[Bug 1794219] Re: [MIR] ledmon

Yuan-Chen Cheng 1794219 at bugs.launchpad.net
Wed Dec 15 00:15:41 UTC 2021 

** Changed in: oem-priority
       Status: Fix Committed => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is a bug assignee.
https://bugs.launchpad.net/bugs/1794219

Title:
  [MIR] ledmon

Status in OEM Priority Project:
  Confirmed
Status in ledmon package in Ubuntu:
  Incomplete

Bug description:
  == Requirements ==

  [Availability]
  Currently in universe.
  Package in LP: https://launchpad.net/ubuntu/+source/ledmon
  Upstream: https://github.com/intel/ledmon

  [Rationale]
  1.OEM projects needs to include ledmon for VROC suport (LP: #1759225)
  2.Intel still maintains upstream for that (LP: #1668126)
  3.Dependencies already in main.

  [Security]
  No security issues exposed so far. We may need to rely on Intel to be aware of upstream commits for security fixes.

  [Quality Assurance]
  1.No debconf questions
  2.No outstanding bugs
  3.I can help to make sure the consistency for status of important bugs in Debian's/Ubuntu's, and upstream's bug (on github).
  4.Ledmon only supports Intel related storage controller (e.g. AHCI/iSCSI/VMD controller)
  5.No test suite shipped with ledmon
  6.No dependencies with obsolete or demoted packages

  [UI standards]
  1.This is a CLI tool/daemon service. It has normal CLI style short help and man pages. (man ledmon/ledctl)
  2.No desktop file required as it is a backend tool.

  [Dependencies]
  build-depends: perl (main), libsgutils2-dev (main), libudev-dev (main)
  binary-depends: openipmi (main)

  [Standards Compliance]
  The package should meet the FHS and Debian Policy standards.

  [Maintenance]
  Package owning team: The Foundations team
  Debian package maintained by Daniel Jared Dominguez (but seems he didn't maintain the latest one: currently the version 0.90 on upstream and it's 0.79-2 on debian)
  https://tracker.debian.org/pkg/ledmon

  [Background Information]
  ledmon and ledctl are userspace tools designed to control storage enclosure LEDs. The user must have root privileges to use these tools.

  These tools use the SGPIO and SES-2 protocols to monitor and control
  LEDs. They been verified to work with Intel(R) storage controllers
  (i.e. the Intel(R) AHCI controller) and have not been tested with
  storage controllers of other vendors (especially SAS/SCSI
  controllers).

  For backplane enclosures attached to ISCI controllers, support is
  limited to Intel(R) Intelligent Backplanes.

  == Security checks ==
  1.http://cve.mitre.org/cve/search_cve_list.html: Search in the National Vulnerability Database using the package as a keyword
    * There are 0 CVE entries that match your search.

  2.Check OSS security mailing list (feed 'site:www.openwall.com/lists/oss-security <pkgname>' into search engine)
    * No security issue found

  3.Ubuntu CVE Tracker
    http://people.ubuntu.com/~ubuntu-security/cve/main.htm
    * No
    http://people.ubuntu.com/~ubuntu-security/cve/universe.html
    * No
    http://people.ubuntu.com/~ubuntu-security/cve/partner.html
    * No

  4.Check for security relevant binaries. If any are present, this requires a more in-depth security review.
    * Executables which have the suid or sgid bit set.
      No
    * Executables in /sbin, /usr/sbin.
      Yes
    * Packages which install services / daemons (/etc/init.d/*, /etc/init/*, /lib/systemd/system/*)
      No
    * Packages which open privileged ports (ports < 1024).
      No
    * Add-ons and plugins to security-sensitive software (filters, scanners, UI skins, etc)
      No

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1794219/+subscriptions

More information about the foundations-bugs mailing list