[Bug 2111815] Re: [MIR] rust-coreutils

Ioanna Alifieraki 2111815 at bugs.launchpad.net
Mon Jul 14 21:26:57 UTC 2025


Review for Source Package: rust-coreutils

[Summary]
This package, rust-coreutils, is a rewrite of GNU coreutils in rust.
It aims to replace coreutils in Ubuntu.
The package has a few minor issues, such as the translation handling 
and missing documentation on how to refresh vendored code, which are 
noted in the TODOs and should be addressed.

The more significant concern is rust-coreutils not being fully compatible
with coreutils. Since many user scripts and system tools implicitly rely
on the precise behavior of GNU coreutils, any deviation can lead to regressions.
This risk ranges from simple user-level breakage to failures in complex 
deployments that depend on expected coreutils behavior.

A number of related bugs have already been reported. While it is currently
unrealistic to expect full compatibility with GNU coreutils, every effort 
should be made to resolve as many of the outstanding issues as possible, 
in order to reduce the potential for disruption and ensure the level of
reliability and quality expected from software provided by Ubuntu.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: rust-coreutils
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
Required TODOs:
1. The package has not documented how to refresh vendored code. Please document it.
2. The package does not have autopkgtest.
3. Please address the translation issue.
4. Please address the Debian bugs:
4a. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1097827
4b. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107270
5. There are quite a few open Ubuntu bugs; please address them:
   https://bugs.launchpad.net/ubuntu/+source/rust-coreutils/+bugs
6. Review upstream issues and assess which of them are likely to
   cause problems.
Recommended TODOs:
7. Address as many as possible of the upstream bugs triaged in (6).

- The package should get a team bug subscriber before being promoted


[Rationale, Duplication and Ownership]
There is another package in main providing the same functionality, coreutils;
however, it has been decided to switch to rust-coreutils:
https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995
The Foundations team is committed to owning long-term maintenance of this package.
The rationale given in the report seems valid and useful for Ubuntu.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- not a go package, no extra constraints to consider in that regard
- Rust package that has all dependencies vendored. It neither has
  *Built-Using (after build), nor does the build log indicate
  built-in sources that are missing from Built-Using.
- rust package using dh_cargo (dh ... --buildsystem cargo)

Problems:
- Includes vendored code, the package has documented how to refresh this
  code at <TBD>

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features (dropping permissions, using temporary environments,
  restricted users/groups, seccomp, systemd isolation features,
  apparmor, ...)

Problems:
- does parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source. The user

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - a test suite failure fails the build.
- This does not need special HW for build or test
- no new python2 dependency

Problems:
- does not have a non-trivial test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control
- symbols tracking not applicable for this kind of code.
- debian/watch is not present, cargo in charge
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user 'nobody' outside of tests
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks

Problems:
- use of setuid / setgid
- important open bugs (crashers, etc) in Debian or Ubuntu
- translation not present

** Bug watch added: Debian Bug tracker #1097827
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1097827

** Bug watch added: Debian Bug tracker #1107270
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107270

** Changed in: rust-coreutils (Ubuntu)
     Assignee: Ioanna Alifieraki (joalif) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/2111815

Title:
  [MIR] rust-coreutils

Status in rust-coreutils package in Ubuntu:
  New

Bug description:
  [Availability]
  The package rust-coreutils is already in Ubuntu universe.
  The package rust-coreutils builds for the architectures it is designed to work on.
  It currently builds and works for architectures: (all of them)
  Link to package https://launchpad.net/ubuntu/+source/rust-coreutils

  [Rationale]
  - The package rust-coreutils is required in Ubuntu main for 
    strengthening product security, resilience, and safety by adopting
    memory-safe replacements for core functionalities as outlined in
    Jon Seager's post:

    https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995

  - The package rust-coreutils will generally be useful for a large part of
    our user base as it will become the new default coreutils

  [Security]
  - No CVEs/security issues in this software in the past
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
    [chroot used to be in sbin]

  - Package does not install services, timers or recurring jobs
  - Security has been kept in mind and common isolation/risk-mitigation
    patterns are in place utilizing the following features:
    This is using a memory-safe language, eliminating most memory safety
    issues.
  - Package does not expose any external endpoints
  - Package does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

    Particularly, when installing coreutils-from-uutils, which is to be the
    default. On its own, this provides a single coreutils binary.

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-coreutils/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-coreutils
    - Upstream's bug tracker, e.g., GitHub Issues
  - The package has important open bugs, listing them:
    - Lots of coreutils still have some breakage which prevents the default
      switch, I won't list them individually.
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite at build time; if it fails
    it makes the build fail. Link to build log:
    https://launchpadlibrarian.net/797298944/buildlog_ubuntu-questing-amd64.rust-coreutils_0.0.30-2ubuntu2_BUILDING.txt.gz

  - The package does not run an autopkgtest because there are no additional
    tests. It does trigger a whole bunch of packages; and of course the GNU
    coreutils test suite gets triggered by coreutils-from with coreutils-from-uutils
    as the default coreutils provider.

  [Quality assurance - packaging]
  - debian/watch is not present, instead it has "cargo magic"
  - debian/control defines a correct Maintainer field

  - Please link to a recent build log of the package https://launchpadlibrarian.net/797298944/buildlog_ubuntu-questing-amd64.rust-coreutils_0.0.30-2ubuntu2_BUILDING.txt.gz
  - Please attach the full output you have got from
    `lintian --pedantic` as an extra post to this bug:

    it's just:

      W: rust-coreutils: bad-whatis-entry [usr/share/man/man1/rust-coreutils.1.gz]
      W: rust-coreutils: debian-changelog-line-too-long [usr/share/doc/rust-coreutils/changelog.Debian.gz:9]
      W: rust-coreutils: no-manual-page [usr/bin/coreutils]

    aka rust-coreutils is the manpage for coreutils and it's a bit
    weird.

  - Lintian overrides are not present

  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
    questions
  - Packaging and build is easy, link to debian/rules 
    https://git.launchpad.net/ubuntu/+source/rust-coreutils/tree/debian/rules?h=ubuntu/questing-devel
    The vendoring is the most part :D

  [UI standards]
  The situation is a bit more complex than the template allows for; coreutils
  are *somewhat* user interfacing - for terminal users.

  Translation support is being added, but sadly it uses "Fluent" which is
  not compatible with Launchpad's translation service, which is going to need
  some more work to see how we can translate from ftl to pot, produce po and
  then translate back to ftl such that we can ship translations in language
  packs.

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main
    [Rust dependencies are vendored per Rust MIR policy]

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - The owning team will be foundations-bugs and I have their acknowledgement for
    that commitment
  - I suggest the owning team be debcrafters-packages starting 26.10

  - The team foundations is aware of the implications by a static build and
    commits to test no-change-rebuilds and to fix any issues found for the
    lifetime of the release (including ESM)

  - The team foundations is aware of the implications of vendored code and (as
    alerted by the security team) commits to provide updates and backports
    to the security team for any affected vendored code for the lifetime
    of the release (including ESM).

  - This package uses vendored rust code tracked in Cargo.lock as shipped,
    in the *source* package (it produces a single binary, no crates), refreshing
    that code is outlined in debian/README.source
    [FIXME: I don't have a README.source]

  - This package is rust based and vendors all non language-runtime
    dependencies

  - The package has been built within the last 3 months in the archive
  - Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-coreutils/0.0.30-2ubuntu2

  [Background information]
  The Package description explains the package well
  Upstream Name is coreutils (same as GNU one)
  Link to upstream project https://github.com/uutils/coreutils
