Public bug reported:

Hello, the Ubuntu Security Team would like the libopenscap8 binary
package from openscap promoted to main. libopenscap8 is incorporated
into the CVEscan snap:
https://github.com/canonical/sec-cvescan/blob/master/snapcraft.yaml

One wrinkle is that we'd like libopenscap8 from an existing release
moved into main, so that it can be used by the snapcraft build process.
I don't know the snap ecosystem well enough to know if CVEscan can be
ported to the core20 world or if it must remain in the core18 world. So we
may want openscap from 18.04 LTS or openscap from 20.04 LTS
retroactively promoted to main.

[Availability]
openscap is in universe.

[Rationale]
The Ubuntu Security Team would like the libopenscap8 binary package from 
openscap promoted to main. libopenscap8 is incorporated into the CVEscan snap: 
https://github.com/canonical/sec-cvescan/blob/master/snapcraft.yaml

[Security]
As the intention is to use libopenscap8 in security software, it may make sense 
to require a security review. However, the package has no executables, no 
setuid or setgid files, does not daemonize or otherwise run a persistent 
service itself, and does not open listening ports.

[Quality assurance]
- No configuration is necessary to use the library, though applications that 
use this library will need to be configured.
- grep -ri debconf returns no results.
- The Debian package appears to be in an unfortunate state:
  - Still provides a python2 package, no python3 package:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=937211
  - A segfault with upstream fix has been ignored:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932120
- The upstream fix for the segfault was intermingled with an unrelated new 
feature:
  - https://github.com/OpenSCAP/openscap/pull/1387/commits
- Upstream bug tracker has many open issues, some security relevant issues open 
for years.
- The Ubuntu bug tracker has very few open issues; the most important one is 
the segfault that has been ignored in Debian. The SRU appears stalled:
  - https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1851682
- Tests are not run (see debian/rules).
- debian/watch exists.
- lintian messages:
  E: openscap source: source-is-missing xsl/xccdf-resources/bootstrap.min.js
  E: openscap source: source-is-missing xsl/xccdf-resources/openscap.js line length is 263 characters (>256)
  W: openscap source: python-foo-but-no-python3-foo python-openscap

[Dependencies]
All dependencies of the libopenscap8 library are in main. The source package is 
less happy:
Build-Depends:
- dh-python
- python-defaults
- swig

[Standards compliance]
- I didn't spot FHS problems in the libopenscap8 binary package.
- Unknown Debian policy compliance.
- Quilt package

[Maintenance]
Security team will subscribe to bugs.

[Background information]
SCAP is an assertion language that is popular in the security community for 
standardizing data streams. It can be used both to encode information about 
vulnerable packages (as our OVAL data currently does) and to provide rules 
for measuring compliance with published security standards.
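As an added example (mine, not the MIR report's text or openscap's code): how an OVAL vulnerability definition of the kind the Ubuntu OVAL data contains is evaluated against installed dpkg versions, which is what a CVE scanner built on libopenscap8 does. The OVAL document, its IDs and the version string are constructed; element names follow the OVAL linux-def schema with namespaces omitted, and dpkg_cmp() reimplements Debian version ordering in Python instead of calling dpkg.

```python
import re
import xml.etree.ElementTree as ET
from itertools import zip_longest

# Constructed, simplified OVAL document: linux-def element names, but namespaces, metadata and real versions omitted
OVAL_XML = """<oval_definitions><definitions><definition id="oval:example:def:1" class="vulnerability">
 <criteria><criterion test_ref="oval:example:tst:1"/></criteria></definition></definitions>
 <tests><dpkginfo_test id="oval:example:tst:1"><object object_ref="oval:example:obj:1"/>
  <state state_ref="oval:example:ste:1"/></dpkginfo_test></tests>
 <objects><dpkginfo_object id="oval:example:obj:1"><name>libopenscap8</name></dpkginfo_object></objects>
 <states><dpkginfo_state id="oval:example:ste:1"><evr datatype="debian_evr_string"
  operation="less than">0:1.2.16-2ubuntu1</evr></dpkginfo_state></states></oval_definitions>"""
# OVAL comparison operations mapped to the dpkg_cmp() results that satisfy them
OPS = {"less than": (-1,), "less than or equal": (-1, 0), "equals": (0,), "greater than": (1,)}

def _ord(c):  # dpkg character order: end-of-string 0, '~' lowest, then letters, then other punctuation
    return 0 if c == "" else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
_sign = lambda n: (n > 0) - (n < 0)  # -1, 0 or 1

def _cmp_part(a, b):
    """dpkg order of an upstream or revision string: non-digit runs char by char, digit runs numerically."""
    def tokens(s):  # alternating (non-digit run, numeric run) pairs
        return [(m.group(1), int(m.group(2) or 0))
                for m in re.finditer(r"(\D*)(\d*)", s) if m.group()]
    for (sa, na), (sb, nb) in zip_longest(tokens(a), tokens(b), fillvalue=("", 0)):
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _ord(x) != _ord(y):
                return _sign(_ord(x) - _ord(y))
        if na != nb:
            return _sign(na - nb)
    return 0

def dpkg_cmp(v1, v2):
    """Debian version order: epoch, then upstream version, then Debian revision."""
    def split(v):  # "[epoch:]upstream[-revision]"; the revision starts at the last hyphen
        e, up, rev = re.fullmatch(r"(?:(\d+):)?(.+?)(?:-([^-]*))?", v).groups()
        return int(e or 0), up, rev or ""
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return _sign(e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def evaluate(oval_xml, installed):
    """Return {definition id: True if vulnerable}; `installed` maps package name to version."""
    by_id = {e.get("id"): e for e in ET.fromstring(oval_xml).iter() if e.get("id")}
    def criterion_holds(c):
        test = by_id[c.get("test_ref")]
        name = by_id[test.find("object").get("object_ref")].findtext("name")
        evr = by_id[test.find("state").get("state_ref")].find("evr")
        # a package that is not installed cannot match a vulnerable version range
        return name in installed and dpkg_cmp(installed[name], evr.text) in OPS[evr.get("operation")]
    # <criteria> default operator is AND: every criterion must hold for the definition to match
    return {d.get("id"): all(criterion_holds(c) for c in d.iter("criterion"))
            for d in by_id.values() if d.tag == "definition"}
```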

Thanks

** Affects: openscap (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1877696

Title:
  [MIR] openscap


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
