debcrafters-packages team mailing list archive
Message #02942
[Bug 2031304] Re: [MIR] dracut
Feedback so far:
#2.3 - dracut-network Recommends iscsiuio which is in universe. See the
[Dependencies] section. We could either drop iscsiuio to Suggests or do
an additional MIR for it.
-> We should do a MIR for iscsiuio. iscsiuio comes from the open-iscsi
source package where open-iscsi is already in main. But I found no
previous MIR for open-iscsi. So redoing a MIR for open-iscsi is the way
to go.
#2.5 - The complexity involved in running the upstream test-suite as
build-time tests is noted. However, would it be possible to add some
simple tests instead?
-> We could run TEST-80-GETARGS (which is the only unit test) and run
"make syncheck" to run shellcheck. ... and done in 107-1ubuntu2.
#2.6 - Address pending “Later TODOs” #3 and #4 from the previous review
https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2031304/comments/1
-> I would like to address point #3 by introducing 3cpio. Point #4 is
translations, which is the same as point #2.4, isn't it?
#2.7 - It has been mentioned earlier that the cpio support is being
addressed in 3cpio. It might help to understand how 3cpio would be
integrated and shipped. Is 3cpio ready to be Debian packaged and MIR’d
in the current release cycle?
-> We have 3cpio in Ubuntu, but not in Debian yet. The next steps for 3cpio are:
* Finish creation support in 3cpio: https://github.com/bdrung/3cpio/issues/2 (I have done work locally)
* Land 3cpio in Debian
* Add support for 3cpio to dracut
Maybe 3cpio is ready in time for this cycle, but maybe not.
#2.8 - The dracut-network package has four alternative dependencies
isc-dhcp-client | systemd | connman | network-manager
Among these isc-dhcp-client and connman are not in main. We could probably have systemd as the primary alternative?
-> Good catch. I changed the order in 107-1ubuntu2
#2.9 - Enable autopkgtests on arm64, i386 and riscv64
https://autopkgtest.ubuntu.com/packages/dracut
-> That is not trivial. I opened bug #2115532 for tracking it.
#2.10 - Address lintian warnings as noted in [Packaging red flags]
-> handled via bug #2115494
#2.11 - Address incautious use of malloc as noted in [Upstream red
flags], through a fix or an upstream bug report.
-> That malloc has been replaced by commit aac5c914af84
("feat(dracut-install): extend new ELF parsing code to replace ldd calls"),
which will be part of 108, which will be released on 2025-08-01 and
included in questing.
** Bug watch added: github.com/bdrung/3cpio/issues #2
https://github.com/bdrung/3cpio/issues/2
https://bugs.launchpad.net/bugs/2031304
Title:
[MIR] dracut
Status in dracut package in Ubuntu:
New
Bug description:
[Availability]
The package dracut is already in Ubuntu universe.
The package dracut builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/dracut
[Rationale]
The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185).
The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules.
To my knowledge there are only initramfs-tools (main) and dracut
(universe) in the archive that cover the use case. initramfs-tools is
Debian-specific and dracut tries to be a distro-agnostic solution.
dracut-core is already used by Ubuntu Core:
https://github.com/snapcore/core-initrd/
The package dracut is required in Ubuntu main by the feature freeze next
Thursday to land the change in bug #2031185.
[Security]
- Had 5 security issues in the past
  - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
  - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
  - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
  - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
- no `suid` or `sgid` binaries
- Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
  - /lib/systemd/system/dracut-cmdline.service
  - /lib/systemd/system/dracut-initqueue.service
  - /lib/systemd/system/dracut-mount.service
  - /lib/systemd/system/dracut-pre-mount.service
  - /lib/systemd/system/dracut-pre-pivot.service
  - /lib/systemd/system/dracut-pre-trigger.service
  - /lib/systemd/system/dracut-pre-udev.service
  - /lib/systemd/system/dracut-shutdown-onfailure.service
  - /lib/systemd/system/dracut-shutdown.service
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
  - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the Linux kernel is only readable by root (see bug #759725)
- The package runs an autopkgtest, and is currently passing on
amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/d/dracut/20230816_015908_d6cb2@/log.gz
- I am working on fixing the new autopkgtests on the other architectures (see bug #2031417).
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote
[Standards compliance]
- This package violates FHS or Debian Policy:
  - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distributions (e.g. Fedora) do
[Maintenance/Owner]
- Owning Team will be Foundations team
- Foundations Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based (but that might change in the future)
- The package has been built in the archive more recently than the last
test rebuild
[Background information]
The Package description explains the package well
Upstream Name is dracut
Link to upstream project: https://github.com/dracutdevs/dracut/wiki/