343/testcases) - is community support to test this for Ubuntu - no new python2 dependency - not a Python package - not a Go package Problems: - does not have a test suite that runs at build time - does not have a non-trivial test suite that runs as autopkgtest [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking is in place. - debian/watch is present and looks ok (if needed, e.g. non-native) - the current release is packaged - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - debian/rules is rather clean - It is not on the lto-disabled list Problems: - Upstream update history is sporadic - Debian/Ubuntu update history is slow - some lintian warnings: W: qrtr-tools: no-manual-page [usr/bin/qrtr-{cfg,lookup,ns}] X: qrtr-tools: systemd-service-file-missing-hardening-features [lib/systemd/system/qrtr-ns.service] [Upstream red flags] OK: - no Errors/warnings during the build - no incautious use of malloc/sprintf (as far as we can check it) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests) - no use of user nobody - no use of setuid / setgid - no dependency on webkit, qtwebkit, seed or libgoa-* - no important open bugs (crashers, etc) in Debian or Ubuntu - not part of the UI for extra checks - no translation present, but none needed for this case (user visible)? Problems: None