← Back to team overview

debcrafters-packages team mailing list archive

  1. debcrafters-packages team
  2. Mailing list archive
  3. Message #02334

[Bug 2031304] Re: [MIR] dracut

  Thread PreviousDate PreviousThread Next 
-- Main inclusion re-review --

[Summary]

Dracut is an initrd generation tool which is alternative to initramfs-
tools, currently used by Ubuntu. The rationale behind moving from
initramfs-tools to dracut is detailed in this specification -
https://discourse.ubuntu.com/t/spec-switch-to-dracut/54776.

MIR team ACK under the constraint to resolve the below listed required
TODOs and as much as possible having a look at the recommended TODOs.

I would suggest a security re-review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: all except dracut-install which is already in main
Specific binary packages built, but NOT to be promoted to main: None

Notes
#2.0 - The same MIR bug was used to review and promote the dracut-install binary package to main. This review is for the rest of the binary packages of src:dracut.

#2.1 - No more CVEs have been reported against dracut since the previous
security review.

#2.2 - The Debcrafters team is now subscribed to dracut.


Required TODOs
#2.3 - dracut-network Recommends iscsiuio which is in universe. See the [Dependencies] section. We could either drop iscsiuio to Suggests or do an additional MIR for it.


#2.4 - Address the localization related bug-report noted by the reporter LP#2088413 


Recommended TODOs
#2.5 - The complexity involved in running the upstream test-suite as build-time tests is noted. However, would it be possible to add some simple tests instead?


#2.6 - Address pending “Later TODOs” #3 and #4  from the previous review
       https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2031304/comments/1

#2.7 - It has been mentioned earlier that the cpio support is being addressed in 3cpio. It might help to understand how 3cpio would be integrated and shipped. Is 3cpio ready to be Debian packaged and MIR’d in the current release cycle? 
      
#2.8 - The dracut-network package has four alternative dependencies
	isc-dhcp-client | systemd | connman | network-manager
Among these isc-dhcp-client and connman are not in main. We could probably have systemd as the primary alternative?

#2.9 - Enable autopkgtests on arm64, i386 and riscv64
       https://autopkgtest.ubuntu.com/packages/dracut

#2.10 - Address lintian warnings as noted  in [Packaging red flags]

#2.11 - Address incautious use of malloc as noted in [Upstream red
flags], through a fix or an upstream bug report.


[Rationale, Duplication and Ownership]
OK:
 - There is no other package in main providing the same functionality
    => The initramfs-tools package provides the same functionality. But that is OK 
          because, this MIR is part of a planned transition from initramfs-tools
          to dracut, for creating the initrd.
 - A team is committed to own long term maintenance of this package
   => The Debcrafters team
 - The rationale given in the report seems valid and useful for Ubuntu
   => The rationale is well documented in   
         https://discourse.ubuntu.com/t/spec-switch-to-dracut/54776

Problems: None


[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now
  
Problems:
- SRCPKG checked with `check-mir`
  => dracut-network Recommends iscsiuio which is in universe
  => dracut-network Recommends isc-dhcp-client which is in universe
       but the systemd and network-manager alternatives are in main


[Embedded sources and static linking]
OK:
- no static linking through Built-Using or Static-Built-Using
- does not have unexpected Built-Using entries
- not a Go package
- not a Rust package

Problems: 
- embedded source present
  => dracut_cpio vendors third_party/crosvm, but this is built only if 
     configured with --enable-dracut-cpio, which we don't currently use


[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats from an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems: none
- history of CVEs does not look concerning
  => No new CVEs added since the previous CVE review by Security for the dracut-install MIR
- dracut does deal with security attestation and system authentication
  => request a Security re-review because the previous review is almost 2 years old

[Common blockers]
OK:
 - does not FTBFS currently
 - does have a non-trivial test suite that runs as autopkgtest
   - this does not need special HW for build or test
 - no new python2 dependency

Problems:
 - does not have a test suite that runs at build time
   => from reporter: the upstream test suite starts several virtual machines (needing time and 
        memory). The test suite need a kernel, but the linux kernel is only readable by root


[Packaging red flags]
OK:
 - Ubuntu does carry a delta, but it is reasonable and maintenance under control
 - symbols tracking not applicable for this kind of code
 - debian/watch is present and looks ok
 - Upstream update history is good
 - Debian/Ubuntu update history is good
 - the current release is packaged
 - promoting this does not seem to cause issues for MOTUs that so far maintained the package
 - debian/rules is rather clean
 - it is not on the lto-disabled-list
 

Problems:
 - no massive lintian warnings
   => however, there is a bunch of them related to the man pages
   W: dracut-core: groff-message troff:<standard input>:1003: warning [p 9, 1.7i]: cannot break line [usr/share/man/man7/dracut.cmdline.7.gz:2]
   W: dracut-core: groff-message troff:<standard input>:1003: warning [p 9, 1.7i]: cannot break line [usr/share/man/man7/dracut.kernel.7.gz:2]
   W: dracut-core: groff-message troff:<standard input>:1019: warning [p 9, 3.3i]: cannot break line [usr/share/man/man7/dracut.cmdline.7.gz:3]
   W: dracut-core: groff-message troff:<standard input>:1019: warning [p 9, 3.3i]: cannot break line [usr/share/man/man7/dracut.kernel.7.gz:3]
   W: dracut-core: groff-message troff:<standard input>:1256: warning [p 11, 3.7i]: cannot break line [usr/share/man/man7/dracut.cmdline.7.gz:4]
   W: dracut-core: groff-message troff:<standard input>:1256: warning [p 11, 3.7i]: cannot break line [usr/share/man/man7/dracut.kernel.7.gz:4]
   W: dracut-core: groff-message troff:<standard input>:1309: warning [p 11, 7.8i]: cannot break line [usr/share/man/man7/dracut.cmdline.7.gz:5]
   W: dracut-core: groff-message troff:<standard input>:1309: warning [p 11, 7.8i]: cannot break line [usr/share/man/man7/dracut.kernel.7.gz:5]
   W: dracut-core: groff-message troff:<standard input>:181: warning: macro 'an-trap' not defined [usr/share/man/man8/dracut.8.gz:1]
   W: dracut-core: groff-message troff:<standard input>:537: warning: macro 'an-trap' not defined [usr/share/man/man7/dracut.cmdline.7.gz:1]
   W: dracut-core: groff-message troff:<standard input>:537: warning: macro 'an-trap' not defined [usr/share/man/man7/dracut.kernel.7.gz:1]
   W: dracut-core: groff-message troff:<standard input>:68: warning: macro 'an-trap' not defined [usr/share/man/man7/dracut.modules.7.gz:1]
   W: dracut-core: groff-message troff:<standard input>:72: warning: macro 'an-trap' not defined [usr/share/man/man5/dracut.conf.5.gz:1]


[Upstream red flags]
OK:
 - no Errors/warnings during the build
 - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
 - no use of user nobody
 - no use of setuid / setgid
 - no dependency on webkit, qtwebkit, seed or libgoa-*
 - not part of the UI for extra checks

Problems:
 - some incautious use of malloc
   => src/install/dracut-install.c:576, malloc'd memory not free'd

 - open bugs (crashers, etc) in Debian or Ubuntu
   => Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103457
        Ubuntu: https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2032141
 - no translation present, but none needed for this case (user visible)?
   => open translation-related bug 
        https://bugs.launchpad.net/ubuntu/+source/plymouth/+bug/2088413


** Bug watch added: Debian Bug tracker #1103457
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103457

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to dracut in Ubuntu.
https://bugs.launchpad.net/bugs/2031304

Title:
  [MIR] dracut

Status in dracut package in Ubuntu:
  New

Bug description:
  [Availability]
  The package dracut is already in Ubuntu universe.
  The package dracut build for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/dracut

  [Rationale]
  The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185).
  The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering the kernel modules.

  To my knowledge there are only initramfs-tools (main) and dracut
  (universe) in the archive that cover the use case. initramfs-tools is
  Debian-specific and dracut tries to be a distro-agnostic solution.

  dracut-core is already used by Ubuntu Core:
  https://github.com/snapcore/core-initrd/

  The package dracut is required in Ubuntu main the feature freezy next
  Thursday to land the change in bug #2031185.

  [Security]
  - Had 5 security issues in the past
    - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
    - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
    - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
    - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
  - no `suid` or `sgid` binaries
  - Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
    - /lib/systemd/system/dracut-cmdline.service
    - /lib/systemd/system/dracut-initqueue.service
    - /lib/systemd/system/dracut-mount.service
    - /lib/systemd/system/dracut-pre-mount.service
    - /lib/systemd/system/dracut-pre-pivot.service
    - /lib/systemd/system/dracut-pre-trigger.service
    - /lib/systemd/system/dracut-pre-udev.service
    - /lib/systemd/system/dracut-shutdown-onfailure.service
    - /lib/systemd/system/dracut-shutdown.service
  - Packages does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints
  - Packages does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
    - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite need a kernel, but the linux kernel is only readable by root (see bug #759725)
  - The package runs an autopkgtest, and is currently passing on
    amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/d/dracut/20230816_015908_d6cb2@/log.gz
  - I am working on fixing the new autopkgtests on the other architectures (see bug #2031417).

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will be installed by default, but does not ask debconf
    questions higher than medium
  - Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

  [Standards compliance]
  - This package violates FHS or Debian Policy:
    - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distribution (e.g. Fedora) do

  [Maintenance/Owner]
  - Owning Team will be Foundations team
  - Foundations Team is not yet, but will subscribe to the package before promotion
  - This does not use static builds
  - This does not use vendored code
  - This does not use vendored code
  - This package is not rust based (but that might change in the future)
  - The package has been built in the archive more recently than the last
    test rebuild

  [Background information]
  The Package description explains the package well
  Upstream Name is dracut
  Link to upstream project: https://github.com/dracutdevs/dracut/wiki/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2031304/+subscriptions
  Thread PreviousDate PreviousThread Next