[Bug 2095582] Re: [MIR] libsass
Ioanna Alifieraki
2095582 at bugs.launchpad.net
Tue Feb 18 15:25:46 UTC 2025
Review for Source Package: libsass
[Summary]
The package is needed in ubuntu main as a new runtime dependency of Openstack Horizon that
we already support.
The upstream package is deprecated. However, as per README, it will continue to receive maintenance:
"Warning: LibSass is deprecated. While it will continue to receive maintenance releases indefinitely, there are no plans to add additional features or compatibility with any new CSS or Sass features."
The upstream Openstack Horizon decided to pull in libsass in favor of pyscss as the lesser evil. Pyscss has had no updates since
2022. That said, and taking into account that upstream libsass will continue to receive maintenance
releases indefinitely, we're good to go.
Static builds are present but the ubuntu-openstack team is aware of the implications and commits to
test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM).
It has a history of CVEs and the package can parse user provided files
(css) which is not a trusted source.
The package has no build time tests.
It is not clear whether LTO is actually disabled:
It does pop up in the lto-disabled list:
$ cat /usr/share/lto-disabled-list/lto-disabled-list | grep libsass
libsass any
and there is this bug: https://bugs.launchpad.net/ubuntu/+source/libsass/+bug/1936964
But debian/rules:
export DEB_BUILD_MAINT_OPTIONS=optimize=+lto
and the -flto=auto flag is also present in the build output.
Minor issue: Upstream latest release is 3.6.6, ubuntu/debian is 3.6.5+20231221-3. However all the
code from upstream 3.6.6 is in the ubuntu 3.6.5+20231221-3.
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: libsass1, libsass-dev
Specific binary packages built, but NOT to be promoted to main: <None>
Notes:
Required TODOs:
1. Clarify what happens with lto and fix appropriately.
2. Add build time tests.
Recommended TODOs:
3. Update the debian/ubuntu version to match upstream.
4. Fix build warnings if possible.
- The package should get a team bug subscriber before being promoted
[Rationale, Duplication and Ownership]
There is no better alternative in main providing the same functionality.
The ubuntu-openstack team is committed to own long-term maintenance of this package.
The rationale given in the report seems valid and useful for Ubuntu.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code
Problems:
- static builds present
[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
signing, ...)
- this makes appropriate (for its exposure) use of established risk
mitigation features (dropping permissions, using temporary environments,
restricted users/groups, seccomp, systemd isolation features,
apparmor, ...)
Problems:
- History of CVEs does look concerning
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
[Common blockers]
OK:
- does not FTBFS currently
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
Problems:
- does not have a test suite that runs at build time
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
Problems:
- Upstream is deprecated
- Upstream update history has not received an update for over a year now
- Debian/Ubuntu update history follows upstream
- Upstream latest release is 3.6.6, ubuntu/debian is 3.6.5+20231221-3
- It pops up in the lto-disabled list
[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user nobody
- no use of setuid / setgid
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?
Problems:
- warnings present during the build
- important open bugs (crashers, etc) in Debian and Ubuntu
** Changed in: libsass (Ubuntu)
Status: New => Incomplete
** Changed in: libsass (Ubuntu)
Assignee: Ioanna Alifieraki (joalif) => James Page (james-page)
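The review above checks three sources that should agree about LTO: the lto-disabled-list, DEB_BUILD_MAINT_OPTIONS in debian/rules, and the -flto flags in the build log. The following script, added here as an example and not part of the MIR review or the libsass packaging, reproduces those three checks on constructed stand-in files and reports whether they agree. It assumes the lto-disabled-list format is one source package per line followed by architecture names or "any" (as in the grep output quoted in the review); the sample rules files and compiler lines are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce the three LTO checks from the MIR review on
# constructed sample files and report whether they are consistent.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample inputs (stand-ins for the real files) ---

# Assumed format of /usr/share/lto-disabled-list/lto-disabled-list:
# "<source package> <arch|any> [<arch> ...]"
cat > "$WORK/lto-disabled-list" <<'EOF'
# source-package  architectures
fooproject any
libsass any
barproject armhf s390x
EOF

# A debian/rules that asks dpkg-buildflags for LTO (what the review found)
cat > "$WORK/rules-lto-on" <<'EOF'
#!/usr/bin/make -f
export DEB_BUILD_MAINT_OPTIONS=optimize=+lto
%:
	dh $@
EOF

# A debian/rules that explicitly opts out of LTO
cat > "$WORK/rules-lto-off" <<'EOF'
#!/usr/bin/make -f
export DEB_BUILD_MAINT_OPTIONS=optimize=-lto
%:
	dh $@
EOF

# Constructed compiler lines as they would appear in a build log
cat > "$WORK/build-lto-on.log" <<'EOF'
g++ -g -O2 -fstack-protector-strong -flto=auto -ffat-lto-objects -c src/ast.cpp
EOF
cat > "$WORK/build-lto-off.log" <<'EOF'
g++ -g -O2 -fstack-protector-strong -c src/ast.cpp
EOF

# --- the three checks ---

# Succeeds if the package is listed for the given architecture (or "any").
in_disabled_list() { # $1=list file $2=source package $3=architecture
    awk -v pkg="$2" -v arch="$3" '
        /^#/ || NF < 2 { next }
        $1 == pkg { for (i = 2; i <= NF; i++) if ($i == "any" || $i == arch) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeeds if debian/rules requests LTO via DEB_BUILD_MAINT_OPTIONS=optimize=+lto.
rules_request_lto() { # $1=debian/rules
    grep -Eq '^export[[:space:]]+DEB_BUILD_MAINT_OPTIONS=.*optimize=[^[:space:]]*\+lto' "$1"
}

# Succeeds if any compiler invocation in the build log carries -flto.
log_shows_lto() { # $1=build log
    grep -q -- '-flto' "$1"
}

# Prints "inconsistent" when the disabled list says "no LTO" but the packaging
# or the build says otherwise; "lto-on" / "lto-off" when all three agree.
lto_verdict() { # $1=list $2=rules $3=log $4=source package $5=architecture
    disabled=0;  in_disabled_list "$1" "$4" "$5" && disabled=1
    requested=0; rules_request_lto "$2" && requested=1
    observed=0;  log_shows_lto "$3" && observed=1
    if [ "$disabled" -eq 1 ] && { [ "$requested" -eq 1 ] || [ "$observed" -eq 1 ]; }; then
        echo inconsistent
    elif [ "$observed" -eq 1 ]; then
        echo lto-on
    else
        echo lto-off
    fi
}

echo "libsass, +lto in rules, -flto in log:  $(lto_verdict "$WORK/lto-disabled-list" "$WORK/rules-lto-on" "$WORK/build-lto-on.log" libsass amd64)"
echo "libsass, -lto in rules, no -flto:       $(lto_verdict "$WORK/lto-disabled-list" "$WORK/rules-lto-off" "$WORK/build-lto-off.log" libsass amd64)"
echo "barproject on amd64 (not listed):      $(lto_verdict "$WORK/lto-disabled-list" "$WORK/rules-lto-on" "$WORK/build-lto-on.log" barproject amd64)"
```

The first line reproduces the situation in the review: the package is in the disabled list, yet debian/rules asks for LTO and the compiler lines carry -flto=auto, so the script reports "inconsistent". Pointing the three arguments at the real list, the package's debian/rules and a downloaded build log gives the same verdict for an actual package.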
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2095582
Title:
[MIR] libsass
Status in libsass package in Ubuntu:
Incomplete
Bug description:
[Availability]
The package libsass is already in Ubuntu universe.
The package libsass builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/libsass
[Rationale]
The package libsass is required in Ubuntu main because Horizon has switched from Django-pyscss to libsass and its Python wrapper.
The package libsass will generally be useful for a large part of our user base.
The package libsass is a new runtime dependency of package OpenStack Horizon that we already support.
There is no other/better way to solve this that is already in main or should go universe->main instead of this.
The binary package libsass needs to be in main as it is a new dependency for OpenStack Horizon which is switching away from the previously used django_pyscss.
The package libsass-python is required in Ubuntu main no later than
February 20, 2025 due to feature freeze.
[Security]
Had 39 security issues in the past
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libsass
https://ubuntu.com/security/cves?q=libsass
https://security-tracker.debian.org/tracker/source-package/libsass
Based on the Debian bug tracker, it appears most CVEs have been
resolved aside from 1 categorized under “Open unimportant issues” and
3 under “Open issues” but fixed for Debian versions Trixie and Sid.
no `suid` or `sgid` binaries
no executables in `/sbin` and `/usr/sbin`
Package does not install services, timers or recurring jobs
Package does not open privileged ports (ports < 1024).
Package does not expose any external endpoints
Package does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
The package works well right after install
[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs (2 open as of Feb 3)
Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libsass/+bug
Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libsass
GitHub Issues: https://github.com/sass/libsass/issues
The package has important open bugs, listing them: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libsass
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953415
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988884
The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
The package does not run a test at build time. It is currently an ubuntu-openstack TODO to add. The upstream does contain a Makefile in the ‘test’ directory that can be invoked at build time.
The package runs an autopkgtest, and is currently passing on amd64,
arm64, armhf, i386, ppc64el, riscv64, and s390x architectures, link to
test logs:
https://launchpad.net/ubuntu/+source/libsass/3.6.5+20231221-3
The package does not have failing autopkgtests right now.
[Quality assurance - packaging]
debian/watch is present and works
debian/control defines a correct Maintainer field (Debian Sass team <pkg-sass-devel at lists.alioth.debian.org>)
This package does not yield massive lintian Warnings, Errors
Please link to a recent build log of the package: https://launchpadlibrarian.net/706597691/buildlog_ubuntu-noble-amd64.libsass_3.6.5+20231221-3_BUILDING.txt.gz
Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug - no output generated on either binary package
Lintian overrides are present, but ok because they relate to copyright/license files:
```
# License is in Reference field (see bug#786450)
missing-license-paragraph-in-dep5-copyright gpl-3\+ *
missing-license-text-in-dep5-copyright GPL-3\+ *
```
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies
The package will not be installed by default
Packaging and build is easy, link to debian/rules:
https://git.launchpad.net/ubuntu/+source/libsass/tree/debian/rules
[UI standards]
Application is not end-user facing (does not need translation)
[Dependencies]
No further depends or recommends dependencies that are not yet in main
[Standards compliance]
This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
The owning team will be ubuntu-openstack and I have their acknowledgement for that commitment.
The future owning team is already subscribed to the package.
This package generates a static file libsass.a. The team ubuntu-openstack
is aware of the implications of a static build and commits to test
no-change-rebuilds and to fix any issues found for the lifetime of the
release (including ESM).
This does not use vendored code
This package is not rust based
This package has not been built in the last 3 months. The last build was December 30, 2023.
Build link on launchpad: https://launchpad.net/ubuntu/+source/libsass/3.6.5+20231221-3
[Background information]
The Package description explains the package well
Upstream Name is libsass
Link to upstream project: https://github.com/sass/libsass