[MIR] u-boot-menu
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
u-boot-menu (Ubuntu) | Fix Released | Undecided | Unassigned | |
Focal | Fix Released | Undecided | Unassigned | |
Bug Description
[Availability]
In universe.
[Rationale]
Devices that have u-boot (such as HiFive SiFive boards in their onboard SPI flash) can discover and use extlinux/
This is similar to `update-grub` functionality for the grub based bootloaders that find all the kernels and generate `Ubuntu` menuentry.
It is a trivial shell script that is maintained as a Debian native package to automatically integrate with kernel postinst scripts to generate said config file automatically upon kernel installs.
Thus this package is intended to be seeded on the uboot based preinstalled ubuntu-server images such as riscv64 one.
[Security]
Fairly minimal shell script, with an optional configuration file (for overrides, unused by default) that is executed as root as part of kernel postinst machinery.
[Quality assurance]
Maintained in Debian, and in Ubuntu by Foundations Team.
[Dependencies]
It's fairly freestanding, depends on linux-base only. The bootloader is expected to be provided externally, which will discover, parse, and use the conf file this package generates in /boot.
[Standards compliance]
Adheres to the Debian Policy.
[Maintenance]
[Background information]
In use on riscv64 ubuntu-cpc cloud-images & preinstalled ubuntu-server.
Changed in u-boot-menu (Ubuntu):
assignee: nobody → Dan Streetman (ddstreet)
Changed in u-boot-menu (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
[Summary]
This is a small package that provides only a bash script and some
kernel postinst/prerm hooks.
There are no concerning problems with the package, so ACK from MIR team.
As this script deals with configuration of the boot-time menu, and thus
affects code started at boot time, this does need a security review,
so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: u-boot-menu
Notes:
There are 2 identified issues (aside from needing security review),
as listed in the details below, but I don't feel either are
important enough to block MIR:
1. There are no build-time or autopkgtest test cases, but this is a
single simple script.
2. The Ubuntu devel version lags behind Debian but only by a single
minor version.
[Duplication]
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
[Security]
OK:
- no CVEs found
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
Problems:
- does involve control of boot
[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber
- no translation present, but none needed for this case
- not a python/go package, no extra constraints to consider in that regard
Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch not applicable, native package
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- Not Go Package
Problems:
- the current release is not packaged in hirsute, but 1 minor version behind
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks