** Description changed:

  [Availability]
  
- TODO: The package must already be in the Ubuntu universe, and must build
- for the architectures it is designed to work on.
+ - Package is already in Ubuntu universe and was added in focal:
  
- TODO: mention which binaries we actually want (if the package builds
- more than one).  Check the dependency-tree.txt file which binary we
- actually need vs the debian/control file in the source
+  libslirp | 4.0.0-2 | focal/universe | source
+  libslirp0 | 4.0.0-2 | focal/universe | amd64, arm64, armhf, ppc64el, s390x
+ 
+ - Source package builds: libslirp0 and libslirp-dev:
+ 
+ $ dpkg -L libslirp0
+ /.
+ /usr
+ /usr/lib
+ /usr/lib/x86_64-linux-gnu
+ /usr/lib/x86_64-linux-gnu/libslirp.so.0.0.0
+ /usr/share
+ /usr/share/doc
+ /usr/share/doc/libslirp0
+ /usr/share/doc/libslirp0/changelog.Debian.gz
+ /usr/share/doc/libslirp0/copyright
+ /usr/lib/x86_64-linux-gnu/libslirp.so.0
+ 
+ $ dpkg -L libslirp-dev 
+ /.
+ /usr
+ /usr/include
+ /usr/include/slirp
+ /usr/include/slirp/libslirp-version.h
+ /usr/include/slirp/libslirp.h
+ /usr/lib
+ /usr/lib/x86_64-linux-gnu
+ /usr/lib/x86_64-linux-gnu/pkgconfig
+ /usr/lib/x86_64-linux-gnu/pkgconfig/slirp.pc
+ /usr/share
+ /usr/share/doc
+ /usr/share/doc/libslirp-dev
+ /usr/share/doc/libslirp-dev/copyright
+ /usr/lib/x86_64-linux-gnu/libslirp.so
+ /usr/share/doc/libslirp-dev/changelog.Debian.gz
  
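Review bot: the replaced TODO in [Availability] asked which binaries are actually wanted, and the new text only says the source builds libslirp0 and libslirp-dev and lists their files. State explicitly which of the two is being requested for main, and whether libslirp-dev is needed only as a build dependency, so the scope of the promotion is unambiguous.
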
  [Rationale]
  
- TODO: check if this code (or older versions of it) was part of mailman2
- already - if it was leave here: This code was formerly part of mailman2
- which is in main, but was split into an extra package and evolved from
- there on its own)
+ The library, whose this package distributes, was part of QEMU, and has
+ been spinned off just recently:
+ 
+ commit 7c57bdd820
+ Author: Marc-André Lureau <marcandre.lur...@redhat.com>
+ Date:   Wed Apr 24 08:00:41 2019
+ 
+     build-sys: move slirp as git submodule project
+     
+     The slirp project is now hosted on freedesktop at:
+     https://gitlab.freedesktop.org/slirp.
+     
+     The libslirp source was extracted from qemu/slirp filtered through
+     clang-format (available in project tree). The qemu slirp directory can
+     be swapped by a git submodule.
+     
+     Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com>
+     Message-Id: <20190424110041.8175-3-marcandre.lur...@redhat.com>
+     Signed-off-by: Samuel Thibault <samuel.thiba...@ens-lyon.org>
+ 
+ But it is still used as a dependency for QEMU project (CONFIG_SLIRP),
+ and that's why it should, IMO, be maintained in [main].
  
  [Security]
  
- TODO: check the security History of the package
- - http://people.ubuntu.com/~ubuntu-security/cve/universe.html
- - http://cve.mitre.org/cve/cve.html
+ - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libslirp - shows 2
+ CVEs:
+ 
+   - CVE-2019-15890 - libslirp 4.0.0 has a use-after-free in ip_reass in 
ip_input.c.
+   - CVE-2019-14378 - ip_reass in ip_input.c in libslirp 4.0.0 has a 
heap-based buffer overflow via a large packet because it mishandles a case 
involving the first fragment.
+   
+ - both cves were handled by Debian as well:
+ 
+   - https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html
+   - https://www.debian.org/security/2019/dsa-4506
  
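Review bot: the [Security] entry names CVE-2019-15890 and CVE-2019-14378 against libslirp 4.0.0 and says Debian handled both, but it never says whether the 4.0.0-2 package listed under [Availability] for focal already carries the fixes. Add, per CVE, the package version or patch that fixes it in Ubuntu. Both are memory-safety bugs in ip_reass, so "handled by Debian" with two links is not enough to conclude the version proposed for main is fixed.
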
  [Quality assurance]
  
- The mailman3 stacks as of now (Disco) installs fine and provides a base
- config. But due to the nature of the package that needs further modification
- to be of real use.
+ - Both package install fine. libslirp-dev correctly includes the .so
+ alias to latest libslirp0 .so.0 file.
  
- TODO: The package must not ask debconf questions higher than medium if
- it is going to be installed by default. The debconf questions must have
- reasonable defaults.
+ - Packages don't have any debconf questions.
  
- TODO: There are no long-term outstanding bugs which affect the usability
- of the program to a major degree. To support a package, we must be
- reasonably convinced that upstream supports and cares for the package.
+ - No long-term outstanding issues:
  
- TODO: The status of important bugs in Debian's, Ubuntu's, and upstream's
- bug tracking systems must be evaluated. Important bugs must be pointed
- out and discussed in the MIR report.
+   * There are no bugs in launchpad for libslirp
+   * There are no bugs in Debian project for libslirp
+   * There are 3 on-going registered issues upstream:
+     - To make slirp as a standalone process and not a lib.
+     - To rewrite slip in rust (some examples given, nothing big)
+     - Create integration with OSS fuzz project
+   * Fixes to be merged: 
  
- TODO: The package is maintained well in Debian/Ubuntu (check out the
- Debian PTS)
+ - Overall package seems really well maintained, specially by Marc-André
+ from the QEMU team.
  
- TODO: The package should not deal with exotic hardware which we cannot
- support.
+ - Important bugs:
+   - https://gitlab.freedesktop.org/slirp/libslirp/merge_requests/20/commits
+   - we should make sure to include those fixes before feature freeze
  
- TODO: If the package ships a test suite, and there is no obvious reason
- why it cannot work during build (e. g. it needs root privileges or
- network access), it should be run during package build, and a failing
- test suite should fail the build.
+ - Package does NOT deal with exotic hardware.
  
- TODO: The package uses a debian/watch file whenever possible. In cases
- where this is not possible (e. g. native packages), the package should
- either provide a debian/README.source file or a debian/watch file (with
- comments only) providing clear instructions on how to generate the
- source tar file.
+ - Packages does NOT have any DEP8 tests. Upstream has a TODO on
+ integrating source code with automated fuzzing only. A consumer project
+ (https://github.com/rootless-containers/slirp4netns/) seem to have tests
+ that stress libslirp and that could help us in bringing something as
+ DEP8 tests.
  
- TODO: It is often useful to run lintian --pedantic on the package to
- spot the most common packaging issues in advance
+ - Package has debian/watch AND the MR asking it to be imported to git-
+ ubuntu was already done (https://code.launchpad.net/~rafaeldtinoco/usd-
+ importer/+git/usd-importer/+merge/376164).
  
- TODO: The package should not rely on obsolete or about to be demoted
- packages. That currently includes package dependencies on Python2
- (without providing Python3 packages), and packages depending on GTK2.
+ - There are some lintian warnings:
+ 
+ $ lintian --pedantic ../libslirp_4.0.0-2.dsc 
+ P: libslirp source: debian-rules-not-executable
+ P: libslirp source: file-contains-trailing-whitespace debian/control (line 35)
+ P: libslirp source: package-uses-old-debhelper-compat-version 11
+ P: libslirp source: rules-requires-root-missing
+ P: libslirp source: unversioned-copyright-format-uri 
http://dep.debian.net/deps/dep5
+ P: libslirp source: uses-debhelper-compat-file
+ 
+ that should be fixed.
+ 
+ - Package does not rely on obsolete dependencies.
  
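Review bot: in [Quality assurance] the "* Fixes to be merged:" item is left empty, and the "Important bugs" entry links merge_requests/20 without saying what those commits fix or why they must land before feature freeze. List the fixes by title or commit so they can be tracked against the package. The test-suite TODO was also replaced only by the statement that there are no DEP8 tests. Say whether upstream ships a test suite that runs at build time, since the text describes fuzzing as an upstream TODO and the slirp4netns tests as something that "could help", which leaves the library with no stated automated coverage.
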
  [UI standards]
  
- TODO: End-user applications must be internationalized (translatable),
- using the standard intltool/gettext build and runtime system and produce
- a proper PO template during build.
- 
- TODO: End-user applications must ship a standard conformant desktop
- file.
+ N/A
  
  [Dependencies]
  
- Some dependencies are not in main, but we drive MIR for all related packages
- that are not in main at the same time.
+ - All the dependencies are in [main]:
  
- Please check the list of bugs from the main Mailman3 MIR to get an
- overview.
+ $ apt-cache depends libslirp0
+ libslirp0
+   Depends: libc6
+   Depends: libglib2.0-0
+   
+ $ apt-cache depends libslirp-dev 
+ libslirp-dev
+   Depends: libslirp0
  
  [Standards compliance]
  
- TODO: The package should meet the FHS and Debian Policy standards.
+ - Package DOES follow the FHS and Debian Policy standards (4.4.1).
  
- TODO: Major violations should be documented and justified.
- 
- TODO: Also, the source packaging should be reasonably easy to understand
- and maintain.
+ - Source package is quite simple.
  
  [Maintenance]
  
- The Server team will subscribe for the package for maintenance
+ - The Server team will subscribe for the package for maintenance.
+ - Package is maintained by the QEMU Debian team also.
  
  [Background]
  
- TODO: The package descriptions should explain the general purpose and
- context of the package. Additional explanations/justifications should be
- done in the MIR report.
+ General purpose TCP-IP emulator library (development files) libslirp is
+ a user-mode networking library used by virtual machines, containers or
+ various tools.
+ 
+ In QEMU, libslirp is used by the NET_CLIENT_DRIVER_USER for the legacy
+ network drivers. It is also key part of recent rootless-containers
+ initiatives (slirp4netns, for example).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854404

Title:
  [MIR] libslirp (as it was part of QEMU)