[Bug 1972866] Re: [MIR] gsasl

Christian Ehrhardt  1972866 at bugs.launchpad.net
Mon Jun 20 15:08:43 UTC 2022


I'd also object to Didier who said "This does not need a security review".
This clearly parses data, and it does so to encrypt/decrypt it.
Therefore IMHO this clearly falls into the "needs security" pocket.

Assigning to security ...

@Didier please let me know if you want to discuss (we can do so in
tomorrow's meeting). Do we need to change the template to clarify (for
either of us, depending on the outcome of the discussion)?

** Changed in: gsasl (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to mutt in Ubuntu.
https://bugs.launchpad.net/bugs/1972866

Title:
  [MIR] gsasl

Status in gsasl package in Ubuntu:
  Incomplete
Status in mutt package in Ubuntu:
  New
Status in mutt package in Debian:
  Fix Released

Bug description:
  [Summary]
  * Everything seems in order with this package, but it should
  be reviewed by the security team due to the nature of the package.
  * Build log: https://launchpadlibrarian.net/564514219/buildlog_ubuntu-jammy-amd64.gsasl_1.10.0-5_BUILDING.txt.gz

  [Availability]
  * The package is already available in Ubuntu universe and builds for the required architectures

  [Rationale]
  * mutt (which is in main) used to depend on cyrus-sasl. Due to a
  licensing conflict between mutt and cyrus-sasl, it has been updated
  to use gsasl and drop the dependency on cyrus-sasl. This change
  has been made in Debian. Mutt is used by a large part of our
  user base, so continuing to provide it is important.

  [Security]
  * Package gsasl and associated libraries do not have any
  security red-flags, but should still be reviewed by
  the security team due to the nature of the package (it
  authenticates users to servers)
  * No CVEs/security issues in this software in the past
  * No `suid` or `sgid` binaries
  * No executables in `/sbin` and `/usr/sbin`
  * Package does not install services, timers or recurring jobs
  * Package does not open privileged ports (ports < 1024)

  [Quality assurance - function/usage]
  * The package works well right after install

  [Quality assurance - maintenance]
  * The package is maintained well in Debian/Ubuntu and does not have too many
  long-term critical bugs open
  * The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  * The package runs a test suite at build time; if it fails,
  it makes the build fail
  * The package runs an autopkgtest, and is currently passing

  [Quality assurance - packaging]
  * debian/watch is present and works
  * debian/control defines a correct Maintainer field
  * This package does not yield massive lintian Warnings or Errors
  * Full output of `lintian --pedantic`:
  ```
  P: gsasl source: update-debian-copyright 2014 vs 2021 [debian/copyright:44]
  P: gsasl source: very-long-line-length-in-source-file configure line 13808 is 704 characters long (>512)
  P: gsasl source: very-long-line-length-in-source-file examples/openid20/README line 92 is 807 characters long (>512)
  P: gsasl source: very-long-line-length-in-source-file examples/saml20/README line 171 is 1396 characters long (>512)
  P: gsasl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
  ```
  * Lintian overrides are present, but ok because upstream does
  not provide source-only tarballs
  * This package has no python2 or GTK2 dependencies
  * Packaging and build is easy. d/rules is concise and readable

  [UI standards]
  * Application is end-user facing; translation is present via gettext

  [Dependencies]
  * libgsasl-dev depends on a package from src:libntlm. MIR for
  libntlm is here: https://bugs.launchpad.net/ubuntu/+source/libntlm/+bug/1976405

  [Standards compliance]
  * This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  * Owning Team will be foundations
  * Team is not yet subscribed, but will subscribe to the package before promotion
  * This does not use static builds
  * This does not use vendored code
  * The package successfully built during the most recent test rebuild

  [Background information]
  * The package description explains the package well
  * Upstream Name is GNU SASL
  * Upstream Link is https://www.gnu.org/software/gsasl/
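The [Security] section above lists the mechanical red-flag checks a MIR reviewer runs against a package's installed files (setuid/setgid binaries, executables under /sbin or /usr/sbin, service units, timers, cron jobs). The script below is an added example of those checks, written for this thread; it is not part of gsasl, the MIR template, or Ubuntu's review tooling. It takes a file list in the shape `dpkg -L <pkg>` prints and a root directory to resolve it against (`/` on a real system), and the staging tree it builds for demonstration is constructed here, with a deliberately setuid helper and a timer unit so that the checks have something to report.

```shell
#!/bin/sh
# Added example (not gsasl or MIR code): audit a package file list for the
# red flags named in the MIR [Security] section.
#
# mir_redflags ROOT FILELIST
#   ROOT      directory the paths in FILELIST are relative to ("/" on a live system)
#   FILELIST  file with one absolute path per line, e.g. the output of `dpkg -L pkg`
# Prints one "kind: path" line per finding; returns 0 when clean, 1 otherwise.
mir_redflags() {
    root=$1
    list=$2
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        f="$root$path"
        [ -f "$f" ] || continue            # directories and dangling entries are not files to audit
        # Executables in the system-administration directories
        case $path in
            /sbin/*|/usr/sbin/*)
                if [ -x "$f" ]; then echo "sbin-executable: $path"; found=1; fi ;;
        esac
        # Services, timers and recurring jobs
        case $path in
            /lib/systemd/system/*|/usr/lib/systemd/system/*|/etc/systemd/system/*)
                case $path in
                    *.service) echo "service-unit: $path"; found=1 ;;
                    *.timer)   echo "timer-unit: $path";   found=1 ;;
                esac ;;
            /etc/cron.*/*)
                echo "cron-job: $path"; found=1 ;;
        esac
        # Privilege-escalating mode bits on any regular file
        if [ -u "$f" ]; then echo "setuid: $path"; found=1; fi
        if [ -g "$f" ]; then echo "setgid: $path"; found=1; fi
    done < "$list"
    return $found
}

# Constructed staging tree standing in for an unpacked package (hypothetical
# file names, not gsasl's): a shared library and a client binary, which are
# clean, plus a setuid helper under /usr/sbin and a systemd timer, which are not.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/usr/lib" "$demo/usr/bin" "$demo/usr/sbin" "$demo/usr/lib/systemd/system"
: > "$demo/usr/lib/libexample.so.1"
: > "$demo/usr/bin/example-client";         chmod 755  "$demo/usr/bin/example-client"
: > "$demo/usr/sbin/example-helper";        chmod 4755 "$demo/usr/sbin/example-helper"
: > "$demo/usr/lib/systemd/system/example.timer"

# The list a reviewer would normally get from `dpkg -L`; constructed here.
printf '%s\n' /usr/lib/libexample.so.1 /usr/bin/example-client \
    /usr/sbin/example-helper /usr/lib/systemd/system/example.timer > "$demo/files.list"

if mir_redflags "$demo" "$demo/files.list"; then
    echo "no red flags"
else
    echo "red flags found, needs explanation in the MIR"
fi
```

On a live system the same function is called as `dpkg -L gsasl-common > /tmp/list && mir_redflags / /tmp/list` (and again for each binary package, since the red flags are per package, not per source). The privileged-port check from the template is deliberately not in this script: it is a runtime property, verified by starting the software and inspecting listening sockets, not something a file list can answer.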
