[Bug 1152187] Re: [MIR] systemd
Seth Arnold
1152187 at bugs.launchpad.net
Wed Mar 13 22:06:40 UTC 2013
I reviewed version 198-0ubuntu0ppa2 from pitti's PPA.
I confined my review primarily to src/logind/ and src/udevd/ directories,
as these are the largest of the components we intend to use. This should
not be considered a full security audit, but rather a quick and dirty
gauge of code cleanliness.
- No cron jobs, fscaps, sudo
- Several initscripts
- Provides dbus services
- Limited use of setuid(2) looked safe
- Some executables not PIE
- All executables use stack protection, fortify, relro, bind_now
- Minimal tests; extensive global state would be difficult to test
- Daemons initialize carefully
- Many libtool warnings
- Many dpkg-shlibdeps warnings
- Memory allocations check for failure
- Error codes are returned, checked
- String manipulation uses good utility routines
- Crypto used only in un-audited portions
I did not verify if the package provides needed functionality.
Since this is a fairly specialized sort of package, I'm not too surprised
about e.g. libtool and dpkg-shlibdeps warnings. However, they would make
it more difficult to spot warnings in the future. Please consider spending
some time to reduce the warning count.
ACK for the proposed selective inclusion into main.
** Changed in: systemd (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => MIR approval team (ubuntu-mir)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1152187
Title:
[MIR] systemd
Status in “systemd” package in Ubuntu:
New
Bug description:
* The package is in universe and built on all archs:
https://launchpad.net/ubuntu/+source/systemd/44-10ubuntu1
* Rationale:
- in a first step we want systemd-services promoted to replace ubuntu-system-services
- We will also want to move from consolekit to logind soon
(https://blueprints.launchpad.net/ubuntu/+spec/foundations-1303-consolekit-logind-migration)
- udev has been merged in the systemd source upstream so we will want
to build it from there at some point as well
we don't plan to use the systemd init system at this point
* Security:
there have been some security issues in the past
http://secunia.com/advisories/search/?search=systemd
http://secunia.com/advisories/48220/
http://secunia.com/advisories/48208/
http://secunia.com/advisories/48331/
Those are mostly logind issues and have been fixed upstream.
Our current package is outdated but we do plan to update it before
starting to use logind. There should be no issue with the services.
* Quality:
- there is no RC bug in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=systemd
- there is no bug open in Launchpad: https://launchpad.net/ubuntu/+source/systemd/+bugs
- upstream is active and responsive to issues
The desktop bugs team is subscribed to the package in launchpad,
foundations/desktop will maintain the package and look to the bug
reports regularly.