[Summary]
As swtpm this seems generally well packaged, and already has plenty of users.
It needs a bit polishing here and there but seems close to be promotable.
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: libtpms0
Recommended TODOs:
- Right now it has no autopkgtest, maybe - like swtpm this could at least run
the build time tests to spot things as early as dependency-update instead of
"on the next rebuild"?
- The package should get a team bug subscriber before being promoted
[Duplication]
There are the tpm2-tss related packages, but those are for consumption of
real (or emulated) TPMs. No other package in main providing the same
functionality of emulating/mocking/faking a TPM in software.
[Dependencies]
OK:
- no other Dependencies to MIR due to this (just libc and ssl)
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the built reverse-depends are in universe
- no -dev/-debug/-doc packages that need exclusion (-dev exists but has no
aggressive deps that would be a problem)
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
Problems:
- does parse data formats
- does deal with security attestation (secure boot, tpm, signatures)
- history of CVEs does look concerning
- Also the intended use case just yells "this needs a seucrity review"
[Common blockers]
OK:
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- additional testing by usage in swtpm and its tests is indirectly existing
- no new python2 dependency
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
control
- symbols tracking is in place (debian/libtpms0.symbols)
- d/watch is present and looks ok
- Upstream update history is regular and good
- Debian/Ubuntu update history is slightly slow, but ok (only exists since G)
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list
[Upstream red flags]
OK:
- no Errors/warnings during the build (a few -Wreturn-local-addr, nothing severe)
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user nobody
- no use of setuid
- use of setuid, but ok because <TBD> (prefer systemd to set those
for services)
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case
Review for Package: libtpms
[Summary]
As swtpm this seems generally well packaged, and already has plenty of users.
It needs a bit polishing here and there but seems close to be promotable.
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: libtpms0
Required TODOs: /github. com/stefanberge r/libtpms/ releases/ tag/v0. 9.0 /launchpadlibra rian.net/ 557789130/ buildlog_ ubuntu- impish- ppc64el. libtpms_ 0.8.2-1ubuntu1_ BUILDING. txt.gz /github. com/stefanberge r/libtpms/ issues/ 215
- please package the current v0.9
https:/
- Fix the ppc64 FTBFS
https:/
- Track and resolve https:/
to ensure this works well with openssl3.0 in Ubuntu 22.04
Recommended TODOs:
- Right now it has no autopkgtest, maybe - like swtpm this could at least run
the build time tests to spot things as early as dependency-update instead of
"on the next rebuild"?
- The package should get a team bug subscriber before being promoted
[Duplication] mocking/ faking a TPM in software.
There are the tpm2-tss related packages, but those are for consumption of
real (or emulated) TPMs. No other package in main providing the same
functionality of emulating/
[Dependencies]
OK:
- no other Dependencies to MIR due to this (just libc and ssl)
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the built reverse-depends are in universe
- no -dev/-debug/-doc packages that need exclusion (-dev exists but has no
aggressive deps that would be a problem)
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
Problems:
- does parse data formats
- does deal with security attestation (secure boot, tpm, signatures)
- history of CVEs does look concerning
- Also the intended use case just yells "this needs a seucrity review"
[Common blockers]
OK:
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- additional testing by usage in swtpm and its tests is indirectly existing
- no new python2 dependency
Problems: /launchpadlibra rian.net/ 557789130/ buildlog_ ubuntu- impish- ppc64el. libtpms_ 0.8.2-1ubuntu1_ BUILDING. txt.gz
- does not have a non-trivial test suite that runs as autopkgtest
- does FTBFS currently (on PPC64)
=> https:/
I do not see why we would not need this on this arch, so for equivalency we
have to fix it before promoting it
[Packaging red flags] libtpms0. symbols)
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
control
- symbols tracking is in place (debian/
- d/watch is present and looks ok
- Upstream update history is regular and good
- Debian/Ubuntu update history is slightly slow, but ok (only exists since G)
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list
Problems: /github. com/stefanberge r/libtpms/ releases/ tag/v0. 9.0
- the current release is not packaged
https:/
[Upstream red flags] local-addr, nothing severe)
OK:
- no Errors/warnings during the build (a few -Wreturn-
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user nobody
- no use of setuid
- use of setuid, but ok because <TBD> (prefer systemd to set those
for services)
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case
Problems: /github. com/stefanberge r/libtpms/ issues/ 51 /github. com/stefanberge r/libtpms/ issues/ 215
- important open bugs (crashers, etc) in Debian or Ubuntu
IMHO there is one worthile to track (but no immediate action needed)
FIPS: https:/
But also one, that given we transition to openssl 3.0 we need to track
and resolve:
openssl3: https:/