
debcrafters-packages team mailing list archive

[Bug 2031304] Re: [MIR] dracut

 

So now that we got a security team +1, those were the required MIR-team
review TODOs:

> #2.3 - dracut-network Recommends iscsiuio which is in universe. See
> the [Dependencies] section. We could either drop iscsiuio to Suggests
> or do an additional MIR for it.

iscsiuio was demoted to a suggest which resolves that point.


> #2.4 - Address the localization related bug-report noted by the reporter LP#2088413

After testing we believe now that the issue isn't specific to dracut,
also the report is about offline updates which is a plymouth option not
used in Ubuntu since we don't do offline updates.


We will keep investigating how to improve the translation situation for plymouth in initrd mode and work on the issue as high priority but we would like to ask for that point to be lowered to a recommended and to get a +1 now to do the transition to dracut in Questing.

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to dracut in Ubuntu.
https://bugs.launchpad.net/bugs/2031304

Title:
  [MIR] dracut

Status in dracut package in Ubuntu:
  New

Bug description:
  [Availability]
  The package dracut is already in Ubuntu universe.
  The package dracut builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/dracut

  [Rationale]
  The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185).
  The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules.

  To my knowledge there are only initramfs-tools (main) and dracut
  (universe) in the archive that cover the use case. initramfs-tools is
  Debian-specific and dracut tries to be a distro-agnostic solution.

  dracut-core is already used by Ubuntu Core:
  https://github.com/snapcore/core-initrd/

  The package dracut is required in Ubuntu main the feature freeze next
  Thursday to land the change in bug #2031185.

  [Security]
  - Had 5 security issues in the past
    - https://ubuntu.com/security/CVE-2016-8637 can disclose local information
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484 (issue in cryptsetup package, not dracut)
    - https://ubuntu.com/security/CVE-2015-0794 seems to be a SuSE specific issue
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0267 allows local users to write to arbitrary files via a symlink attack (probably Red Hat specific)
    - https://ubuntu.com/security/CVE-2012-4453 creates initramfs images with world-readable permissions
    - https://ubuntu.com/security/CVE-2010-4176 allows remote authenticated users to read terminal data from tty0 for local users (but vulnerable script not shipped)
  - no `suid` or `sgid` binaries
  - Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.target.wants):
    - /lib/systemd/system/dracut-cmdline.service
    - /lib/systemd/system/dracut-initqueue.service
    - /lib/systemd/system/dracut-mount.service
    - /lib/systemd/system/dracut-pre-mount.service
    - /lib/systemd/system/dracut-pre-pivot.service
    - /lib/systemd/system/dracut-pre-trigger.service
    - /lib/systemd/system/dracut-pre-udev.service
    - /lib/systemd/system/dracut-shutdown-onfailure.service
    - /lib/systemd/system/dracut-shutdown.service
  - Package does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints
  - Package does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dracut/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dracut
    - Upstream's bug tracker: https://github.com/dracutdevs/dracut/issues
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the Linux kernel is only readable by root (see bug #759725)
  - The package runs an autopkgtest, and is currently passing on
    amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/d/dracut/20230816_015908_d6cb2@/log.gz
  - I am working on fixing the new autopkgtests on the other architectures (see bug #2031417).

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will be installed by default, but does not ask debconf
    questions higher than medium
  - Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/dracut/-/blob/master/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote

  [Standards compliance]
  - This package violates FHS or Debian Policy:
    - Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distributions (e.g. Fedora) do

  [Maintenance/Owner]
  - Owning Team will be Foundations team
  - Foundations Team is not yet, but will subscribe to the package before promotion
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based (but that might change in the future)
  - The package has been built in the archive more recently than the last
    test rebuild

  [Background information]
  The Package description explains the package well
  Upstream Name is dracut
  Link to upstream project: https://github.com/dracutdevs/dracut/wiki/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2031304/+subscriptions