[Bug 1906671] Re: [MIR] usrmerge

Dan Streetman 1906671 at bugs.launchpad.net
Tue Jan 12 14:20:13 UTC 2021 

[Summary]
This is a small package which installs only only 2 perl scripts,
which are called only from maintainer scripts.

I don't see any security aspect of this package which would
require a review by the security team.

There is only one issue I see as potentially blocking MIR,
that the two installed perl scripts are in /usr/lib.

The FHS appears to prefer that binaries/scripts that are not
intended for direct user use should be located in /usr/libexec
instead of /usr/lib, though it does still allow use of /usr/lib.
But it does state, both for /usr/lib and /usr/libexec, that the
application should use a single subdirectory. While it does not
explicitly state that applications must use a single subdirectory
instead of placing files directly into /usr/lib, my reading of
it infers that.
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s06.html
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s07.html

However, this wouldn't be the first package in main that chose
to drop scripts directly into /usr/lib (e.g. command-not-found).
But it would be very rare. I think this should be changed,
to place the files into a subdirectory of either /usr/lib or
/usr/libexec, or at minimum provide a rationale for dropping the
scripts directly into /usr/lib.

List of specific binary packages to be promoted to main:
- usrmerge

Notes:
There are a few other trivial issues that I don't believe
need to block MIR; I will list them for completeness:
1. the test(s) are not run at build or via autopkgtest
   (this package is infrequently updated and the
   developer-run tests are likely sufficient)
2. the d/* maintainter scripts are not chmod +x
   (the build will set them +x so this is inconsequential)
3. the d/copyright is not in DEP5 format
   (nice to fix but also inconsequential)

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber (foundations)
- translation present
- not a python/go package, no extra constraints to consider int hat regard

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is not present, as this is native package
- Upstream update history not applicable (native package)
- Debian/Ubuntu update history is good but slowed in recent releases
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package (no Ubuntu delta)
- d/rules is rather clean
- Does not have Built-Using
- Not Go Package

Problems:
- lintian --pedantic warnings:
  1. maintainer scripts are not +x
  2. installed perl scripts are located in /usr/lib
  3. d/copyright is not in DEP5 format

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to usrmerge in Ubuntu.
https://bugs.launchpad.net/bugs/1906671

Title:
  [MIR] usrmerge

Status in usrmerge package in Ubuntu:
  New

Bug description:
  [Availability]

  In universe.

  [Rationale]

  Since Disco, Ubuntu has defaulted to merged usr systems, specifically
  that /lib is a symlink to /usr/lib.

  However, we have not yet completed this transition for systems that
  were installed pre-disco.

  This package performs such transition using maintainer scripts. It has
  been tested and improved thoroughly and has managed to work with all
  sorts of packages that happened to be installed on the system.

  For systems that were installed post disco, this package is
  effectively a no-op. Systems that use nfs mounting with split /usr
  care must be taken to ensure that initrd mounts nfs-backed /usr. The
  package aborts configuration if such rare configuration is detected to
  avoid potentially bracking reboot.

  For all other systems, we always provide a fallback initrd which has
  been mounting both / and /usr whenever possible.

  [Security]

  The package ships two perl scripts, which are executed by root from
  maintainer scripts.

  [Quality assurance]

  There is debconf question one can preseed to prevent the migration,
  there is README.Debian explaining what it does and how. It is a one-
  way / one-time migration, removing the package will not undo the
  migration.

  [Dependencies]

  Perl, and many documented conflicts to ensure that usrmerge compatible
  packages are on disk prior to migration.

  [Standards compliance]

  Adheres to Debian Policy.

  [Maintenance]

  Maintained in Debian, merged and supported by Foundations,
  foundations-bugs is subscribed.

  [Background information]

  This will complete usrmerge migration, and will allow to switch
  buildds to build packages with merged-usr by default.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/usrmerge/+bug/1906671/+subscriptions

More information about the foundations-bugs mailing list