[Bug 1948748] Re: [MIR] swtpm
Christian Ehrhardt
1948748 at bugs.launchpad.net
Fri Oct 29 06:00:03 UTC 2021
Interim state update in regard to swtpm-tools, gnutls-bin and libopts25.
Discussing with Steve it seems that - for now - the best option seems to be:
- to keep the ssl/tls lib relation - both seem complex and needed for various reasons, e.g.
Steve: "a lot of low-level gnutls operations, I assume because there were no available
equivalents in libssl"
- but at the same time we seem to be able to cut the ties to gnutls-bin by
replacing the calls to certtool (from gnutls-bin) with something openssl based, that seems
possible and is on Steve.
- This would eliminate the need for gnutls28 + autogen MIRs
I'll update my post with the re-review content adapted to this outcome
** Changed in: autogen (Ubuntu)
Status: Incomplete => Won't Fix
** Changed in: gnutls28 (Ubuntu)
Status: Incomplete => Won't Fix
** Changed in: gnutls28 (Ubuntu)
Assignee: Steve Langasek (vorlon) => (unassigned)
** Changed in: autogen (Ubuntu)
Assignee: Steve Langasek (vorlon) => (unassigned)
** Changed in: swtpm (Ubuntu)
Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1948748
Title:
[MIR] swtpm
Status in autogen package in Ubuntu:
Won't Fix
Status in gnutls28 package in Ubuntu:
Won't Fix
Status in libtpms package in Ubuntu:
New
Status in swtpm package in Ubuntu:
New
Bug description:
[Availability]
Available in universe in jammy.
[Rationale]
Needed in order to provide TPM functionality to VMs through kvm/libvirt; should be a Recommends: of qemu-system-x86
[Security]
Several security bugs found and fixed in libtpms this year http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libtpms
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3746 currently
remains unfixed in the version present in jammy (DoS bug).
[Quality assurance]
Limited history: package not present in Debian, and only in Ubuntu since jammy.
[UI standards]
N/A
[Dependencies]
swtpm and libtpms; no further dependencies outside of main.
[Standards compliance]
OK
[Maintenance]
To be maintained by the Foundations Team.
[Background information]
N/A
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/autogen/+bug/1948748/+subscriptions