[Bug 1907284] Re: [MIR] u-boot-menu
Łukasz, the Ubuntu Security Team is indeed okay with promoting this to main for focal as well.

Thanks.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1907284

Title:
  [MIR] u-boot-menu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/u-boot-menu/+bug/1907284/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1907284] Re: [MIR] u-boot-menu
Override component to main
u-boot-menu 4.0.2ubuntu5~20.04.1 in focal: universe/misc -> main
u-boot-menu 4.0.2ubuntu5~20.04.1 in focal amd64: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu5~20.04.1 in focal arm64: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu5~20.04.1 in focal armhf: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu5~20.04.1 in focal i386: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu5~20.04.1 in focal ppc64el: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu5~20.04.1 in focal riscv64: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu5~20.04.1 in focal s390x: universe/admin/optional/100% -> main
Override [y|N]? y
8 publications overridden.

** Also affects: u-boot-menu (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: u-boot-menu (Ubuntu Focal)
       Status: New => Fix Released
[Bug 1907284] Re: [MIR] u-boot-menu
As we're backporting riscv unmatched board support to 20.04.3, along with the hirsute version of the package, we will need to promote u-boot-menu from universe to main in focal-proposed (and focal-updates then). There are no real rdeps of this - and since the package is identical to the one in hirsute that is already in main, let me perform the promotion.
[Bug 1907284] Re: [MIR] u-boot-menu
Override component to main
u-boot-menu 4.0.2ubuntu3 in hirsute: universe/misc -> main
u-boot-menu 4.0.2ubuntu3 in hirsute amd64: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu3 in hirsute arm64: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu3 in hirsute armhf: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu3 in hirsute i386: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu3 in hirsute ppc64el: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu3 in hirsute riscv64: universe/admin/optional/100% -> main
u-boot-menu 4.0.2ubuntu3 in hirsute s390x: universe/admin/optional/100% -> main
8 publications overridden.

** Changed in: u-boot-menu (Ubuntu)
       Status: Fix Committed => Fix Released
[Bug 1907284] Re: [MIR] u-boot-menu
This is in component mismatches, thereby Fix Committed and ready for an AA to promote.

** Changed in: u-boot-menu (Ubuntu)
       Status: In Progress => Fix Committed
[Bug 1907284] Re: [MIR] u-boot-menu
This is a short and sweet package, so I'll skip the full boilerplate:

No cves, no setuid executables, no use of complex frameworks, no sudo fragments, no initscripts or systemd units, it's really just a few shellscripts that look like they were well-written.

I wish it were a quilt package rather than a patchless package but changing that just on the off-chance that we have to do work on this is probably more work than it deserves.

There were some shellcheck results, but they're probably not security critical, there shouldn't be untrusted inputs into this tool.

Security team ACK for promoting u-boot-menu to main.

Thanks

shellcheck results (I trimmed it a bit):

./u-boot-update:100:8: note: read without -r will mangle backslashes. [SC2162]
./u-boot-update:103:1: note: read without -r will mangle backslashes. [SC2162]
./u-boot-update:103:24: warning: _FS_VFSTYPE appears unused. Verify it or export it. [SC2034]
./u-boot-update:103:36: warning: _FS_MNTOPS appears unused. Verify it or export it. [SC2034]
./u-boot-update:103:47: warning: _FS_FREQ appears unused. Verify it or export it. [SC2034]
./u-boot-update:103:56: warning: _FS_PASSNO appears unused. Verify it or export it. [SC2034]
./u-boot-update:121:15: note: To read lines rather than words, pipe/redirect to a 'while read' loop. [SC2013]
./u-boot-update:172:27: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:178:23: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:178:40: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:178:52: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:181:25: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:181:42: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:184:25: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:184:42: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:194:10: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:209:10: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:220:26: note: See if you can use ${variable//search/replace} instead. [SC2001]
./u-boot-update:220:31: note: Double quote to prevent globbing and word splitting. [SC2086]
./u-boot-update:225:14: note: $/${} is unnecessary on arithmetic variables. [SC2004]
./zz-sync-dtb:30:17: note: Double quote to prevent globbing and word splitting. [SC2086]

** Changed in: u-boot-menu (Ubuntu)
       Status: New => In Progress
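
What the two most frequent findings in the shellcheck output above, SC2162 and SC2086, change in practice, as an added example that is not part of the original message and not code from u-boot-menu. The variable names _FS_VFSTYPE, _FS_MNTOPS, _FS_FREQ and _FS_PASSNO are taken from the findings; _FS_SPEC, _FS_FILE, the function names and all sample input are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added illustration, not code from u-boot-menu. All sample input is constructed.

# Constructed fstab-style entry; fstab writes a space in a path as \040.
SAMPLE_LINE='/dev/mmcblk0p2 /mnt/my\040disk ext4 defaults 0 1'

# SC2162: plain `read` treats backslash as an escape and drops it.
# _FS_SPEC and _FS_FILE are assumed names; the other four appear in the findings.
mount_point_plain() {
    printf '%s\n' "$1" | {
        # shellcheck disable=SC2162,SC2034
        read _FS_SPEC _FS_FILE _FS_VFSTYPE _FS_MNTOPS _FS_FREQ _FS_PASSNO
        printf '%s' "$_FS_FILE"
    }
}

# Same parse with -r: the field is returned exactly as written.
mount_point_raw() {
    printf '%s\n' "$1" | {
        # shellcheck disable=SC2034
        read -r _FS_SPEC _FS_FILE _FS_VFSTYPE _FS_MNTOPS _FS_FREQ _FS_PASSNO
        printf '%s' "$_FS_FILE"
    }
}

# Helper: report how many arguments a command would receive.
count_args() { printf '%s' "$#"; }

# SC2086: an unquoted expansion is split on whitespace (and glob-expanded).
args_unquoted() {
    _VALUE=$1
    # shellcheck disable=SC2086
    count_args $_VALUE
}

# Quoted: the value stays a single argument whatever it contains.
args_quoted() {
    _VALUE=$1
    count_args "$_VALUE"
}

# Constructed value containing spaces, e.g. a kernel parameter string.
SAMPLE_VALUE='ro quiet splash'
printf 'read:     %s\n' "$(mount_point_plain "$SAMPLE_LINE")"
printf 'read -r:  %s\n' "$(mount_point_raw "$SAMPLE_LINE")"
printf 'unquoted: %s args\n' "$(args_unquoted "$SAMPLE_VALUE")"
printf 'quoted:   %s args\n' "$(args_quoted "$SAMPLE_VALUE")"
```

Both behaviours only matter when a field can contain backslashes, whitespace or glob characters, which is why the values a script reads decide how much weight such findings carry.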
[Bug 1907284] Re: [MIR] u-boot-menu
** Changed in: u-boot-menu (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1907284] Re: [MIR] u-boot-menu
[Summary]
This is a small package that provides only a bash script and some kernel postinst/prerm hooks. There are no concerning problems with the package, so ACK from MIR team.

As this script deals with configuration of the boot-time menu, and thus affects code started at boot time, this does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: u-boot-menu

Notes:
There are 2 identified issues (aside from needing security review), as listed in the details below, but I don't feel either are important enough to block MIR:
1. There are no build-time or autopkgtest test cases, but this is a single simple script.
2. The Ubuntu devel version lags behind Debian but only by a single minor version.

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no CVEs found
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

Problems:
- does involve control of boot

[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber
- no translation present, but none needed for this case
- not a python/go package, no extra constraints to consider in that regard

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch not applicable, native package
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- Not Go Package

Problems:
- the current release is not packaged in hirsute, but 1 minor version behind

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: u-boot-menu (Ubuntu)
     Assignee: Dan Streetman (ddstreet) => Ubuntu Security Team (ubuntu-security)
[Bug 1907284] Re: [MIR] u-boot-menu
** Changed in: u-boot-menu (Ubuntu)
     Assignee: (unassigned) => Dan Streetman (ddstreet)