Update and SRU 1.90.9

Bug #1908119 reported by Marco Trevisan (Treviño)
Affects | Status | Importance | Assigned to | Milestone
fprintd (Ubuntu) | Fix Released | High | Marco Trevisan (Treviño) |
Focal | Fix Released | High | Marco Trevisan (Treviño) |
Groovy | Won't Fix | High | Marco Trevisan (Treviño) |

Bug Description

[ Impact ]

Fprintd 1.90.7 is a new upstream version of fprintd that addresses many issues that have been here for some years, including some security ones (such as bug #1532264).
It was also mostly rewritten to use GDBus and remove the deprecated dbus-glib.

[ Test Case ]

- Setup fingerprint authentication
- Ensure that:
  - Previously configured access is still working
  - Configuring fprintd from 0 works as expected

Enrollment and verification should both work using GNOME Control Center and GNOME Shell (or other setups in KDE or other DEs) and using the `fprintd-enroll` / `fprintd-verify` / `fprintd-delete` utilities.

[ Regression potential ]

As said, the changes [1] are not trivial (even though you may want to ignore white spaces, as per new syntax rules); however, the fprintd test suite already included quite a lot of test cases, and many others have been added to this release to ensure that nothing changed.

From a dbus-API point of view, there were no changes (just a few additions such as the DBus object manager support), so clients should expect no changes.

However the new DBus and async polkit authentication machinery could cause regressions, such as:
 - Races causing the wrong client to be authenticated on request
 - Concurrent requests could lead to another client being authorized
 - PAM module could ignore verification events or authorize the wrong request

[1] http://launchpadlibrarian.net/511410221/fprintd_1.90.1-1ubuntu1_1.90.8-1~ubuntu20.04.1.diff.gz

Changed in fprintd (Ubuntu Groovy):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
importance: Undecided → High
status: New → In Progress
Changed in fprintd (Ubuntu Focal):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
importance: Undecided → High
status: New → In Progress
Changed in fprintd (Ubuntu):
status: In Progress → Fix Released
Changed in fprintd (Ubuntu):
status: Fix Released → In Progress
summary: - SRU 1.90.7
+ Update and SRU 1.90.8
Chris Halse Rogers (raof) wrote : Re: Update and SRU 1.90.8

I see 1.90.8-1 in hirsute, marking the devel task as done.

Changed in fprintd (Ubuntu):
status: In Progress → Fix Released
Chris Halse Rogers (raof) wrote :

Hm. It's not entirely clear to me that this core reworking is suitable as an SRU. Particularly concerning is the NEWS file, the contents of which are basically “1.90.4: did a core rework” followed by 1.90.5, 1.90.6, and 1.90.7 being “oops, the last release was broken”.

At least 1.90.8 is introduced as: “It seems that we are finally reaching the end of the tunnel with regard to regressions” :).

It's not clear to me what the current state of fprintd is, and this would help with risk assessment. If fprintd is currently unusable, or largely so, then the large changes involved here are more acceptable. If fprintd works for a reasonable proportion of users, then the large changes here risk breaking them.

Marco Trevisan (Treviño) (3v1n0) wrote :

At upstream level we've been quite busy during December and some releases have been put out before we addressed all the problems, but the good part of it has been that every regression was followed by fixes and lots of new tests to ensure cases that were never tested before or that were just broken are now addressed.

So, yeah we went through some releases but that improved the situation eventually.
At the same time the latest upstream version has also been quite well tested by users and is now part (or going to be part) of other distros' stable releases.

Not to mention that the regressions we had in the interim releases were mostly related to use cases that were never used in Ubuntu (like when using pam_fprintd for sudo unlocking, that requires manual setup).

In any case, the main reason for having this out as SRU (other than the various improvements) is the security issues addressed. Security team was happy to have this in, but we preferred to go through the SRU process in order to have better regression analysis.

Unfortunately that fix can't be decoupled from other releases (being a big change), and would allow us to easily update to a new point release if any problem occurs.

Robie Basak (racb) wrote :

> Security team was happy to have this in, but we preferred to go through the SRU process in order to have better regression analysis.

That's pretty convincing, since a security update would trump the SRU process anyway. And it does make sense to use the SRU process for time to bake in proposed, a more visible opportunity for users to flag issues, and so forth.

However, I want to make sure that we don't end up in a gap where the security team think that the SRU team consider it fine and the SRU team think that the security team think it's fine so nobody actually gives it the necessary consideration for regression risk. To avoid this kind of issue, I prefer to avoid basing decisions on hearsay in bugs.

Can I ask, if we're going to accept this on the basis that the security team require it for security purposes, that the security team review the upload and then note +1 in this bug?

description: updated
Marc Deslauriers (mdeslaur) wrote :

I have discussed this update with Marco, and have looked over the changes. While they do appear substantial, it is mostly due to the switch away from GDBus.

OEMs have been asking us to enable the fingerprint devices on their hardware for a while now, and the current daemon has security issues that need to be addressed. Since fprintd is pretty much self-contained, I feel like a one-time update to the latest version is in our interest going forward in the LTS release. This will allow us to easily fix any further security issues if they come up once fprintd gets to be more widely deployed as the codebase will closely resemble the current upstream version.

I would like to point out that we need to make sure during testing of this SRU that configured fingerprint devices continue working after the upgrade, not only after a reboot but also in the current session after a background update.

Once the update has been successfully SRUed with adequate testing, I will rebuild it in the -security pocket.

Timo Aaltonen (tjaalton) wrote :

Upstream released 1.90.9 which is now entering hirsute, should we aim for that instead? The release notes say:

    Fix multiple daemon lockup issues (#97)
    Fix print garbage collection to not delete used prints
    pam: Use the device with the most prints

https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/97

Marco Trevisan (Treviño) (3v1n0) wrote :

Timo,

I was thinking about that, to be honest that bug only affects people who configured their system to use fingerprint for sudo-like authentication, so not really the most common scenario, but I think it's sane to do.

So I'll prepare a newer package.

summary: - Update and SRU 1.90.8
+ Update and SRU 1.90.9
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Marco, or anyone else affected,

Accepted fprintd into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fprintd/1.90.9-1~ubuntu20.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fprintd (Ubuntu Groovy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-groovy
Changed in fprintd (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Chris Halse Rogers (raof) wrote :

Hello Marco, or anyone else affected,

Accepted fprintd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fprintd/1.90.9-1~ubuntu20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Brian Murray (brian-murray) wrote : [fprintd/focal] verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for focal for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Marco Trevisan (Treviño) (3v1n0) wrote :

Tested with various sensors, and all seems to behave as expected with this version.

Plus the expected security fixes.

❯ apt-cache policy fprintd
fprintd:
  Installato: 1.90.9-1~ubuntu20.04.1
  Candidato: 1.90.9-1~ubuntu20.04.1
  Tabella versione:
 *** 1.90.9-1~ubuntu20.04.1 400
        400 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

tags: added: verification-done verification-done-focal
removed: removal-candidate verification-needed verification-needed-focal
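
A check for the verification step reported above, as an added example that is not part of the original comment or of Ubuntu's tooling: it confirms that the installed fprintd is the version under test and comes from the -proposed pocket, keyed on the `***` marker so that localized labels such as `Installato:` do not matter. The function names and the second sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example. On a real system feed it with:
#   apt-cache policy fprintd | verify_sru_install VERSION SUITE

# Output copied from the verification comment above (Italian locale).
SAMPLE_PROPOSED='fprintd:
  Installato: 1.90.9-1~ubuntu20.04.1
  Candidato: 1.90.9-1~ubuntu20.04.1
  Tabella versione:
 *** 1.90.9-1~ubuntu20.04.1 400
        400 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed sample: the proposed build is offered but the old one is installed.
SAMPLE_OLD='fprintd:
  Installed: 1.90.1-1ubuntu1
  Candidate: 1.90.1-1ubuntu1
  Version table:
     1.90.9-1~ubuntu20.04.1 400
        400 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
 *** 1.90.1-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status'

# Version on the "***" line, i.e. the one dpkg has installed.
installed_version() { awk '$1 == "***" { print $2; exit }'; }

# suite/component of every archive that provides the installed version.
installed_origins() {
    awk '
        $1 == "***"                   { in_entry = 1; next }
        in_entry && $2 ~ /^-?[0-9]+$/ { exit }       # next "<version> <priority>" line
        in_entry && $2 ~ /:\/\//      { print $3 }   # "<priority> <url> <suite/comp> ..."
    '
}

# verify_sru_install EXPECTED_VERSION EXPECTED_SUITE  (policy output on stdin)
verify_sru_install() {
    policy=$(cat)
    got=$(printf '%s\n' "$policy" | installed_version)
    if [ "$got" != "$1" ]; then
        echo "FAIL: installed version is '$got', expected '$1'"; return 1
    fi
    if ! printf '%s\n' "$policy" | installed_origins | grep -q "^$2/"; then
        echo "FAIL: installed version is not provided by $2"; return 1
    fi
    echo "OK: $1 installed from $2"
}

printf '%s\n' "$SAMPLE_PROPOSED" | verify_sru_install '1.90.9-1~ubuntu20.04.1' focal-proposed
printf '%s\n' "$SAMPLE_OLD" | verify_sru_install '1.90.9-1~ubuntu20.04.1' focal-proposed || true
```
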
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fprintd - 1.90.9-1~ubuntu20.04.1

---------------
fprintd (1.90.9-1~ubuntu20.04.1) focal; urgency=medium

  * Backport to focal (LP: #1908119)

fprintd (1.90.9-1) unstable; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * New upstream release:
    - Fix multiple daemon lockup issues (#97)
    - Fix print garbage collection to not delete used prints
    - pam: Use the device with the most prints
  * debian/control: Mark fprintd-doc as Multi-Arch: foreign

  [ Helmut Grohne ]
  * Fix nocheck FTFBS: Drop <!nocheck> from non-optional dependencies.
    (Closes: #977395)

fprintd (1.90.8-1~ubuntu20.04.1) focal; urgency=medium

  * Backport to focal (LP: #1908119)
  * debian/{control,gbp.conf}: Prepare for ubuntu focal branching
  * debian/{control, rules}: Do not use debhelper 13 features
  * debian/rules: Use meson test directly to handle timeouts
  * debian/patches: Drop all the patches applied upstream

fprintd (1.90.8-1) unstable; urgency=medium

  * New upstream release
    - pam: Only listen to NameOwnerChanged after fprintd is known to run
    - Place new ObjectManager DBus API at /net/reactivated/Fprint
  * debian/patches: Remove all patches, applied upstream or not needed anymore
  * debian/control: Depend on systemd 235, but only in linux
  * debian/rules: Require systemd and set unit path only on linux
  * debian/fprintd.install: Use dh-exec to filter linux-only files

fprintd (1.90.7-1) unstable; urgency=medium

  * New upstream release
    - Fix fprintd DBus configuration (Closes: #976990)
    - Change details of what requires authorization
    - Fix various race conditions in pam_fprintd
    - Permit interactive authorization from fprintd utilities
    - Do not allow deletion while another operation is ongoing
    - pam: Guard strdup calls against NULL pointers
  * debian/patches:
    - Refresh
    - Ignore NameOwnerChanged until fprintd is running

fprintd (1.90.5-2) unstable; urgency=medium

  * debian/patches: Make tests run with actual required libfprint version
  * debian/control: Remove test-only dependency on libfprint 1.90.4.
    Tests are now working with older libfprint versions too
  * debian/control: Add myself to Uploaders
  * debian/gbp.conf: Include suggested settings by GNOME team.
    Even if fprintd is not part of GNOME I think these settings are good
    practice anyways.

fprintd (1.90.5-1) unstable; urgency=medium

  * New upstream release:
    - Permit building with polkit older than 0.114
    - Fix possible issues with PAM test
    - Fix incorrect DBus policy
    - Fix build so that CFLAGS environment is correctly used
    - Skip hotplug test with older libfprint (which times out otherwise)
  * debian/patches: Drop patches applied upstream

fprintd (1.90.4-1) unstable; urgency=medium

  * Team upload.
  [ Marco Trevisan (Treviño) ]
  * New upstream release:
    - Use GDBus and async Polkit checks
    - Authentication is now required to enroll a new print (LP: #1532264,
      Closes: #719004)
    - Add support for the libfprint early reporting mechanism
    - Proper hotplug support together with libfprint 1.90.4
    - Handle STATE_DIRECTORY containing multiple paths
    - Vario...


Changed in fprintd (Ubuntu Focal):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for fprintd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Brian Murray (brian-murray) wrote :

The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release.

Changed in fprintd (Ubuntu Groovy):
status: Fix Committed → Won't Fix