Comment 4 for bug 1973033

Spyros Seimenis (sespiros) wrote :

I reviewed wpebackend-fdo 1.12.0-1 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

wpebackend-fdo is the reference implementation of the base rendering backend design
of WPE WebKit, a port of WebKit. It is also used by WebKitGTK to implement hardware-accelerated
rendering under Wayland.

- CVE History:
  - No CVEs in this specific backend implementation
- Build-Depends?
  - No encryption or networking build dependencies
- pre/post inst/rm scripts?
  - No
- init scripts?
  - No
- systemd units?
  - No
- dbus services?
  - No
- setuid binaries?
  - No
- binaries in PATH?
  - No
- sudo fragments?
  - No
- polkit files?
  - No
- udev rules?
  - No
- unit tests / autopkgtests?
  - No autopkgtests
  - No testsuite.
- cron jobs?
  - No
- Build logs:
  - WARNING: You should add the boolean check kwarg to the run_command call.
         It currently defaults to false,
         but it will default to true in future releases of meson.
         See also: https://github.com/mesonbuild/meson/issues/9300
  - NOTICE: Future-deprecated features used:
     * 0.56.0: {'dependency.get_pkgconfig_variable'}
  - dpkg-gencontrol: warning: Depends field of package libwpebackend-fdo-1.0-dev: substitution variable ${shlibs:Depends} used, but is not defined
  - No Lintian errors/warnings
- Processes spawned?
  - No
- Memory management?
  - Defensive bound checking when allocations are happening.
  - No testing suite (i.e. the newly introduced dma-buf pool for memory allocations is untested).
- File IO?
  - No
- Logging?
  - No issues
- Environment variable usage?
  - No
- Use of privileged functions?
  - No
- Use of cryptography / random number sources etc?
  - No
- Use of temp files?
  - No
- Use of networking?
  - No
- Use of WebKit?
  - No. Although related.
- Use of PolicyKit?
  - No

- Any significant cppcheck results?
  - No
- Any significant Coverity results?
  - SEE coverity.txt
- Any significant shellcheck results?
  - No
- Any significant bandit results?
  - No

Development is active with frequent releases but it follows a release model similar
to wpewebkit (and webkitgtk) which has been historically difficult to maintain, from
the security team's point of view, due to their release model (minor version releases
with limited information related to security only issues). Since this is a relatively
small codebase and no major issues have been found during code review I am inclined to
ACK it. The lack of a test suite (and autopkgtests) though is going to make testing
difficult.

Security team ACK for promoting wpebackend-fdo to main.