[Summary]
It looks rather good in general, but there are a few things that should be
improved/resolved before promoting this:
- the package needs a bug-subscribing team
- please update to 2.1.4 or 2.3.1 before we promote it
  - also ensure that it will be updated regularly in the future
- please add proper symbols tracking via a .symbols file
- please help to resolve Debian bug 918973
- in any case the package needs a security review
  - we can add you to the security review queue now, but for the MIR ack
    please resolve the above

[Duplication]
OK:
Upstream switched from the optional universe tools tpm2-abrmd/tpm2-tools to a
hard dependency on this package.
From just the description it seems similar to IBM TSS2
(http://ibmswtpm.sourceforge.net/ibmtss2.html).
But on the one hand that is not in main either, and it seems that tpm2-tss is
what upstream projects select.
There are a few reverse dependencies on tpm2-tss but none on the IBM TSS2 atm.
The projects seem to know of each other and coexist, e.g. the IBM TSS2
simulator is used to test tpm2-tss.
The short answer is that there is no other equivalent functionality in main
yet.

[Embedded sources and static linking]
OK:
- no embedded libraries
- no static linking
- no go code

[Security]
OK:
- no past CVEs in tpm2-tss itself but e.g. CVE-2017-7524 in related tools
- runs no daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam), etc.

Reasons to consider it security critical:
- it doesn't parse "data formats", but it does parse data passed in API
  calls, which amounts to the same thing
- it doesn't really process arbitrary web content - but the scope in which
  this came up is fwupd, which means it will be part of processing content
  (for updates). And since that content is downloaded, it is to some extent
  processing web content.
- while it doesn't deal with system auth, with more FIDO2 coming up and the
  TPM being the core of that, it might still be important.
- Furthermore, the whole purpose of this lib is to deal with the TPM, which is
  by default security relevant.

[Common blockers]
- builds fine currently (no FTBFS)
- unit tests are present which run at build time
- code isn't translatable, but also not end user facing
- no python code, so no special checks for that

Need to be resolved:
- no bug subscriber yet

[Packaging red flags]
OK:
- no Ubuntu delta
- debian/watch is present
- current maintainers are not MOTUs
- no massive Lintian warnings
- d/rules is small and clean
- d/control has no Built-Using
- does not use golang
- all sub-dependencies (libc6, libgcrypt20 and adduser) are in main

Should be resolved:
- updates are not slow or sporadic, but the package is on an old version
- The current release is not packaged:
  - packaged: 2.1.0 (October 2018)
  - most recent: 2.3.1 (August 2019)
  - or at least 2.1.4 of May 28 (stable fixes for 2.1)
- It's a library, but lacks symbol tracking

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no Incautious use of malloc/sprintf (that I'd have seen)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (only in Dockerfile
  and install.md)
- no use of User nobody
- no use of setuid
- no known important bugs (crashers, etc) in Debian or Ubuntu
  - but https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918973 seems bad
    enough that it should be resolved before promotion, especially if it
    needs to be right for fwupd
- no Dependency on webkit, qtwebkit, seed or libgoa-*
- no Embedded source copies
- not in scope for the Unity Dash

** Bug watch added: Debian Bug tracker #918973
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918973

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7524

** Changed in: tpm2-tss (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1841595

Title:
  [MIR] tpm2-tss
