[MIR] sysprof

Bug #2066269 reported by Jeremy Bícha
Affects: sysprof (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Ubuntu Security Team

Bug Description

[Availability]
The package sysprof is already in Ubuntu universe.
The package sysprof builds for the architectures it is designed to work on.
It currently builds and works for all Ubuntu architectures.
Link to package https://launchpad.net/ubuntu/+source/sysprof

[Rationale]
- The package sysprof is required in Ubuntu main
- The package sysprof will not generally be useful for a large part of our user base, but is important/helpful still because it is part of an Ubuntu initiative to focus on performance engineering, both for Ubuntu itself and for developers who build their projects on top of Ubuntu. The size of the sysprof app is fairly small and we envision sysprof as the latest of the small utilities that are included in a default Ubuntu desktop. (Disk Usage Analyzer [baobab] is another one of these utilities.)
+ Related to https://ubuntu.com/blog/ubuntu-performance-engineering-with-frame-pointers-by-default
- There is no other/better way to solve this that is already in main or should go universe->main instead of this.
- The package sysprof is required in Ubuntu main no later than August 15 due to an Ubuntu Desktop goal of including sysprof in the default 24.10 install.
- The binary package sysprof needs to be in main to achieve the goal of providing a GUI performance profiling tool (command-line tools were included by default in Ubuntu 24.04 LTS, but the Desktop Team and others did not have the capacity to also handle getting sysprof into the default install then.)

[Security]
- No CVEs/security issues in this software in the past
+ https://security-tracker.debian.org/tracker/source-package/sysprof
+ https://ubuntu.com/security/cves?package=sysprof

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does install services, timers or recurring jobs
+ /usr/lib/systemd/system/sysprof3.service
+ /usr/libexec/sysprofd
+ /usr/share/dbus-1/system-services/org.gnome.Sysprof3.service

- Security has been kept in mind and common isolation/risk-mitigation patterns are in place utilizing the following features:
+ App uses /usr/share/polkit-1/actions/org.gnome.sysprof3.policy to gain the elevated permissions it needs to use ptracing in the Linux kernel.
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package makes use of ptracing in the Linux kernel because it is required for the system-wide profiling feature that is essential to this app. I recommend Security Team review.

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/sysprof/
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=sysprof
- Upstream https://gitlab.gnome.org/GNOME/sysprof/-/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite at build time; if it fails, it makes the build fail. Link to build log:
https://launchpad.net/ubuntu/+source/sysprof/46.0-1build1

- The package runs an autopkgtest, and is currently passing on all architectures except for i386
https://autopkgtest.ubuntu.com/packages/sysprof

- We will also do manual testing of the GUI app:

https://wiki.ubuntu.com/DesktopTeam/TestPlans/Sysprof

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package
https://launchpad.net/ubuntu/+source/sysprof/46.0-1build1
- Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug.
- Lintian overrides are present, but ok because the overrides document why those Lintian warnings should be ignored.

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions
- Packaging and build is easy, link to debian/rules
https://salsa.debian.org/gnome-team/sysprof/-/blob/debian/latest/debian/rules

[UI standards]
- Application is end-user facing, Translation is present, via standard gettext system
- End-user application that ships a standard-conformant desktop file
+ /usr/share/applications/org.gnome.Sysprof.desktop

[Dependencies]
- There are further runtime dependencies that are not yet in main
+ MIR for libdex is at LP: #2066262
+ MIR for libpanel is at LP: #2066272

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be Ubuntu Desktop (~desktop-packages) and I have their acknowledgement for that commitment
- The future owning team is not yet subscribed, but will subscribe to the package before promotion

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package has been built in the archive more recently than the last test rebuild

[Background information]
- The Package description explains the package well
- Upstream Name is sysprof
- Link to upstream project https://gitlab.gnome.org/GNOME/sysprof

- There is a very large number of overrides in Ubuntu's supported seed to demote library -dev packages to universe to keep libsysprof-capture-4-dev out of main. Those overrides can be dropped once sysprof is allowed into main.

https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/ubuntu/tree/supported
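To verify the [Security] checklist claims above (no setuid/setgid binaries, no executables in /sbin or /usr/sbin, and the systemd, D-Bus system-service and polkit files that make up sysprofd's privilege boundary), here is an added audit script that is not part of this bug report or of the sysprof project. It takes a file list such as the output of `dpkg -L sysprof` plus an optional root prefix for auditing an extracted .deb; the function name and output format are my own.

```shell
#!/bin/sh
# Added example (not from the MIR or from sysprof): audit a package's file
# list against the MIR [Security] checklist items.
#
# mir_security_audit FILELIST [ROOT]
#   FILELIST: one absolute path per line, e.g. from `dpkg -L sysprof`
#   ROOT:     optional prefix, e.g. a directory from `dpkg-deb -x pkg.deb dir`
# Prints one line per finding. Return value is the number of findings on the
# "must not" items (setuid/setgid files, executables under /sbin or /usr/sbin);
# services, D-Bus system activation and polkit policies are listed for review
# only, since the MIR expects them to be declared and justified, not absent.
mir_security_audit() {
    filelist="$1"
    root="${2:-}"
    findings=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        f="${root}${path}"
        # "no suid or sgid binaries": check the mode bits of regular files
        if [ -f "$f" ] && { [ -u "$f" ] || [ -g "$f" ]; }; then
            echo "SUID/SGID: $path"
            findings=$((findings + 1))
        fi
        # "no executables in /sbin and /usr/sbin"
        case "$path" in
            /sbin/*|/usr/sbin/*)
                if [ -f "$f" ] && [ -x "$f" ]; then
                    echo "SBIN-EXEC: $path"
                    findings=$((findings + 1))
                fi ;;
        esac
        # "services, timers or recurring jobs" and the privilege boundary
        case "$path" in
            */systemd/system/*.service|*/systemd/system/*.timer|*/cron.*/*)
                echo "SERVICE: $path" ;;
            */dbus-1/system-services/*.service)
                echo "DBUS-SYSTEM: $path" ;;
            */polkit-1/actions/*.policy)
                echo "POLKIT: $path" ;;
        esac
    done < "$filelist"
    return "$findings"
}

# Usage on an installed package:
#   dpkg -L sysprof > /tmp/sysprof-files.txt
#   mir_security_audit /tmp/sysprof-files.txt; echo "must-not findings: $?"
```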

Jeremy Bícha (jbicha)
description: updated
Changed in sysprof (Ubuntu):
assignee: nobody → Jeremy Bícha (jbicha)
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
Changed in sysprof (Ubuntu):
assignee: Jeremy Bícha (jbicha) → nobody
Jeremy Bícha (jbicha) wrote :

Running lintian...
W: sysprof source: newer-standards-version 4.7.0 (current is 4.6.2)
W: sysprof: no-manual-page [usr/bin/sysprof-agent]
I: sysprof: desktop-entry-lacks-keywords-entry [usr/share/applications/org.gnome.Sysprof.desktop]
I: sysprof source: superficial-tests [debian/tests/control]
I: sysprof: systemd-service-file-missing-documentation-key [usr/lib/systemd/system/sysprof3.service]
P: sysprof source: maintainer-manual-page [debian/sysprof-cli.1]
P: sysprof source: maintainer-manual-page [debian/sysprof.1]
P: sysprof source: package-does-not-install-examples [examples/]
N: these are LD_PRELOAD modules, not libraries
O: libsysprof-6-modules: lacks-ldconfig-trigger usr/lib/x86_64-linux-gnu/libsysprof-memory-6.so usr/lib/x86_64-linux-gnu/libsysprof-speedtrack-6.so usr/lib/x86_64-linux-gnu/libsysprof-tracer-6.so
O: libsysprof-6-modules: no-shlibs usr/lib/x86_64-linux-gnu/libsysprof-memory-6.so
O: libsysprof-6-modules: no-shlibs usr/lib/x86_64-linux-gnu/libsysprof-speedtrack-6.so
O: libsysprof-6-modules: no-shlibs usr/lib/x86_64-linux-gnu/libsysprof-tracer-6.so
O: libsysprof-6-modules: no-symbols-control-file usr/lib/x86_64-linux-gnu/libsysprof-memory-6.so
O: libsysprof-6-modules: no-symbols-control-file usr/lib/x86_64-linux-gnu/libsysprof-speedtrack-6.so
O: libsysprof-6-modules: no-symbols-control-file usr/lib/x86_64-linux-gnu/libsysprof-tracer-6.so
O: libsysprof-6-modules: package-name-doesnt-match-sonames libsysprof-memory-6 libsysprof-speedtrack-6 libsysprof-tracer-6
N: sysprofd is D-Bus-activated and does not need to be started during boot.
O: sysprof: systemd-service-file-missing-install-key [usr/lib/systemd/system/sysprof3.service]

description: updated
description: updated
Changed in sysprof (Ubuntu):
status: Incomplete → New
Changed in sysprof (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Jeremy Bícha (jbicha)
description: updated
Christian Ehrhardt  (paelzer) wrote :

Sorry it took so long from the assignment last week; I have finally started on this MIR review.
If I can't complete it, I'd at least leave you what I found until then so you can act on these.

Christian Ehrhardt  (paelzer) wrote :

Review for Source Package: sysprof

[Summary]
MIR team ACK

While not the biggest attack surface, it could get crafted external data
which is a common way. Hence IMHO this does need a security review,
I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: sysprof, libsysprof-6-6, libsysprof-6-modules, libsysprof-capture-4-dev, libsysprof-6-dev

Specific binary packages built, but NOT to be promoted to main: n/a

Notes:
Required TODOs:
- none
Recommended TODOs:
- #1 The package should get a team bug subscriber before being promoted
  as you know and already wrote, but as usual that can be done once it
  is supposed to be promoted.

[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
  It is augmenting the console use cases of perf, but there is nothing in main
  that has the same workflow and visualization.
- A team is committed to own long term maintenance of this package.
- The rationale given in the report seems valid and useful for Ubuntu

[Dependencies]
OK:
- no other Dependencies to MIR due to this (libdex and libpanel already filed)
- no -dev/-debug/-doc packages that need exclusion
  - libsysprof-6-dev has dependencies, but they are all in main
  - libsysprof-capture-4-dev only has internal dependencies
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features

Problems:
- Does parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source. An explicit use case mentioned is people attaching
  such profiles to bugs.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build.
- does have a test suite that runs as autopkgtest
  while the tests are superficial, they cover reverse dep failures
- In addition you have already defined [1] which covers for what is left
  like how things "look like".
  [1]: https://wiki.ubuntu.com/DesktopTeam/TestPlans/Sysprof
- The manual test might in the future be automated, but altogether these are a
  great set of tests and satisfy what we look for as a minimum
- This does not need ...


Changed in sysprof (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
tags: added: sec-4574