[Bug 1960864] Re: [MIR] plocate

Didier Roche 1960864 at bugs.launchpad.net
Thu Feb 24 17:18:36 UTC 2022


Upstream informed us that the initial MIR description wrongly stated that there
are no sgid binaries, but /usr/bin/plocate is sgid plocate.

I think this then warrants a security review.

@enr0n: do you need this for this LTS release? If so, please target it and mention that to the security team.
If the security team doesn’t have the bandwidth to deal with it before beta, we will then need to revert this to the previous state, being mlocate.

** Changed in: plocate (Ubuntu)
       Status: Fix Released => New

** Changed in: plocate (Ubuntu)
     Assignee: (unassigned) => Canonical Security Team (canonical-security)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to plocate in Ubuntu.
https://bugs.launchpad.net/bugs/1960864

Title:
  [MIR] plocate

Status in plocate package in Ubuntu:
  New

Bug description:
  [Availability]
  The package plocate is already in Ubuntu universe.
  The package plocate builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, s390x
  Link to package [[https://launchpad.net/ubuntu/+source/plocate|plocate]]

  [Rationale]
  - The package plocate will generally be useful for a large part of
    our user base
  - Package plocate covers the same use case as mlocate, but is better
    because it is a faster implementation. From the package description:
    "plocate is a locate(1) based on posting lists, giving much faster
    searches on a much smaller index. It is a drop-in replacement for mlocate in
    nearly all aspects, and is fast on SSDs and non-SSDs alike."
  - Additional reasons: Debian has removed mlocate in favor of plocate.

  [Security]
  - No CVEs/security issues in this software in the past
    http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=plocate
    https://ubuntu.com/security/cve?package=plocate
  - no `suid` or `sgid` binaries
  - There are binaries in sbin
    /usr/sbin/plocate-build
    /usr/sbin/updatedb.plocate
  - Package does install services, timers or recurring jobs
    /lib/systemd/system/plocate-updatedb.service
    /lib/systemd/system/plocate-updatedb.timer

    $ cat /lib/systemd/system/plocate-updatedb.service 
      [Unit]
      Description=Update the plocate database
      ConditionACPower=true

      [Service]
      Type=oneshot
      ExecStart=/usr/sbin/updatedb.plocate
      LimitNOFILE=131072
      IOSchedulingClass=idle

      PrivateTmp=true
      PrivateDevices=true
      PrivateNetwork=true

    $ cat /lib/systemd/system/plocate-updatedb.timer 
      [Unit]
      Description=Update the plocate database daily

      [Timer]
      OnCalendar=daily
      RandomizedDelaySec=12h
      AccuracySec=20min
      Persistent=true

      [Install]
      WantedBy=timers.target

  - Package does not open privileged ports (ports < 1024)
  - Package does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install. One must run
    `updatedb` after install to do initial indexing, and can
    then easily use `locate`.

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu and does not have too many
    long-term critical bugs open
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/plocate/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=plocate
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package does not run a test at build time.
  - The package runs an autopkgtest, and is currently passing on
    amd64, arm64, armhf, ppc64el, s390x: https://autopkgtest.ubuntu.com/packages/plocate
  - The package does have failing autopkgtests right now on i386,
    but this package is not supported for i386

  [Quality assurance - packaging]
  - debian/watch is not present
  - This package does not yield massive lintian Warnings, Errors
    $ lintian --pedantic -I
      I: plocate source: debian-watch-file-is-missing
      I: plocate source: out-of-date-standards-version 4.5.0 (released 2020-01-20) (current is 4.5.1)
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/.ninja_deps
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/meson-private/build.dat
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/meson-private/coredata.dat
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/meson-private/install.dat
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/meson-private/sanitycheckcpp.exe
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate-build
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate-build.p/database-builder.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate-build.p/plocate-build.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate.p/access_rx_cache.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate.p/complete_pread.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate.p/io_uring_engine.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate.p/needle.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate.p/parse_trigrams.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate.p/plocate.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate.p/serializer.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/plocate.p/turbopfor.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/updatedb.plocate
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/updatedb.plocate.p/bind-mount.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/updatedb.plocate.p/complete_pread.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/updatedb.plocate.p/conf.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/updatedb.plocate.p/database-builder.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/updatedb.plocate.p/lib.cpp.o
      I: plocate source: unused-entry-in-debian-source-include-binaries obj-x86_64-linux-gnu/updatedb.plocate.p/updatedb.cpp.o
      P: plocate source: spelling-error-in-patch-description debian/patches/locate-add-ignore-spaces-option-to-ignore-word-separ.patch "allows to" "allows one to"
      P: plocate source: trailing-whitespace debian/changelog (line 208)
      P: plocate source: trailing-whitespace debian/changelog (line 226)
      P: plocate source: trailing-whitespace debian/changelog (line 313)
      P: plocate source: trailing-whitespace debian/changelog (line 320)
      P: plocate source: trailing-whitespace debian/control (line 22)

  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will not be installed by default
  - Packaging and build is easy

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - Upstream is active, the package is maintained in Debian and in sync for Ubuntu
  - This does not use static builds
  - This does not use vendored code

  [Background information]
  The Package description explains the package well
  https://plocate.sesse.net/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/plocate/+bug/1960864/+subscriptions
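As an added example (not part of the bug report or of the plocate package), the check a MIR reviewer can run to list setuid/setgid files, the property the description above got wrong for /usr/bin/plocate. The demo scans a constructed directory tree rather than the real filesystem, so the group shown is the current user's, not plocate; find_setid_pkg assumes dpkg is available and is only meaningful on a real Debian/Ubuntu system.

```shell
#!/bin/sh
# Print "<octal mode> <owner>:<group> <path>" for every regular file under
# a directory that carries the setuid (4000) or setgid (2000) bit.
find_setid() {
    # -perm /6000 matches if either of the set-id bits is set
    find "$1" -xdev -type f -perm /6000 \
        -exec stat -c '%a %U:%G %n' {} \; 2>/dev/null | sort
}

# Same check restricted to the files one installed package owns.
# Assumes dpkg is present (Debian/Ubuntu); usage: find_setid_pkg plocate
find_setid_pkg() {
    dpkg -L "$1" 2>/dev/null | while IFS= read -r f; do
        [ -f "$f" ] || continue
        find "$f" -maxdepth 0 -perm /6000 -exec stat -c '%a %U:%G %n' {} \;
    done
}

# Demo on a constructed tree mirroring the paths named in the MIR:
# one sgid binary, two plain 0755 sbin tools. Only the sgid one is reported.
demo_setid_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/usr/sbin"
    : > "$tmp/usr/bin/plocate";          chmod 2755 "$tmp/usr/bin/plocate"
    : > "$tmp/usr/sbin/updatedb.plocate"; chmod 0755 "$tmp/usr/sbin/updatedb.plocate"
    : > "$tmp/usr/sbin/plocate-build";   chmod 0755 "$tmp/usr/sbin/plocate-build"
    find_setid "$tmp"
    rm -rf "$tmp"
}

demo_setid_scan
```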
