[Desktop-packages] [Bug 2031406] Re: [MIR] libei
build test failures are no longer ignored on s390x ** No longer affects: mutter (Ubuntu) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to mutter in Ubuntu. https://bugs.launchpad.net/bugs/2031406 Title: [MIR] libei Status in libei package in Ubuntu: Fix Released Bug description: [Availability] - The package libei is already in Ubuntu universe. - The package libei builds for the architectures it is designed to work on. - Link to package https://launchpad.net/ubuntu/+source/libei [Rationale] - The package libei is required in Ubuntu main as a new required dependency for Mutter 45 - The package libei will generally be useful for a large part of our user base - The package libei is a new runtime dependency of package mutter that we already support - There is no other/better way to solve this that is already in main or should go universe->main instead of this. The package libei is required in Ubuntu main no later than August 17 due to Ubuntu 23.10 Feature Freeze. Obviously, that's an unrealistic deadline but the dependency is in mantic-proposed now (some other work is necessary for mutter to migrate out of mantic-proposed). It might be possible to temporarily vendor libei into Mutter. [Security] - No CVEs/security issues in this software in the past (new software, only packaged now in Ubuntu) - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...) libei is a library for emulated input. It can forward physical or logical device input for use by things like GNOME Remote Desktop or sandboxed apps or for fake input for automated actions (like could be done with xdotool). [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libei/ - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libei (not in Debian yet) - Upstream https://gitlab.freedesktop.org/libinput/libei/-/issues [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/libei/1.0.0-0ubuntu2 Note that the build test failures are temporarily ignored on s390x which is not a supported Ubuntu Desktop architecture, but the issue has been reported upstream and is being worked on: https://gitlab.freedesktop.org/libinput/libei/-/issues/41 - The package does not run an autopkgtest because we haven't written one yet. We may run upstream's build test with our autopkgtest architecture. - Some tests using libei also have been added to Mutter and we do run Mutter's tests both at build time and as installed tests with autopkgtest https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2628/commits [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - Please link to a recent build log of the package https://launchpad.net/ubuntu/+source/libei/1.0.0-0ubuntu2 - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions higher than medium - Packaging and build is easy, link to debian/rules https://salsa.debian.org/jbicha/libei/-/blob/debian-unstable/debian/rules [UI standards] - Application is not end-user facing (does not need translation) [Dependencies] - No further depends or recommends dependencies that are not yet in main [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - Owning Team will be Desktop Packages - Team is not yet, but will subscribe to the package before promotion - This does not use static builds - The team Desktop Packages is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates and backports to the security team for any affected vendored code for the lifetime of the release (including ESM). Currently, the libei packaging includes a vendored copy of munit since munit is not packaged for Debian or Ubuntu yet. This is an optional build-time dependency only used by the test suite and does not add any run-time dependencies. https://gi
[Desktop-packages] [Bug 2031406] Re: [MIR] libei
** Changed in: libei (Ubuntu) Importance: Undecided => High ** Changed in: libei (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to mutter in Ubuntu. https://bugs.launchpad.net/bugs/2031406 Title: [MIR] libei Status in libei package in Ubuntu: Fix Released Status in mutter package in Ubuntu: New Bug description: [Availability] - The package libei is already in Ubuntu universe. - The package libei builds for the architectures it is designed to work on. - Link to package https://launchpad.net/ubuntu/+source/libei [Rationale] - The package libei is required in Ubuntu main as a new required dependency for Mutter 45 - The package libei will generally be useful for a large part of our user base - The package libei is a new runtime dependency of package mutter that we already support - There is no other/better way to solve this that is already in main or should go universe->main instead of this. The package libei is required in Ubuntu main no later than August 17 due to Ubuntu 23.10 Feature Freeze. Obviously, that's an unrealistic deadline but the dependency is in mantic-proposed now (some other work is necessary for mutter to migrate out of mantic-proposed). It might be possible to temporarily vendor libei into Mutter. [Security] - No CVEs/security issues in this software in the past (new software, only packaged now in Ubuntu) - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...) libei is a library for emulated input. It can forward physical or logical device input for use by things like GNOME Remote Desktop or sandboxed apps or for fake input for automated actions (like could be done with xdotool). [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libei/ - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libei (not in Debian yet) - Upstream https://gitlab.freedesktop.org/libinput/libei/-/issues [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/libei/1.0.0-0ubuntu2 Note that the build test failures are temporarily ignored on s390x which is not a supported Ubuntu Desktop architecture, but the issue has been reported upstream and is being worked on: https://gitlab.freedesktop.org/libinput/libei/-/issues/41 - The package does not run an autopkgtest because we haven't written one yet. We may run upstream's build test with our autopkgtest architecture. - Some tests using libei also have been added to Mutter and we do run Mutter's tests both at build time and as installed tests with autopkgtest https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2628/commits [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - Please link to a recent build log of the package https://launchpad.net/ubuntu/+source/libei/1.0.0-0ubuntu2 - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions higher than medium - Packaging and build is easy, link to debian/rules https://salsa.debian.org/jbicha/libei/-/blob/debian-unstable/debian/rules [UI standards] - Application is not end-user facing (does not need translation) [Dependencies] - No further depends or recommends dependencies that are not yet in main [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - Owning Team will be Desktop Packages - Team is not yet, but will subscribe to the package before promotion - This does not use static builds - The team Desktop Packages is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates and backports to the security team for any affected vendored code for the lifetime of the release (including ESM). Currently, the libei packaging includes a vendored copy of munit since munit is not packaged for Debian or Ubuntu yet. This is an optional build-time dependency only
[Desktop-packages] [Bug 2031406] Re: [MIR] libei
The security team acked the request and autopkgtests got added, simple build testcases and upstream tests https://autopkgtest.ubuntu.com/packages/libe/libei s390x is currently failing but a fix got proposed upstream and it's not considered as a desktop architecture so let's not block on that it should be good to promote so doing it now to avoid extra delays, Lukas let us know if there was something else more you wanted to see done there and will address it in the next upload -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to mutter in Ubuntu. https://bugs.launchpad.net/bugs/2031406 Title: [MIR] libei Status in libei package in Ubuntu: New Status in mutter package in Ubuntu: New Bug description: [Availability] - The package libei is already in Ubuntu universe. - The package libei builds for the architectures it is designed to work on. - Link to package https://launchpad.net/ubuntu/+source/libei [Rationale] - The package libei is required in Ubuntu main as a new required dependency for Mutter 45 - The package libei will generally be useful for a large part of our user base - The package libei is a new runtime dependency of package mutter that we already support - There is no other/better way to solve this that is already in main or should go universe->main instead of this. The package libei is required in Ubuntu main no later than August 17 due to Ubuntu 23.10 Feature Freeze. Obviously, that's an unrealistic deadline but the dependency is in mantic-proposed now (some other work is necessary for mutter to migrate out of mantic-proposed). It might be possible to temporarily vendor libei into Mutter. [Security] - No CVEs/security issues in this software in the past (new software, only packaged now in Ubuntu) - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...) libei is a library for emulated input. It can forward physical or logical device input for use by things like GNOME Remote Desktop or sandboxed apps or for fake input for automated actions (like could be done with xdotool). [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libei/ - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libei (not in Debian yet) - Upstream https://gitlab.freedesktop.org/libinput/libei/-/issues [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/libei/1.0.0-0ubuntu2 Note that the build test failures are temporarily ignored on s390x which is not a supported Ubuntu Desktop architecture, but the issue has been reported upstream and is being worked on: https://gitlab.freedesktop.org/libinput/libei/-/issues/41 - The package does not run an autopkgtest because we haven't written one yet. We may run upstream's build test with our autopkgtest architecture. - Some tests using libei also have been added to Mutter and we do run Mutter's tests both at build time and as installed tests with autopkgtest https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2628/commits [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - Please link to a recent build log of the package https://launchpad.net/ubuntu/+source/libei/1.0.0-0ubuntu2 - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions higher than medium - Packaging and build is easy, link to debian/rules https://salsa.debian.org/jbicha/libei/-/blob/debian-unstable/debian/rules [UI standards] - Application is not end-user facing (does not need translation) [Dependencies] - No further depends or recommends dependencies that are not yet in main [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - Owning Team will be Desktop Packages - Team is not yet, but will subscribe to the package before promotion - This does not use static builds - The team Desktop Packages is aware of the implications of vendored code and (as a
[Desktop-packages] [Bug 2031406] Re: [MIR] libei
I reviewed libei 1.0.0-0ubuntu2 as checked into mantic. This shouldn't be considered a full audit but rather a quick gauge of maintainability. libei is a library to emulate input, particularly for the Wayland graphics stack. It provides 3 components - libei - the library to emulate inputs on the client side - libeis - a library to process these inputs on the server side - oeffis - a library for communicating with the XDG RemoteDesktop Portal - CVE History - None - Build-Depends - No interesting / security relevant dependencies - No pre/post inst/rm scripts - No init scripts - No systemd units - No dbus system/session services - No setuid binaries - No binaries in PATH - No sudo fragments - No polkit files - No udev rules - unit tests / autopkgtests - No autopkgtests but since this package is just a library with minimal external depencies, I don't think this should be a blocker. - unit tests look quite comprehensive: 1/9 libei / unit-tests-utils OK 0.02s 2/9 libei / unit-tests-ei OK 0.02s 3/9 libei / unit-tests-eisOK 0.02s 4/9 libei / unit-tests-oeffis OK 0.01s 5/9 libei / eierpeckenOK 0.08s 6/9 libei:python / python-black OK 0.49s 7/9 libei:python / scanner-pytest OK 0.52s 8/9 libei:python / oeffis-pytest OK 2.58s 9/9 libei:python / protocol-test OK 6.61s Ok: 9 Expected Fail: 0 Fail: 0 Unexpected Pass:0 Skipped:0 Timeout:0 - No cron jobs - Build logs contain a couple warnings - the second of which should ideally be fixed: ../tools/ei-demo-client.c:102:9: warning: ignoring return value of read declared with attribute warn_unused_result [-Wunused-result] ../src/util-sources.c:311:9: warning: ignoring return value of read declared with attribute warn_unused_result [-Wunused-result] - No processes spawned - Memory management - Given this is written in C there is suprisingly little dynamic memory management - when malloc() etc are used, the code has a tendency to use assert() to die immediately if memory fails to be allocated. Whilst not very graceful, this is pretty standard in higher order libraries like glib etc so is not really concerning to see it here. In general the code appears quite defensive too. - File IO - Only really used for creating a lock file and reading its own cmdline - again this is quite safe. - Logging - Appears quite careful, no apparent uses of directives that might be vulnerable to string-format attacks etc - Environment variable usage - Only uses XDG_RUNTIME_DIR and its own LIBEI_SOCKET environment variables - No apparent use of privileged functions - Uses rand() to assign a non-overlapping token for requests to xdg-desktop-portal - this is fine, they are not expected to be cryptographically secure etc, they just need to be unique within a session - No use of temp files - Uses AF_UNIX sockets for local communication - No use of WebKit - No use of PolicyKit - No significant cppcheck results - One significant Coverity result - I reported this upstream https://gitlab.freedesktop.org/libinput/libei/-/issues/43 who fixed it within 24 hours - along with a related issue they noticed - No significant shellcheck results - No significant bandit results - all issues identified are in the test suite and most can be ignored (ie. use of assert etc.) - No significant govulncheck results - No significant Semgrep results In general libei looks to be quite a well-written and maintained code- base. The upstream is responsive to issues and easy to work with as well. Security team ACK for promoting libei to main. ** Bug watch added: gitlab.freedesktop.org/libinput/libei/-/issues #43 https://gitlab.freedesktop.org/libinput/libei/-/issues/43 ** Changed in: libei (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to mutter in Ubuntu. https://bugs.launchpad.net/bugs/2031406 Title: [MIR] libei Status in libei package in Ubuntu: New Status in mutter package in Ubuntu: New Bug description: [Availability] - The package libei is already in Ubuntu universe. - The package libei builds for the architectures it is designed to work on. - Link to package https://launchpad.net/ubuntu/+source/libei [Rationale] - The package libei is required in Ubuntu main as a new required dependency for Mutter 45 - The package libei will generally be useful for a large part of our user base - The package libei is a new runtime dependency of package mutter that we already support - There is no other/better way to solve this that is already in main or should go universe->main instead of this. The package libei is required in Ubuntu main no later than August 17 due to Ubuntu 23.10 Feature Freeze. O
[Desktop-packages] [Bug 2031406] Re: [MIR] libei
> #7 Help upstream to resolve the s390x endianess issues, so we can re-enable > all tests https://gitlab.freedesktop.org/libinput/libei/-/issues/41 I've done some analisys there of the remaining issue, we should be green soon! -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to mutter in Ubuntu. https://bugs.launchpad.net/bugs/2031406 Title: [MIR] libei Status in libei package in Ubuntu: New Status in mutter package in Ubuntu: New Bug description: [Availability] - The package libei is already in Ubuntu universe. - The package libei builds for the architectures it is designed to work on. - Link to package https://launchpad.net/ubuntu/+source/libei [Rationale] - The package libei is required in Ubuntu main as a new required dependency for Mutter 45 - The package libei will generally be useful for a large part of our user base - The package libei is a new runtime dependency of package mutter that we already support - There is no other/better way to solve this that is already in main or should go universe->main instead of this. The package libei is required in Ubuntu main no later than August 17 due to Ubuntu 23.10 Feature Freeze. Obviously, that's an unrealistic deadline but the dependency is in mantic-proposed now (some other work is necessary for mutter to migrate out of mantic-proposed). It might be possible to temporarily vendor libei into Mutter. [Security] - No CVEs/security issues in this software in the past (new software, only packaged now in Ubuntu) - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...) libei is a library for emulated input. It can forward physical or logical device input for use by things like GNOME Remote Desktop or sandboxed apps or for fake input for automated actions (like could be done with xdotool). [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libei/ - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libei (not in Debian yet) - Upstream https://gitlab.freedesktop.org/libinput/libei/-/issues [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/libei/1.0.0-0ubuntu2 Note that the build test failures are temporarily ignored on s390x which is not a supported Ubuntu Desktop architecture, but the issue has been reported upstream and is being worked on: https://gitlab.freedesktop.org/libinput/libei/-/issues/41 - The package does not run an autopkgtest because we haven't written one yet. We may run upstream's build test with our autopkgtest architecture. - Some tests using libei also have been added to Mutter and we do run Mutter's tests both at build time and as installed tests with autopkgtest https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2628/commits [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - Please link to a recent build log of the package https://launchpad.net/ubuntu/+source/libei/1.0.0-0ubuntu2 - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions higher than medium - Packaging and build is easy, link to debian/rules https://salsa.debian.org/jbicha/libei/-/blob/debian-unstable/debian/rules [UI standards] - Application is not end-user facing (does not need translation) [Dependencies] - No further depends or recommends dependencies that are not yet in main [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - Owning Team will be Desktop Packages - Team is not yet, but will subscribe to the package before promotion - This does not use static builds - The team Desktop Packages is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates and backports to the security team for any affected vendored code for the lifetime of the release (including ESM). Currently, the libei packaging includes a vendored copy of munit since mu
[Desktop-packages] [Bug 2031406] Re: [MIR] libei
** Tags added: sec-2617 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to mutter in Ubuntu. https://bugs.launchpad.net/bugs/2031406 Title: [MIR] libei Status in libei package in Ubuntu: New Status in mutter package in Ubuntu: New Bug description: [Availability] - The package libei is already in Ubuntu universe. - The package libei builds for the architectures it is designed to work on. - Link to package https://launchpad.net/ubuntu/+source/libei [Rationale] - The package libei is required in Ubuntu main as a new required dependency for Mutter 45 - The package libei will generally be useful for a large part of our user base - The package libei is a new runtime dependency of package mutter that we already support - There is no other/better way to solve this that is already in main or should go universe->main instead of this. The package libei is required in Ubuntu main no later than August 17 due to Ubuntu 23.10 Feature Freeze. Obviously, that's an unrealistic deadline but the dependency is in mantic-proposed now (some other work is necessary for mutter to migrate out of mantic-proposed). It might be possible to temporarily vendor libei into Mutter. [Security] - No CVEs/security issues in this software in the past (new software, only packaged now in Ubuntu) - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...) libei is a library for emulated input. It can forward physical or logical device input for use by things like GNOME Remote Desktop or sandboxed apps or for fake input for automated actions (like could be done with xdotool). [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libei/ - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libei (not in Debian yet) - Upstream https://gitlab.freedesktop.org/libinput/libei/-/issues [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/libei/1.0.0-0ubuntu2 Note that the build test failures are temporarily ignored on s390x which is not a supported Ubuntu Desktop architecture, but the issue has been reported upstream and is being worked on: https://gitlab.freedesktop.org/libinput/libei/-/issues/41 - The package does not run an autopkgtest because we haven't written one yet. We may run upstream's build test with our autopkgtest architecture. - Some tests using libei also have been added to Mutter and we do run Mutter's tests both at build time and as installed tests with autopkgtest https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2628/commits [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - Please link to a recent build log of the package https://launchpad.net/ubuntu/+source/libei/1.0.0-0ubuntu2 - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions higher than medium - Packaging and build is easy, link to debian/rules https://salsa.debian.org/jbicha/libei/-/blob/debian-unstable/debian/rules [UI standards] - Application is not end-user facing (does not need translation) [Dependencies] - No further depends or recommends dependencies that are not yet in main [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - Owning Team will be Desktop Packages - Team is not yet, but will subscribe to the package before promotion - This does not use static builds - The team Desktop Packages is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates and backports to the security team for any affected vendored code for the lifetime of the release (including ESM). Currently, the libei packaging includes a vendored copy of munit since munit is not packaged for Debian or Ubuntu yet. This is an optional build-time dependency only used by the test suite and does not add any run-time dependencies. https://github.com/nemequ/munit - This p