[Bug 2051850] Re: [MIR] trace-cmd
Christian Ehrhardt
2051850 at bugs.launchpad.net
Wed Apr 3 09:22:32 UTC 2024
Thank you for the security review, most of the other open requests are
still open AFAICS (we said in the team meeting that we wanted to re-
check all cases):
Required:
1. Other dependencies to MIR:
WIP a. libtracefs - https://bugs.launchpad.net/ubuntu/+source/libtracefs/+bug/2051925
DONE b. libtraceevent - https://bugs.launchpad.net/ubuntu/+source/libtraceevent/+bug/2051916
2. No tests during build, please add tests.
=> This depends on how doable or not that is in the build environment,
but I've so far not seen an update or discussion for this yet
3. No autopackage tests present.
=> No additions yet AFAICS, especially as this covers the full stack
Recommended TODOs:
4. The output of 'lintian --pedantic --tag-display-limit 0' yields many warnings
some of them segfaults. Not sure if this is a problem of the package or troff
but please take a look. (https://pastebin.ubuntu.com/p/JYGrJ7wnJz/)
5. There are a few warnings (unused return values) during build
6. The package should get a team bug subscriber before being promoted
=> While those are optional, there was no update for them either so far.
This might all be still fine as, after all, you might tackle them one by one.
But that means, for now, this is still incomplete waiting for you to provide these aspects before full approval.
--
https://bugs.launchpad.net/bugs/2051850
Title:
[MIR] trace-cmd
Status in trace-cmd package in Ubuntu:
Incomplete
Bug description:
[Availability]
The package trace-cmd is already in Ubuntu universe (Debian sync)
The package trace-cmd builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/trace-cmd
[Rationale]
- The package trace-cmd is required in Ubuntu main to help improve the experience of performance engineers working with Ubuntu
- The package trace-cmd will not generally be useful for a large part of our user base, but is helpful still because it will help enhance application developer experience while trying to find performance gain.
- There is no other/better way to solve this that is already in main or should go universe->main instead of this.
- The package trace-cmd is required in Ubuntu main no later than Feb 29 2024 (Feature Freeze) due to the will to have performance/tracing tools in Noble (LTS).
[Security]
- No CVEs/security issues in this software in the past. But one bug regarding a buffer overflow was found (see LP: #1955129) but not clearly identified as CVE/security bug.
- No `suid` or `sgid` binaries
- No executable in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs.
- Based on some quick tests, it looks like running trace-cmd is only making sense if run as root.
- Package can open privileged ports (ports < 1024) to listen for incoming connections to receive traces.
- I did not notice any use of apparmor/seccomp or any feature that could help mitigate an exploitation.
- Based on the previous elements, a more in-depth security review might be recommended.
- Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/trace-cmd/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=trace-cmd
- Upstream's bug tracker https://bugzilla.kernel.org/buglist.cgi?component=Trace-cmd%2FKernelshark
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package does have a test suite but it is not run at build time. I will submit a patch to do so.
- The package runs an autopkgtest, but is a "superficial" one. It is currently passing on amd64, arm64, ppc64el, s390x:
- https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/amd64/t/trace-cmd/20240117_073638_c1c31@/log.gz
- https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/arm64/t/trace-cmd/20240119_054257_84abe@/log.gz
- https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/ppc64el/t/trace-cmd/20240117_070636_bdbfa@/log.gz
- https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/s390x/t/trace-cmd/20240117_070802_84abe@/log.gz
- The package does have failing autopkgtests for armhf tests right now, but it seems they always failed. A quick look at the error (Permission denied) suggests it might be fixable.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- The package is planned to be installed by default, but does not ask debconf questions
- Packaging and build is easy https://git.launchpad.net/ubuntu/+source/trace-cmd/tree/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them will follow:
- https://bugs.launchpad.net/ubuntu/+source/libtraceevent/+bug/2051916
- https://bugs.launchpad.net/ubuntu/+source/libtracefs/+bug/2051925
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be Foundations and I have their acknowledgement for that commitment
- The future owning team is not yet subscribed, but will subscribe to the package before promotion
- The current bug subscriber (~chasedouglas) does not seem to be active anymore. Should we replace them by someone else?
- This does not use static builds
- This does not use vendored code
- The package was test rebuilt in a PPA recently https://launchpadlibrarian.net/712030593/buildlog_ubuntu-noble-amd64.trace-cmd_3.2-1build1_BUILDING.txt.gz
[Background information]
The Package description explains the package well.
Upstream Name is trace-cmd
Link to upstream project https://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/