[Bug 1948748] Re: [MIR] swtpm
Christian Ehrhardt
1948748 at bugs.launchpad.net
Fri Oct 29 07:04:51 UTC 2021
Review for Package: libtpms
[Summary]
As swtpm this seems generally well packaged, and already has plenty of users.
It needs a bit polishing here and there but seems close to be promotable.
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: libtpms0
Required TODOs:
- please package the current v0.9
https://github.com/stefanberger/libtpms/releases/tag/v0.9.0
- Fix the ppc64 FTBFS
https://launchpadlibrarian.net/557789130/buildlog_ubuntu-impish-ppc64el.libtpms_0.8.2-1ubuntu1_BUILDING.txt.gz
- Track and resolve https://github.com/stefanberger/libtpms/issues/215
to ensure this works well with openssl3.0 in Ubuntu 22.04
Recommended TODOs:
- Right now it has no autopkgtest, maybe - like swtpm this could at least run
the build time tests to spot things as early as dependency-update instead of
"on the next rebuild"?
- The package should get a team bug subscriber before being promoted
[Duplication]
There are the tpm2-tss related packages, but those are for consumption of
real (or emulated) TPMs. No other package in main providing the same
functionality of emulating/mocking/faking a TPM in software.
[Dependencies]
OK:
- no other Dependencies to MIR due to this (just libc and ssl)
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the built reverse-depends are in universe
- no -dev/-debug/-doc packages that need exclusion (-dev exists but has no
aggressive deps that would be a problem)
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
Problems:
- does parse data formats
- does deal with security attestation (secure boot, tpm, signatures)
- history of CVEs does look concerning
- Also the intended use case just yells "this needs a seucrity review"
[Common blockers]
OK:
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- additional testing by usage in swtpm and its tests is indirectly existing
- no new python2 dependency
Problems:
- does not have a non-trivial test suite that runs as autopkgtest
- does FTBFS currently (on PPC64)
=> https://launchpadlibrarian.net/557789130/buildlog_ubuntu-impish-ppc64el.libtpms_0.8.2-1ubuntu1_BUILDING.txt.gz
I do not see why we would not need this on this arch, so for equivalency we
have to fix it before promoting it
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
control
- symbols tracking is in place (debian/libtpms0.symbols)
- d/watch is present and looks ok
- Upstream update history is regular and good
- Debian/Ubuntu update history is slightly slow, but ok (only exists since G)
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list
Problems:
- the current release is not packaged
https://github.com/stefanberger/libtpms/releases/tag/v0.9.0
[Upstream red flags]
OK:
- no Errors/warnings during the build (a few -Wreturn-local-addr, nothing severe)
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user nobody
- no use of setuid
- use of setuid, but ok because <TBD> (prefer systemd to set those
for services)
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case
Problems:
- important open bugs (crashers, etc) in Debian or Ubuntu
IMHO there is one worthile to track (but no immediate action needed)
FIPS: https://github.com/stefanberger/libtpms/issues/51
But also one, that given we transition to openssl 3.0 we need to track
and resolve:
openssl3: https://github.com/stefanberger/libtpms/issues/215
** Bug watch added: github.com/stefanberger/libtpms/issues #215
https://github.com/stefanberger/libtpms/issues/215
** Bug watch added: github.com/stefanberger/libtpms/issues #51
https://github.com/stefanberger/libtpms/issues/51
** Changed in: libtpms (Ubuntu)
Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1948748
Title:
[MIR] swtpm
Status in autogen package in Ubuntu:
Won't Fix
Status in gnutls28 package in Ubuntu:
Won't Fix
Status in libtpms package in Ubuntu:
New
Status in swtpm package in Ubuntu:
New
Bug description:
[Availability]
Available in universe in jammy.
[Rationale]
Needed in order to provide TPM functionality to VMs through kvm/libvirt; should be a Recommends: of qemu-system-x86
[Security]
Several security bugs found and fixed in libtpms this year http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libtpms
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3746 currently
remains unfixed in the version present in jammy (DoS bug).
[Quality assurance]
Limited history: package not present in Debian, and only in Ubuntu since jammy.
[UI standards]
N/A
[Dependencies]
swtpm and libtpms; no further dependencies outside of main.
[Standards compliance]
OK
[Maintenance]
To be maintained by the Foundations Team.
[Background information]
N/A
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/autogen/+bug/1948748/+subscriptions
More information about the foundations-bugs
mailing list