[Bug 2052652] Re: [MIR] gnome-snapshot

2024-03-26 Thread Sebastien Bacher
it was demoted, unsure who promoted it back but yes it seems we need an
ubuntu-desktop upload for the component mismatch to go away, updating
the seed wasn't enough

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2052652

Title:
  [MIR] gnome-snapshot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-snapshot/+bug/2052652/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2052652] Re: [MIR] gnome-snapshot

2024-03-26 Thread Lukas Märdian
Please make sure src:cheese gets demoted properly. It seems to be back
in "main" now.

seb128> slyon, I think we need an upload of ubuntu-desktop which didn't
happen yet


[Bug 2052652] Re: [MIR] gnome-snapshot

2024-03-25 Thread Sebastien Bacher
Thanks, we have a +1 from the security team now

I've 
- promoted gstreamer1.0-libcamera to main
- demoted -S cheese
- subscribed the desktop-packages team to the package on launchpad

Which were the remaining 'required' items from the MIR side, we will try
to address the recommended one still but that's enough for now so I've
promoted gnome-snapshot (the desktop seed has also been updated to
cheese -> gnome-snapshot)

$ ./change-override -c main -S gnome-snapshot
Override component to main
gnome-snapshot 45.2+vendored-0ubuntu1 in noble: universe/misc -> main
gnome-snapshot 45.2+vendored-0ubuntu1 in noble amd64: 
universe/gnome/optional/100% -> main
gnome-snapshot 45.2+vendored-0ubuntu1 in noble arm64: 
universe/gnome/optional/100% -> main
gnome-snapshot 45.2+vendored-0ubuntu1 in noble armhf: 
universe/gnome/optional/100% -> main
gnome-snapshot 45.2+vendored-0ubuntu1 in noble ppc64el: 
universe/gnome/optional/100% -> main
gnome-snapshot 45.2+vendored-0ubuntu1 in noble riscv64: 
universe/gnome/optional/100% -> main
gnome-snapshot 45.2+vendored-0ubuntu1 in noble s390x: 
universe/gnome/optional/100% -> main
Override [y|N]? y
7 publications overridden.


** Changed in: gnome-snapshot (Ubuntu)
   Status: In Progress => Fix Released


[Bug 2052652] Re: [MIR] gnome-snapshot

2024-03-22 Thread Nick Galanis
I reviewed gnome-snapshot 45.2+vendored-0ubuntu2 as checked into noble. This
shouldn't be considered a full audit but rather a quick gauge of maintainability.
Due to time constraints, this report only took into account the package itself,
and not its significant number (244) of vendored libraries. Many of those should
be removed as mentioned in https://gitlab.gnome.org/GNOME/snapshot/-/issues/137.
However, none of the used ones are non-standard.
For now, the following audit is only going to report findings in the source
code of the Rust package gnome-snapshot.

gnome-snapshot is a camera application designed for GNOME environments, 
offering straightforward functionality for capturing photos and videos across 
various devices. It is a new package, and it serves as an updated replacement 
for older GNOME camera apps.

- CVE History
  - None, package is new
- Build-Depends
  - Many vendored libraries, some of them not needed (e.g. https://gitlab.gnome.org/GNOME/snapshot/-/issues/137)
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - Unit tests ran during build
  - Absence of autopkgtests, already a recommended TODO by the MIR team
- cron jobs
  - None
- Build logs
  - No warnings / errors during build

- Processes spawned
  - Does not interact with user input, thus not susceptible to any command 
injection attacks or unsafe arguments
- Memory management
  - Mostly using Rust's memory safe features
  - "unsafe" stanzas look non-problematic
- File IO
  - Nature of the package requires I/O interaction with local storage
  - Unsafe processing of user-owned files, already-existing in the system by 
calling open_with_system() in gallery.js, which does not filter file types, as 
mentioned in a TODO by the developers in line 301, and can result in the 
processing of untrusted files. However, given the threat model (user-owned 
files and user-owned machine), this is not concerning as even with filtering, 
the user could rename the files and process them
- Logging
  - Safe, does not include user input
- Environment variable usage
  - Can not be abused
- Use of privileged functions
  - Only used for installing dependencies
- Use of cryptography / random number sources etc
  - None, not needed due to the nature of the package
- Use of temp files
  - None
- Use of networking
  - None, only inter-process communication to respond to GUI events
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- Any significant cppcheck results
  - None
- Any significant Coverity results
  - None
- Any significant shellcheck results
  - None
- Any significant bandit results
  - None
- Any significant govulncheck results
  - None
- Any significant Semgrep results
  - None

Security team ACK for promoting gnome-snapshot to main.

Overall, the package is well-written, and developed in a memory-safe language,
something that makes us believe that it will be less susceptible to 
vulnerabilities in the future. Moreover, it is maintained by GNOME, leading us
to trust that the code will be well-maintained and monitored for vulnerabilities
in the future.

When it comes to the code itself, along with the above-mentioned issue of 
processing local files without filtering, it contains many non-security related
TODOs by the developers, which is due to the young age of the package. We 
believe and suggest that those will be resolved in the near future.

** Changed in: gnome-snapshot (Ubuntu)
   Status: Incomplete => In Progress

** Changed in: gnome-snapshot (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)


[Bug 2052652] Re: [MIR] gnome-snapshot

2024-03-19 Thread Lukas Märdian
#1 still pending

#2 +1
$ find . | grep "\.a" does not return anything anymore

#3 +1
$ CARGO_VENDOR_DIR=debian/missing-sources /usr/share/cargo/bin/dh-cargo-vendored-sources
is happy, so am I. This should fulfil the minimum requirement.

#4 still pending

#5 +1, thanks!


LGTM! MIR team ACK, just pending:
* security ACK
* demotion of src:cheese
* promotion of gstreamer1.0-libcamera binary (src:libcamera), which seems to be 
ready according to LP: #1997560


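As an added example (not from this thread, and not part of the snapshot packaging), a stricter form of the `.a` check in item #2 above: `find . | grep "\.a"` matches any path that merely contains the characters `.a` (a file named `data.apply` would hit), so this POSIX sh function keys on binary file extensions plus the `!<arch>` magic that every ar(1) archive starts with, and reports zero-byte placeholders, like the empty systemdeps `.a` Jeremy mentions, separately from real archives. The vendored tree path is an argument; the constructed sample files in any test are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug thread: scan a vendored crate tree for
# pre-compiled binaries that a MIR reviewer would want removed before
# promotion to main. Prints one line per hit: "<kind> <path>", where
#   archive - real ar archive (.a/.lib starting with the "!<arch>" magic)
#   empty   - zero-byte file with a binary extension (placeholder, tolerated)
#   binary  - other binary extension without ar magic (.so/.dll/.dylib/.o/.rlib)
scan_vendored_binaries() {
    dir=$1
    find "$dir" -type f \( -name '*.a' -o -name '*.lib' -o -name '*.so' \
        -o -name '*.dll' -o -name '*.dylib' -o -name '*.o' -o -name '*.rlib' \) |
    LC_ALL=C sort |
    while IFS= read -r f; do
        if [ ! -s "$f" ]; then
            printf 'empty %s\n' "$f"
        elif [ "$(head -c 7 "$f" 2>/dev/null)" = '!<arch>' ]; then
            # The first 7 bytes of every ar(1) archive are "!<arch>".
            printf 'archive %s\n' "$f"
        else
            printf 'binary %s\n' "$f"
        fi
    done
}

# Gate for a packaging check: returns 1 if any real archive or binary is
# present, 0 if the tree is clean or only contains empty placeholders.
check_vendored_tree() {
    out=$(scan_vendored_binaries "$1")
    [ -n "$out" ] && printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -Eq '^(archive|binary) ' && return 1
    return 0
}
```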
[Bug 2052652] Re: [MIR] gnome-snapshot

2024-03-19 Thread Jeremy Bícha
I uploaded https://launchpad.net/ubuntu/+source/gnome-snapshot/46.0-1ubuntu1

It ended up being an overhaul of the packaging to try to meet MIR
expectations. This is my subteam's first time with a Rust app so it's
understandable that we're still learning.

It now uses the same minimal upstream tarball as Debian. And then we
specifically run  cargo vendor  ourselves in the debian/missing-sources/
directory so that we can update the vendored crates at any time.

#2 try getting rid of pre-compiled static libraries
It looks to me like the only .a files now are in the Windows crates.
There was one false positive, an empty .a file for systemdeps but I've removed 
that from our vendoring with a slight hack in debian/rules to restore it when 
needed.

#3 Improve tracking of vendored Rust dependencies (e.g. using dh_cargo),
I at least am now using XS-Vendored-Sources-Rust. This app uses meson as its 
build system so it's unclear to me where I could inject dh_cargo commands. I 
can follow up later with Foundations to see if this can be improved but I'm 
guessing it meets the minimum requirement here.

#5 Document how to refresh the vendored dependencies

https://salsa.debian.org/ubuntu-dev-team/snapshot/-/blob/ubuntu/latest/debian/README.source

#7 Consider implementing autopkgtests, using a simulated video device
I don't hav

#8 Give clearer guidance on where and how packaging will be hosted (e.g. using 
Vcs-Git control fields)
   And how the Ubuntu delta will be handled going forward, see bug #2054163

The Vcs-Git fields are updated and a debian/README.source is provided to
document details.

#9 consider fixing some of the more relevant lintian warnings:
No errors are emitted now.

Snapshot has no relevant command line options so a manpage doesn't seem
helpful.

hardening-no-fortify-functions is often a false positive. It is
currently classified as "informational" which suggests that Debian isn't
confident enough in this tag.

Vendoring actually increased the pedantic warnings with several instances of
maintainer-manual-page [debian/missing-sources/
package-does-not-install-examples [debian/missing-sources/
and one instance of source: unknown-field Vendored-Sources-Rust

Windows
---
There isn't an easy way to remove the Windows crates. Possibly the crates could 
be patched to not require the Windows dependencies, but remember that the 
crates aren't part of the upstream source here so it would be patching after we 
run the  crate vendor  command, which is unusual but might be able to work. 
Those patches may need to be frequently rebased.


[Bug 2052652] Re: [MIR] gnome-snapshot

2024-03-18 Thread Mark Esler
There are unnecessary crates being vendored. I filed an upstream issue:
https://gitlab.gnome.org/GNOME/snapshot/-/issues/137

This causes a bandwidth strain on mirrors or wherever the source package
is needed.

To be clear, this is not a Security issue and does not impact Security's
review (since owning team is responsible for maintaining security of
vendored packages). This pattern has been raised as a MIR issue:
https://github.com/canonical/ubuntu-mir/issues/51

** Bug watch added: gitlab.gnome.org/GNOME/snapshot/-/issues #137
   https://gitlab.gnome.org/GNOME/snapshot/-/issues/137

** Bug watch added: github.com/canonical/ubuntu-mir/issues #51
   https://github.com/canonical/ubuntu-mir/issues/51


[Bug 2052652] Re: [MIR] gnome-snapshot

2024-02-28 Thread Mark Esler
** Changed in: gnome-snapshot (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Tags added: sec-3916
