[Bug 1889688] Re: [MIR] nvme-cli

Dan Streetman 1889688 at bugs.launchpad.net
Fri Aug 28 21:11:27 UTC 2020


[Summary]
ACK from MIR team based on review below.

This does need a security review, so I'll assign ubuntu-security

[Duplication]
OK:
There is no other package in main providing the same functionality.

[Dependencies]
OK:
no other Dependencies to MIR due to this
no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
no embedded source present
no static linking

[Security]
OK:
history of CVEs does not look concerning (no CVEs found)
does not run a daemon as root
does not use webkit1,2
does not use lib*v8 directly
does not parse data formats
  - note: it does interact with nvme devices using the NVMe specification api
does not open a port
does not process arbitrary web content
does not use centralized online accounts
does not integrate arbitrary javascript into the desktop
does not deal with system authentication (eg, pam, etc)

[Common blockers]
OK:
does not FTBFS currently
The package has a team bug subscriber (ubuntu foundations)
no translation present, but only minimal user interaction; is mostly a pure technical interface
not a python/go package, no extra constraints to consider in that regard
no new python2 dependency
not go package

Problems:
does have a test suite, but not run at build time
does not have a test suite that runs as autopkgtest
*however*, above 2 problems are due to tests requiring system with nvme drive

[Packaging red flags]
OK:
Ubuntu does not carry a delta
symbols tracking not applicable for this kind of code (no shared lib)
d/watch is present and looks ok
Upstream update history is good
Debian/Ubuntu update history is good
the current release is packaged
promoting this does not seem to cause issues for MOTUs (no ubuntu delta)
d/rules is rather clean
Does not have Built-Using
not Go Package

Problems:
no massive Lintian warnings, but groovy package does use debhelper compat 9

[Upstream red flags]
OK:
no significant errors/warnings during the build
no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
no use of user nobody
no use of setuid
no important open bugs (crashers, etc) in Debian or Ubuntu
no dependency on webkit, qtwebkit, seed or libgoa-*
no embedded source copies
not part of the UI for extra checks

Problems:
use of malloc/sprintf:
  - there are many uses of malloc and sprintf, which mostly seems "ok"
  - however, since the use is only by the nvme stand-alone program,
    any failure would only affect use of that specific program;
    there is no library or daemon provided by the package
  - the security team may want to review malloc/sprintf use in more detail


** Changed in: nvme-cli (Ubuntu)
     Assignee: Dan Streetman (ddstreet) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nvme-cli in Ubuntu.
https://bugs.launchpad.net/bugs/1889688

Title:
  [MIR] nvme-cli

Status in nvme-cli package in Ubuntu:
  Confirmed

Bug description:
  [Availability]

  Package is available in Universe. Builds are green for all arches
  specified

  [Rationale]

  This is a request from Google as they utilize nvme-cli to manage nvme
  drives in their cloud. The package offers tools for managing nvme
  drives, including nvme over fabric (NVMEoF). NVMEoF is of particular
  interest as cloud providers build out with nvme drives.

  [Security]

  No current security advisories. Has been a part of Universe since
  Xenial, and shows supportability (the source in Github is updated with
  regularity [within 1 hour of me opening the page, with regular commits
  including 11 merged PRs in the past 30 days])

  [Quality assurance]

  Upstream bugs are tracked on the github repo:
  https://github.com/linux-nvme/nvme-cli

  nvme-cli has been a part of Debian since stretch:
  https://packages.debian.org/stretch/nvme-cli.

  [UI standards]

  Autogenerated man pages for nvme commands and all subcommands (nvme-*)
  Man pages are fleshed out with all options described.

  [Dependencies]

  libc6 (>= 2.14) [amd64]

      GNU C Library: Shared libraries

      also a virtual package provided by libc6-udeb

  libc6 (>= 2.17) [arm64, ppc64el]

  libc6 (>= 2.8) [armhf, s390x]

  [Standards compliance]

  nvmeexpress.org, the group maintaining the package, is a compliance
  organization. They include many major technology groups as members.

  [Maintenance]
  Foundations will subscribe to the package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nvme-cli/+bug/1889688/+subscriptions
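The malloc/sprintf item under "Upstream red flags" in the review above names a pattern rather than a specific defect. As an added illustration for readers of this review (constructed for this page, not code from nvme-cli), the block below shows the two hardened forms a security reviewer looks for when auditing that pattern: formatting into a fixed buffer with snprintf so truncation is detected instead of overflowing, and sizing a heap buffer from a dry-run snprintf with the malloc result checked before use. The "/dev/nvme%dn%d" format string and the function names are assumptions chosen for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not nvme-cli code): build a device path such as
 * "/dev/nvme0n1" from a controller id and a namespace id, the kind of
 * string formatting a CLI tool does constantly. */

/* Replacement for "sprintf into a fixed buffer": snprintf returns the
 * length the full string would need, so a too-small buffer is reported
 * as an error rather than silently overrun.
 * Returns 0 on success, -1 with errno set on failure. */
int format_dev_path(char *buf, size_t bufsz, int ctrl, int ns)
{
    if (buf == NULL || bufsz == 0 || ctrl < 0 || ns < 0) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(buf, bufsz, "/dev/nvme%dn%d", ctrl, ns);
    if (n < 0) {               /* encoding error from the C library */
        errno = EIO;
        return -1;
    }
    if ((size_t)n >= bufsz) {  /* output was truncated: reject it */
        buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Replacement for "malloc + sprintf" with an unchecked result: measure
 * first, allocate exactly, check the allocation, then format into it.
 * Caller frees the result. Returns NULL with errno set on failure. */
char *alloc_dev_path(int ctrl, int ns)
{
    if (ctrl < 0 || ns < 0) {
        errno = EINVAL;
        return NULL;
    }
    int need = snprintf(NULL, 0, "/dev/nvme%dn%d", ctrl, ns);
    if (need < 0) {
        errno = EIO;
        return NULL;
    }
    char *out = malloc((size_t)need + 1);
    if (out == NULL)
        return NULL;           /* malloc already set errno to ENOMEM */
    int n = snprintf(out, (size_t)need + 1, "/dev/nvme%dn%d", ctrl, ns);
    if (n != need) {           /* should not happen; never trust it */
        free(out);
        errno = EIO;
        return NULL;
    }
    return out;
}

int main(void)
{
    char small[8];             /* deliberately too small for "/dev/nvme0n1" */
    if (format_dev_path(small, sizeof small, 0, 1) != 0)
        printf("8-byte buffer rejected: %s\n", strerror(errno));

    char ok[32];
    if (format_dev_path(ok, sizeof ok, 0, 1) == 0)
        printf("fixed buffer: %s\n", ok);

    char *p = alloc_dev_path(12, 3);
    if (p != NULL) {
        printf("heap buffer: %s\n", p);
        free(p);
    }
    return 0;
}
```

When auditing a package for this pattern, the questions are the ones the two functions answer explicitly: is every sprintf destination bounded, is a truncated result treated as an error, and is every malloc return checked before it is written to.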
