MIR xdg-terminal-exec

Bug #2069308 reported by Nathan Teodosio
Affects: xdg-terminal-exec (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Ubuntu Security Team | Milestone: (none)

Bug Description

[Availability]
The package xdg-terminal-exec is already in Ubuntu universe.
The package xdg-terminal-exec builds for the architectures it is designed to work on.
It currently builds and works for architectures: "all"
Link to package https://launchpad.net/ubuntu/+source/xdg-terminal-exec

[Rationale]
- The package xdg-terminal-exec is required in Ubuntu
  main for compliance with the emerging XDG specification,
  https://gitlab.freedesktop.org/terminal-wg/specifications/-/merge_requests/3.
- The package xdg-terminal-exec will generally be useful for a large part of
  our user base
- Package xdg-terminal-exec covers the same use case as x-terminal-emulator,
  but is better because it allows setting the default terminal for a particular
  user (instead of system-wide), and xdg-terminal-exec ought to be configured
  to be the terminal used for .desktop files that set Terminal=true too,
  thereby we want to replace it.
- There is no other/better way to solve this that is already in main or
  should go universe->main instead of this.
- The binary package xdg-terminal-exec needs to be in main to ensure full
  and committed support for such a central piece for the Ubuntu desktop

- It would be great and useful to community/processes to have the
  package xdg-terminal-exec in Ubuntu main, but there is no definitive deadline.

[Security]
- No CVEs/security issues in this software in the past
- No `suid` or `sgid` binaries
- No executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/xdg-terminal-exec/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=xdg-terminal-exec
  - Upstream's bug tracker, e.g., GitHub Issues
    https://github.com/Vladimir-csp/xdg-terminal-exec/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
  it makes the build fail, link to build log[1].

- The package runs an autopkgtest, and is currently passing on
  all Ubuntu architectures, link to test logs[2]

- The package does not have failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works

- debian/control defines a correct Maintainer field

- This package does not yield massive lintian Warnings, Errors
  Please link to a recent build log of the package[1]
- Please attach the full output you have got from
   `lintian --pedantic` as an extra post to this bug.
- Lintian overrides are not present

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf
  questions higher than medium

- Packaging and build is easy, link to debian/rules[3]

[UI standards]
- Application is not end-user facing (does not need translation)

- End-user applications without desktop file, not needed because not a desktop application.

[Dependencies]

- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- I suggest the owning team to be the desktop team
- The future owning team is not yet subscribed, but will subscribe to
  the package before promotion

- This does not use static builds

- This does not use vendored code

- This package is not rust based

- The package was rebuilt in Launchpad recently[1].

[Background information]
The Package description explains the package well
Upstream Name is xdg-terminal-exec
Link to upstream project https://github.com/Vladimir-csp/xdg-terminal-exec

https://manpages.debian.org/xdg-terminal-exec

[1] https://launchpadlibrarian.net/734808252/buildlog_ubuntu-oracular-amd64.xdg-terminal-exec_0.10.0-1_BUILDING.txt.gz
[2] https://autopkgtest.ubuntu.com/packages/xdg-terminal-exec
[3] https://salsa.debian.org/freedesktop-team/xdg-terminal-exec/-/raw/debian/master/debian/rules?ref_type=heads

Tags: sec-4642
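Several items in the [Security] checklist above (no suid/sgid binaries, no executables in /sbin or /usr/sbin, no services, timers or recurring jobs) can be verified mechanically from the package's file list rather than taken on trust. The script below is an added example, not part of xdg-terminal-exec or its Debian packaging; it classifies each path from `dpkg -L` output, takes an optional root prefix so the same checks can run against a staged tree, and uses finding labels (SUID, EXEC-IN-SBIN, and so on) that are this example's own naming.

```shell
#!/bin/sh
# mir_security_audit.sh -- added example; not part of xdg-terminal-exec or its
# Debian packaging. Mechanically checks the verifiable items of a MIR [Security]
# checklist against a package's file list: suid/sgid binaries, executables in
# /sbin or /usr/sbin, and installed services, timers or recurring jobs.
set -u

# check_path PATH ROOT
# PATH is a path as listed by `dpkg -L` (absolute, relative to the package's
# install root); ROOT is prefixed for the on-disk checks so the same logic runs
# against a staged tree. Prints one finding and returns 0 when PATH violates a
# checklist item; returns 1 (silently) otherwise.
check_path() {
    p=$1
    f="$2$1"
    # Items decided by the path alone: unit files, init scripts and cron jobs.
    case "$p" in
        */systemd/*.service|*/systemd/*.socket|*/systemd/*.timer|/etc/init.d/*)
            echo "SERVICE-OR-TIMER $p"; return 0 ;;
        /etc/cron.d/*|/etc/cron.hourly/*|/etc/cron.daily/*|/etc/cron.weekly/*|/etc/cron.monthly/*)
            echo "RECURRING-JOB $p"; return 0 ;;
    esac
    # Remaining items need the file itself; directories and missing paths are skipped.
    [ -f "$f" ] || return 1
    case "$p" in
        /sbin/*|/usr/sbin/*)
            if [ -x "$f" ]; then echo "EXEC-IN-SBIN $p"; return 0; fi ;;
    esac
    # test -u / test -g check the set-user-ID / set-group-ID mode bits (POSIX).
    if [ -u "$f" ]; then echo "SUID $p"; return 0; fi
    if [ -g "$f" ]; then echo "SGID $p"; return 0; fi
    return 1
}

# audit_paths LISTFILE [ROOT]
# LISTFILE holds one path per line (the shape of `dpkg -L <pkg>` output).
# Prints every finding and returns 0 when the list is clean, 1 otherwise.
audit_paths() {
    listfile=$1
    root=${2:-}
    findings=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if check_path "$p" "$root"; then
            findings=$((findings + 1))
        fi
    done < "$listfile"
    [ "$findings" -eq 0 ]
}

# Entry point: `sh mir_security_audit.sh <package>` audits an installed package.
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    tmplist=$(mktemp)
    if ! dpkg -L "$1" > "$tmplist"; then
        rm -f "$tmplist"
        exit 2
    fi
    audit_paths "$tmplist" ""
    rc=$?
    rm -f "$tmplist"
    exit "$rc"
fi
```

Run as `sh mir_security_audit.sh xdg-terminal-exec` on a system with the package installed; an empty output and exit status 0 confirm the four mechanically checkable claims, while the remaining checklist lines (CVE history, external endpoints, plugin-style extensions) still need a human reviewer.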
Nathan Teodosio (nteodosio) wrote : Lintian --pedantic
description: updated
Jeremy Bícha (jbicha)
description: updated
description: updated
Lukas Märdian (slyon)
Changed in xdg-terminal-exec (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Seth Arnold (seth-arnold) wrote :

I'm curious if a config change in xdg-utils is all that's needed to get something similar:

$ locate xdg-terminal x/xdg-utils
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.1-1ubuntu1/scripts/xdg-terminal.in
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.1-1ubuntu1/scripts/desc/xdg-terminal.xml
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.1-1ubuntu1.16.04.5/scripts/xdg-terminal.in
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.1-1ubuntu1.16.04.5/scripts/desc/xdg-terminal.xml
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.2-1ubuntu2/scripts/xdg-terminal.in
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.2-1ubuntu2/scripts/desc/xdg-terminal.xml
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.2-1ubuntu2.5/scripts/xdg-terminal.in
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.2-1ubuntu2.5/scripts/desc/xdg-terminal.xml
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.3-2ubuntu1/scripts/xdg-terminal.in
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.3-2ubuntu1/scripts/desc/xdg-terminal.xml
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.3-2ubuntu1.20.04.2/scripts/xdg-terminal.in
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.3-2ubuntu1.20.04.2/scripts/desc/xdg-terminal.xml
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.3-4.1ubuntu1/scripts/xdg-terminal.in
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.3-4.1ubuntu1/scripts/desc/xdg-terminal.xml
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.3-4.1ubuntu3/scripts/xdg-terminal.in
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.3-4.1ubuntu3/scripts/desc/xdg-terminal.xml
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.3-4.1ubuntu3~22.04.1/scripts/xdg-terminal.in
/newsrv/trees/ubuntu/main/x/xdg-utils/xdg-utils_1.1.3-4.1ubuntu3~22.04.1/scripts/desc/xdg-terminal.xml

Thanks

Jeremy Bícha (jbicha) wrote :

I don't know why but xdg-utils upstream does not install the xdg-terminal script. It is also not listed in the list of tools provided by xdg-utils in the README.md at https://gitlab.freedesktop.org/xdg/xdg-utils

For reference, Fedora does not go out of its way to install xdg-terminal either:
https://koji.fedoraproject.org/koji/rpminfo?rpmID=37977002

glib2.0 does have explicit support for xdg-terminal-exec and Ubuntu Desktop wants to proceed with using xdg-terminal-exec rather than the older xdg-terminal.

https://gitlab.gnome.org/GNOME/glib/-/blob/glib-2-80/gio/gdesktopappinfo.c#L2695

Lukas Märdian (slyon) wrote :

Review for Source Package: xdg-terminal-exec

[Summary]
xdg-terminal-exec is a generic wrapper around launching a default terminal. That
is on a per-user level, rather than system-wide (think x-terminal-emulator alternative).
It's the reference implementation of Freedesktop's "Default Terminal Execution" [spec],
written in shell script. It has a long history and seems to be well maintained.
There is also "xdg-terminal" upstream implementation, which is not currently packaged
as part of xdg-utils.

[spec] https://gitlab.freedesktop.org/terminal-wg/specifications/-/merge_requests/3

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: xdg-terminal-exec
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
#0 - I'm signing it up for security review because this is a big shell script,
     parsing configs and launching terminals.
Required TODOs:
#1 - Please swap the "xterm | x-terminal-emulator" Depends
     to avoid a false-positive component-mismatch, due to xterm not being in "main"
Recommended TODOs:
#2 - The package should get a team bug subscriber before being promoted
#3 - consider using mitigation features (e.g. apparmor) to restrict the threat vectors
#4 - please try to find out what's the plan for xdg-utils/xdg-terminal, see comment #2
     => do we expect this to be a thing in the future? That would lead to duplication in main,
        as xdg-utils is currently in main.

[Rationale, Duplication and Ownership]
OK:
- A team is committed to own long term maintenance of this package. (~desktop-packages)
- The rationale given in the report seems valid and useful for Ubuntu

Problems:
- There are other packages in main providing the same/similar functionality.
  => x-terminal-emulator (virtual package)
  => xdg-utils/xdg-terminal

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- Please swap the "xterm | x-terminal-emulator" Depends to avoid a false-positive component-mismatch, due to xterm not being in "main"

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized o...


Changed in xdg-terminal-exec (Ubuntu):
status: New → Confirmed
assignee: Lukas Märdian (slyon) → Ubuntu Security Team (ubuntu-security)
Nathan Teodosio (nteodosio) wrote :

> #4 - please try to find out what's the plan for xdg-utils/xdg-terminal, see comment #2

https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/241 suggests that xdg-utils/xdg-terminal is not going anywhere and that xdg-utils/xdg-terminal even considers deferring to xdg-terminal-exec.

tags: added: sec-4642