kernel-packages team mailing list archive

[Colin Ian King <1532198@xxxxxxxxxxxxxxxxxx>]

Bah, I messed up (brown paper bag).

@Michael, do you mind checking again, I've uploaded it to:

https://launchpad.net/~colin-
king/+archive/ubuntu/zfs-0.6.5.6-sru-v2/+packages

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to zfs-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1532198

Title:
  [MIR] zfs-linux

Status in zfs-linux package in Ubuntu:
  Incomplete

Bug description:
  Following the process documented at
  https://wiki.ubuntu.com/MainInclusionProcess , the following template
  needs to be filled in to start the MIR for zfs-linux in 16.04

  Below are my answers to the various main inclusion requirements,
  marked by a * prefix:

  [Availability]:

    "The package must already be in the Ubuntu universe, and must
    build for the architectures it is designed to work on."

    * http://packages.ubuntu.com/xenial/admin/zfsutils-linux
    * Yes - built for 64 bit arches only, because ZFS is designed to run
      well only on 64 bit architectures.

  [Rationale]:

    "There must be a certain level of demand for the package, for example:
    The package is useful for a large part of our user base."

    * Yes - there is a lot of interest in ZFS in the server space and for
      users wanting to use a file system that supports huge collections of
      disks with excellent reliable features such as checksummed raid,    mirroring
      striping with easy configuration and also simple data sanity checking and
      fixing.
    * Being requested by Kiko

    "The package is a new build dependency or dependency of a package that we
    already support (additionally, the official image builder requires all
    used packages be in main)."

    * Yes, already in Wily as a technology demo.

    "The package helps meet a specific Blueprint goal."

    * No blueprint goal.

    "The package replaces another package we currently support and promises
    higher quality and/or better features, so that we can drop the old
    package from the supported set."

    * Not applicable


  [Security]:
    "The security history and the current state of security issues in
    the package must allow us to support the package for at least 18 months
    without exposing its users to an inappropriate level of security risks.
    This requires checking of several things that are explained in detail in
    the subsection Security checks."

    "Check how many vulnerabilities the package had in the past and how they
    were handled by upstream and the Debian/Ubuntu package:"

    "http://cve.mitre.org/cve/cve.html: Search in the National Vulnerability
     Database using the package as a keyword"

    NO ZFS Linux CVEs found, here is the complete list from Mitre:

  CVE-2015-1415
    The bsdinstall installer in FreeBSD 10.x before 10.1 p9, when configuring
    full disk encrypted ZFS, uses world-readable permissions for the GELI
    keyfile (/boot/encryption.key), which allows local users to obtain sensitive
    key information by reading the file.

  CVE-2015-0448
    Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to
    affect confidentiality, integrity, and availability via vectors related to
    ZFS File system.

  CVE-2013-3266
    The nfsrvd_readdir function in sys/fs/nfsserver/nfs_nfsdport.c in the new
    NFS server in FreeBSD 8.0 through 9.1-RELEASE-p3 does not verify that a
    READDIR request is for a directory node, which allows remote attackers to
    cause a denial of service (memory corruption) or possibly execute arbitrary
    code by specifying a plain file instead of a directory.

  CVE-2011-2313
    Unspecified vulnerability in Oracle Solaris 10 allows local users to affect
    availability, related to ZFS.

  CVE-2011-2312
    Unspecified vulnerability in Oracle Solaris 10 allows local users to affect
    confidentiality, related to ZFS.

  CVE-2011-2311
    Unspecified vulnerability in Oracle Solaris 10 allows local users to affect
    availability, related to ZFS.

  CVE-2011-2286
    Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows remote
    authenticated users to affect availability, related to ZFS.

  CVE-2010-4458
    Unspecified vulnerability in Oracle Solaris 11 Express allows local users
    to affect availability, related to ZFS.

  CVE-2010-3540
    Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local
    users to affect availability, related to ZFS.

  CVE-2010-2392
    Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local
    users to affect integrity and availability, related to ZFS.

  CVE-2010-0318
    The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2,
    and 8.0, when creating files during replay of a setattr transaction, uses
    7777 permissions instead of the original permissions, which might allow
    local users to read or modify unauthorized files in opportunistic
    circumstances after a system crash or power failure.

  CVE-2009-3706
    Unspecified vulnerability in the ZFS filesystem in Sun Solaris 10, and
    OpenSolaris snv_100 through snv_117, allows local users to bypass intended
    limitations of the file_chown_self privilege via certain uses of the chown
    system call. 

    "http://secunia.com/advisories/search/: search for the package as a
  keyword"

    * No security advisories found

    Ubuntu CVE Tracker:

    http://people.ubuntu.com/~ubuntu-security/cve/main.html
    * No
    http://people.ubuntu.com/~ubuntu-security/cve/universe.html
    * No
    http://people.ubuntu.com/~ubuntu-security/cve/partner.html
    * No

    "Check for security relevant binaries. If any are present, this
    requires a more in-depth security review."

    "Executables which have the suid or sgid bit set."
    * Not applicable

    "Executables in /sbin, /usr/sbin."
    * Applicable. This requires security review

    "Packages which install daemons (/etc/init.d/*)"
    * Applicable. This requires security review

    "Packages which open privileged ports (ports < 1024)."
    * Not applicable

    "Add-ons and plugins to security-sensitive software (filters,
    scanners, UI skins, etc)"
    * Not applicable

  
  [Quality assurance]
    "After installing the package it must be possible to make it working with a reasonable effort of configuration and documentation reading."
   
    * Will work "out-of-the-box" once zfsutils-linux installed with 4.4 kernel
    * Quick start ZFS reference guide written:
      https://wiki.ubuntu.com/Kernel/Reference/ZFS
    * Package contains main pages

    "The package must not ask debconf questions higher than medium if it is
    going to be installed by default. The debconf questions must have
    reasonable defaults."

    * Does not apply.

  
    "There are no long-term outstanding bugs which affect the usability of the program to a major degree. To support a package, we must be reasonably convinced that upstream supports and cares for the package."

    * We have good upstream support from ZFS maintainers, response to bugs
      file upstream is within 24 hours

    "The status of important bugs in Debian's, Ubuntu's, and upstream's bug
    tracking systems must be evaluated. Links to these bug trackers need to
    be provided in the MIR report. Important bugs must be pointed out and
    discussed in the MIR report."

    Upsteam bug tracking:
      ZFS - https://github.com/zfsonlinux/zfs/issues
      SPL - https://github.com/zfsonlinux/spl/issues
    Ubuntu bug tracking:
      https://bugs.launchpad.net/ubuntu/+source/zfs-linux

    Resolved bugs:
    LP#1521952 Add dependency on dh-systemd for zfs-linux
    LP#1513124 Fix FTBFSs on ppc64el and arm64

    "The package is maintained well in Debian/Ubuntu (check out the Debian PTS)"
      Maintained by Kernel team in sync with kernel
    

    Testing: We have several sets of ZFS specific regression tests in the
      kernel team autotest test infrastructure:

    * The ZFS test suite:
      http://kernel.ubuntu.com/git/ubuntu/autotest-client-tests.git/tree/ubuntu_zfs
    * fstest (Linux POSIX file system test suite)
      http://kernel.ubuntu.com/git/ubuntu/autotest-client-tests.git/tree/ubuntu_zfs_fstest
    * ZFS I/O stress tests:
      http://kernel.ubuntu.com/git/ubuntu/autotest-client-tests.git/tree/ubuntu_zfs_stress
    * XFS generic tests on ZFS:
      http://kernel.ubuntu.com/git/ubuntu/autotest-client-tests.git/tree/ubuntu_zfs_xfs_generic

    Note: currently working on a adt set of tests for ZFS to cover core features as
    as set of kernel team smoke tests.

  [Dependencies]:
    All build and binary dependencies (including Recommends:) must be
    satisfyable in main (i. e. the preferred alternative must be in main).
    If not, these dependencies need a separate MIR report (this can be a
    separate bug or another task on the main MIR bug)

    zfs-linux:
    * autotools-dev - Yes
    * autoconf - Yes
    * autogen - Yes
    * automake - Yes
    * debhelper - Yes
    * dh-autoreconf - Yes
    * dh-systemd - Yes
    * dkms - Yes
    * libselinux1-dev - Yes
    * libtool - Yes
    * uuid-dev - Yes
    * zlib1g-dev - Yes

  [Standards compliance]

    "Standards compliance: The package should meet the FHS and Debian Policy
    standards. Major violations should be documented and justified. Also, the
    source packaging should be reasonably easy to understand and maintain."
    
    Yes, I believe so.

  [Maintenance]

    "The package must have an acceptable level of maintenance
    corresponding to its complexity:
    Simple packages (e.g. language bindings, simple Perl modules, small
    command-line programs, etc.) might not need very much maintenance effort,
    and if they are maintained well in Debian we can just keep them synced

    More complex packages will usually need a developer or team of
    developers paying attention to their bugs, whether that be in Ubuntu or
    elsewhere (often Debian). Packages that deliver major new headline
    features in Ubuntu need to have commitment from Ubuntu developers
    willing to spend substantial time on them."

    * Falls into the complex package category. Colin King will primarily
      maintain this package, with ownership owned and covered by the
      Canonical Kernel Team. We have already performed SRU on ZFS in
      Wily, showing we have the means to actively support this package.

    "All packages must have a designated "owning" team, regardless of
    complexity, which is set as a package bug contact."

    * Yes, Canononical Kernel Team
      https://launchpad.net/~canonical-kernel-team

  [Background information]
    "The package descriptions should explain the general purpose and context
    of the package. Additional explanations/justifications should be done
    in the MIR report."

    * Yes, package description covers the scope of the package

    "If the package was renamed recently, or has a different upstream name,
    this needs to be explained in the MIR report."

    The ZFS on Linux provides ZFS packaged under the debian-zfs.  Debian
    provides zfsutils for *BSD based kernels (kFreeBSD). The package name
    zfsutils-linux was chosen for Linux based arches.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zfs-linux/+bug/1532198/+subscriptions