[Bug 1998095] Re: [MIR] pkgconf, replacement for pkg-config
Ioanna Alifieraki
1998095 at bugs.launchpad.net
Tue Jan 24 12:59:55 UTC 2023
Review for Package: pkgconf
[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does not need a security review
TODO: List of specific binary packages to be promoted to main: pkgconf, libpkgconf3, pkgconf-bin, libpkgconf-dev
TODO: Specific binary packages built, but NOT to be promoted to main: TBD
Notes:
Please address/clarify the following:
Required TODOs:
1. Does it run autopkgtests? There is a test suite in the sources that runs at build time,
which could also be run as an autopkgtest, but I do not see anything under
https://autopkgtest.ubuntu.com/packages/pkgconf or pkgconf in
https://autopkgtest.ubuntu.com/testlist#index-p
Recommended TODOs:
2. Debian has bumped the version to 1.8.1. There is a very recent CVE, CVE-2023-24056:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24056
This CVE is addressed upstream
(https://github.com/pkgconf/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059)
and pulled into Debian in 1.8.1
(https://salsa.debian.org/debian/pkgconf/-/commit/05e3a9175a07194da5d7b80b9aa1f2f639d37db0).
It would be nice to either sync from Debian or at least backport the CVE fix.
3. The source package produces 5 binaries, one of them being pkg-config, which IIUC is a transitional
package; can you please clarify if we need it in main too?
- The package should get a team bug subscriber before being promoted
[Duplication]
pkgconf is a replacement for pkg-config, since Debian moved to it.
[Dependencies]
OK
- no other Dependencies to MIR due to this
- pkgconf checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends
and Recommends) that are present after build are outside main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- Does not include vendored code
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam), etc.
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
Problems: None
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- a test suite failure will fail the build
- This does not need special HW for build or test
- no new python2 dependency
Problems:
- does it have a test suite that runs as autopkgtest?
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
control
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list
Problems: None
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?
Problems: None
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-24056
** Changed in: pkgconf (Ubuntu)
Status: Confirmed => Incomplete
** Changed in: pkgconf (Ubuntu)
Assignee: Ioanna Alifieraki (joalif) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pkg-config in Ubuntu.
https://bugs.launchpad.net/bugs/1998095
Title:
[MIR] pkgconf, replacement for pkg-config
Status in pkg-config package in Ubuntu:
New
Status in pkgconf package in Ubuntu:
Incomplete
Bug description:
Rationale: Debian moved from pkg-config to the new pkgconf version,
providing the same binary.
Availability: The package is already available in universe and
building on all archs.
Rationale: needed for mostly every package in the archive.
Security: It's well maintained upstream, in Debian, and in Ubuntu.
There are no known serious issues.
Only one CVE dated 2018
CVE-2018-1000221 pkgconf version 1.5.0 to 1.5.2 contains a Buffer Overflow vulnerabilit ...
UI standards: n/a
Dependencies: atf-sh on i386 is needed to build.
Standards compliance: no known issues.
Maintenance: No known issues.
pkg-config had a long time standing Ubuntu delta, that is now dropped
because pkgconf supports profiles and the multiarch lib location
search is now default in Debian too.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pkg-config/+bug/1998095/+subscriptions
More information about the foundations-bugs mailing list
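As an added example, not code from pkgconf, Debian, or this review: CVE-2023-24056, mentioned in recommended TODO 2 above, is publicly described as unbounded string expansion when variables in a .pc file reference each other. The Python below is a minimal .pc tuple parser that expands `${var}` references under a total byte budget and a nesting cap, so a small variable-doubling file is rejected instead of exhausting memory. The limits, the benign sample file and the `expansion_bomb` generator are illustrative assumptions constructed for this example; they are not pkgconf's values, its parser, or the upstream fix.

```python
"""Minimal .pc parser with bounded ${var} expansion (illustrative, not pkgconf's code)."""
import re

# Illustrative limits (assumptions for this example, not pkgconf's values).
MAX_EXPANDED_BYTES = 64 * 1024
MAX_DEPTH = 32

_VAR_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


class PcExpansionError(ValueError):
    """Raised for a malformed .pc file or an expansion that exceeds the limits."""


def parse_pc(text, max_bytes=MAX_EXPANDED_BYTES, max_depth=MAX_DEPTH):
    """Return (variables, fields) with every ${name} expanded.

    `prefix=/usr` lines are variables; `Cflags: -I${includedir}` lines are fields.
    Literal output is charged against one shared byte budget, so the total size
    of all expanded values is capped; nesting depth and cycles are checked too.
    """
    raw_vars, raw_fields = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        eq, colon = line.find("="), line.find(":")
        if eq != -1 and (colon == -1 or eq < colon):
            k, v = line.split("=", 1)
            raw_vars[k.strip()] = v.strip()
        elif colon != -1:
            k, v = line.split(":", 1)
            raw_fields[k.strip()] = v.strip()
        else:
            raise PcExpansionError(f"malformed line: {line!r}")

    remaining = [max_bytes]                       # mutable budget shared by all expansions

    def emit(chunk):
        # Only literal text is charged; recursive calls charge their own literals,
        # so the total charged equals the final expanded size.
        remaining[0] -= len(chunk)
        if remaining[0] < 0:
            raise PcExpansionError(f"expanded size exceeds {max_bytes} bytes")
        return chunk

    def expand(value, depth, active):
        if depth > max_depth:
            raise PcExpansionError("variable nesting too deep")
        out, pos = [], 0
        for m in _VAR_RE.finditer(value):
            out.append(emit(value[pos:m.start()]))
            name = m.group(1)
            if name in active:
                raise PcExpansionError(f"circular reference via ${{{name}}}")
            # Unknown variables expand to the empty string, as pkg-config does.
            out.append(expand(raw_vars.get(name, ""), depth + 1, active | {name}))
            pos = m.end()
        out.append(emit(value[pos:]))
        return "".join(out)

    variables = {k: expand(v, 0, frozenset()) for k, v in raw_vars.items()}
    fields = {k: expand(v, 0, frozenset()) for k, v in raw_fields.items()}
    return variables, fields


def rejects(text):
    """True if parse_pc refuses the input (used to check the guard rails)."""
    try:
        parse_pc(text)
    except PcExpansionError:
        return True
    return False


# Constructed benign sample (not a real package's .pc file).
BENIGN_PC = """\
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib/x86_64-linux-gnu
includedir=${prefix}/include

Name: example
Description: constructed sample .pc file
Version: 1.0
Libs: -L${libdir} -lexample
Cflags: -I${includedir}
"""


def expansion_bomb(levels):
    """Constructed .pc text where each variable is the previous one twice over."""
    lines = ["v0=xxxxxxxx"]
    for i in range(1, levels + 1):
        lines.append(f"v{i}=${{v{i-1}}}${{v{i-1}}}")
    lines += ["Name: bomb", "Version: 0", f"Cflags: ${{v{levels}}}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(parse_pc(BENIGN_PC)[1]["Cflags"])
    print("bomb rejected:", rejects(expansion_bomb(24)))
```

With `expansion_bomb(24)` the final field would be 8 * 2**24 bytes from a file of a few hundred bytes; the budget check fires while expanding the intermediate variables, long before anything of that size is allocated. A real fix also needs the same discipline in the C string handling, but the invariant is the one shown: charge output as it is produced and refuse once the cap is crossed.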