[mir] seed

Bug #782972 reported by Jeremy Bicha on 2011-05-15
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
seed (Ubuntu)
Low
Unassigned

Bug Description

Binary package hint: seed

1. Availability - already packaged & builds in Ubuntu universe & Debian stable

2. Rationale - Seed is a library, bringing the WebKit JS engine to Gnome. It is a dependency of epiphany-browser and libpeas (itself a dependency of eog, gedit, & totem), thus blocking the Gnome 3 transition.

3. Security - Part of GNOME. There are no known security bugs:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libseed
A search for seed reveals several bugs, but none appear to apply to this package

4. QA -
https://bugs.launchpad.net/ubuntu/+source/seed
http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=seed
https://bugzilla.gnome.org/buglist.cgi?quicksearch=product%3A%22seed%22
Gnome has one old critical bug for seed:
https://bugzilla.gnome.org/show_bug.cgi?id=599025

5. UI - This library is translatable using intltool

6. Dependencies: https://bazaar.launchpad.net/+branch/ubuntu/seed/view/head:/debian/control
All dependencies are already in main

7. Standards compliant 3.8.4

8. Maintenance - We are currently in sync with Debian

9. Background information
https://live.gnome.org/Seed
An earlier MIR for seed was filed as bug 491270 but wasn't needed at the time

ProblemType: BugDistroRelease: Ubuntu 11.10
Package: seed 3.0.0-1
ProcVersionSignature: Ubuntu 2.6.39-2.7-generic 2.6.39-rc7
Uname: Linux 2.6.39-2-generic x86_64
Architecture: amd64
Date: Sun May 15 07:01:36 2011InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 LANGUAGE=en_GB:en
 PATH=(custom, no user)
 LANG=en_GB.utf8
 SHELL=/bin/bashSourcePackage: seed
UpgradeStatus: Upgraded to oneiric on 2011-01-01 (134 days ago)

Revision history for this message
Jeremy Bicha (jbicha) wrote :
description: updated
Revision history for this message
Michael Terry (mterry) wrote :

Package itself looks fine. But passing to security team for a quick review. Handling javascript seems like something that would need a sign off.

Changed in seed (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Michael Terry (mterry) wrote :

Oh, though it has tests that would ideally be run. I'll look into enabling them while security does its thing.

Revision history for this message
Michael Terry (mterry) wrote :

Filed debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626936 about the test suite. It's a bit non-trivial to enable, so I'll not block the MIR on that.

Revision history for this message
Michael Terry (mterry) wrote :

Oh where is my head today. This will need a symbols file for libseed-gtk3. That is a MIR blocker.

Changed in seed (Ubuntu):
status: New → Incomplete
Revision history for this message
Kees Cook (kees) wrote :

Yikes, javascript hooked to the desktop. :) There's nothing immediately wrong with the code, but I have to wonder about how security boundaries are going to be enforced, if JS from the browser ever touches JS for the desktop. I would prefer to see documentation similar to the "same origin" policies in browsers for how JS will be used in the Desktop before this package goes into main.

Changed in seed (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Michael Terry (mterry) wrote :

I've emailed the libseed mailing list about your questions. I couldn't find much information on seed security online.

Also, it doesn't need a symbols file, since it has strict "dh_makeshlibs -V" usage, and there's no reason to have the delta if we don't need it.

So the only blocker here is the security issues.

Revision history for this message
Sebastien Bacher (seb128) wrote :

current gedit and eog GNOME3 versions are dep-waiting on this to be sorted, is the issue there blocking promotion and can it be sorted later?

Revision history for this message
Michael Terry (mterry) wrote :

Here are the mailing list answers I got:
http://mail.gnome.org/archives/libseed-list/2011-May/msg00001.html
http://mail.gnome.org/archives/libseed-list/2011-May/msg00003.html

Basically, they say that JS here is 'merely' as powerful as Python. That since you can already do anything you want with Python, JS isn't any worse. They say it only uses the JavaScriptCore portion of webkit and doesn't interact with browser-side JS.

i.e. it's just a language binding for gobject.

That sounds like it answers Kees's concern?

Revision history for this message
Kees Cook (kees) wrote :

Right, it's "just" bindings, but right now browsers don't run Python code. :) I'm fine with this all on principle, but I don't want to see JS crossing from the browser to the desktop without a specific security design. Since there isn't one yet, I'll just make an easy one up: "JavaScript must never be passed from the Browser to the Desktop". We can adjust this when there is something that needs to cross that boundary.

+1

Changed in seed (Ubuntu):
status: Incomplete → In Progress
Revision history for this message
Kees Cook (kees) wrote :

This should probably be something like "remotely-served or Browser-handled JavaScript should never be executed by the Desktop". Regardless, without some more specific examples of bad situations, this statement won't be complete.

Revision history for this message
Sebastien Bacher (seb128) wrote :

thanks, it has been promoted in oneiric

Changed in seed (Ubuntu):
importance: Undecided → Wishlist
importance: Wishlist → Undecided
importance: Undecided → Low
status: In Progress → Fix Released
Revision history for this message
Sebastien Bacher (seb128) wrote :

there is a depends on gnome-js-common which was overlooked there which made the binaries fail to install, Jeremy do you think you could write the mir for it?

Changed in seed (Ubuntu):
status: Fix Released → Triaged
Revision history for this message
Jeremy Bicha (jbicha) wrote :

mir for gnome-js-common filed as bug 785332

Revision history for this message
Matthias Klose (doko) wrote :

gnome-js-common promoted

Changed in seed (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Matthias Klose (doko) wrote :

was demoted again, and currently ftbfs

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.