[MIR] Promote ruby-eventmachine to main as a pcs indirect dependency

Review for Package: ruby-eventmachine

[Summary]
The review is based on the 1.3~pre20220315-df4ab006 version currently
in lunar-proposed.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, but I will not assign to security team yet
until the required TODOs are addressed.
List of specific binary packages to be promoted to main: ruby-eventmachine

Notes:
Required TODOs:
1. Please check what happens with the verisoning of this package.
Ubuntu/debian version is 1.3~pre20220315-df4ab006, however if we look
at the gitlog of the upstream project (https://github.com/eventmachine/eventmachine)
this does not reflect anywhere. Also from here https://rubygems.org/gems/eventmachine/versions,
and here https://rubygems.org/gems/eventmachine the reported latest version is 1.2.7.

The package should get a team bug subscriber before being promoted

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - ruby-event-machine checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- does open a port/socket

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta (patches come from debian)
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good/slow/sporadic
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian wa...

Thanks for the review Ioanna.

Regarding the version string confusion: this is a pre release snapshot, the next upstream release will be 1.3, it was taken at 2022-03-15 and the head commit was df4ab006 (which was made 14th March, one day before the snapshot):

https://github.com/eventmachine/eventmachine/commit/df4ab006

So merging all that we have 1.3~pre20220315-df4ab006-3. I hope the explanation above clarifies everything for you.

Moreover, I'll make sure the server team will be subscribed to the package before its promotion.

Thanks, I tihnk it is enough but Ioanna will have a look.

If it is enough, assign security as they will be next to process it
If it is not enough - tell Lucas what is missing still

Ok, sounds good to me, thanks Lucas.
Moving to security team queue.

I reviewed ruby-eventmachine 1.3~pre20201020-b50c135-5 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> EventMachine is an event-driven I/O and lightweight concurrency library for Ruby. It provides event-driven I/O using the Reactor pattern, much like JBoss Netty, Apache MINA, Python's Twisted, Node.js, libevent and libev.

- CVE History:
  - https://lwn.net/Vulnerabilities/694784/
    - DoS by too many parallel connections
    - https://bugs.mageia.org/show_bug.cgi?id=18988
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678512
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696015
  - TEMP-0678512-2E167C
    - "remotely executable crash" of Ruby VM if too many file descriptors used
    - https://security-tracker.debian.org/tracker/TEMP-0678512-2E167C
  - Eventmachine does not verify the identity of a TLS server
    - https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/
      - "This has been a requested feature in EventMachine for many years now; see for example #275, #378, and #814. In June 2020, em-http-request published an advisory related to this problem and fixed it by implementing TLS verification in their own codebase"
    - EM::Connection#start_tls creates a non-verified TLS session
    - if verify_peer is set, EM::Connection#ssl_verify_peer will accept a method _from the caller_ to verify the peer
    - https://github.com/eventmachine/eventmachine/issues/814
    - six downstream projects were assigned CVEs in 2020 for MITM attacks
- Build-Depends?
  - lunar main
     - debhelper-compat (debhelper)
     - iproute2
     - libssl-dev
     - rake
  - lunar universe
     - gem2deb
     - ruby-rspec
     - rake-compiler
     - ruby-test-unit
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - contains build tests
    - logs state that the SSLv3 test_any_to_v3 is supposed to fail
  - has autopkgtests
  - autopkgtests fails for focal and earlier
    - Debian/Ubuntu's Ruby 2.7 may be linking to the wrong malloc
      - https://github.com/eventmachine/eventmachine/issues/965
      - https://bugs.ruby-lang.org/issues/18650
- cron jobs?
  - none
- Build logs:
  - many unused result build warnings
  - deprecated ssl build warnings

- Processes spawned?
  - EM::popen
    - see t_invoke_popen(), evma_popen, and EventMachine_t::Socketpair which ultimately calls execvp()
    - calls to this function should not use untrusted data
    - open bug from 2010: "Ability to close write stream from EM.popen handler #87"
      - https://github.com/eventmachine/eventmachine/issues/87
    - "EM::system is a simple wrapper for EM::popen. It is similar to Kernel::system, but requires a single string argument for the command and performs no shell expansion."
    - EM::DeferrableChildProcess is another EM::popen wrapper
    - grep for `EventMachine.popen`, `EM.popen`, `EM.DeferrableChildProcess`, etc or similar in downstream projects
    - com...

    - Debian/Ubuntu's Ruby 2.7 may be linking to the wrong malloc
      - https://github.com/eventmachine/eventmachine/issues/965
      - https://bugs.ruby-lang.org/issues/18650

This ^ is not a problem since in lunar (where we want to promote it) we have ruby 3.0 and we are transitioning to ruby 3.1.

pcs is replacing thin (which depends on ruby-eventmachine) with puma https://github.com/ClusterLabs/pcs/pull/632

Removing Ubuntu Security Team assignment until there is a new need to complete this MIR.