[Summary]
The further dependencies AND the testing really need effort to be spent.
But for the package itself from a pure MIR/Packaging POV ACK.
This does need a security review, so I'll assign ubuntu-security

List specific binary packages to be promoted to main: golang-github-gcp-guest-logging-go-dev

TODO for package or context owner:
Another word on testing...:
It is important to mention that all of the packages in this stack are much more
"here a bit code, there a bit code and maybe things work" than huge mature
projects usually are. I understand that this is to some extent the nature of the go
ecosystem. But there are go based projects which have coordinated releases of
main and dependent projects and, more importantly, coordinated testing end-to-end
as well as individually.
This should really be considered here at least for the scope of the full
guest-agent stack. Maybe there is some CI or end-to-end testing for the guest
agent already (I can't think about google working on this without). If there is
please add to the description what exists and what it tests in which scope.
If it comes down to a matrix of git-hashes (=go style package dependencies)
how could we ensure our combination (or even with SRUs considered plus patches)
is covered or could run the same tests?

[Duplication]
OK:
In terms of loggers there is the standard log api in golang and on top
golang-github-sirupsen-logrus-dev in main (compatible API structured logger).
But this package is not about that - it is about "guest-logging" which is
different.
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion

Problems:
- other Dependencies to MIR due to this: golang-google-cloud-dev and
  golang-google-genproto-dev will be needed, but they are already listed as
  known TODO to extend the MIR about.

[Embedded sources and static linking]
- no embedded source present
- no static linking (except golang which makes build-deps real deps)

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

The problem is that many things will flow through here, and history shows that
a simple mistake in an in-between shim layer or such can be eventually fatal.
We should have a security review just to be sure and that might become true for
most of the follow on dependencies for the same reasons.

[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider in that regard
- Go package that uses dh-golang

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
This is a general problem, I've added some words to the summary above.

- The package has a team bug subscriber
  As I said please subscribe the team not only when it is promoted but now - this also
  helps to see what you sign up for.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta (This is Ubuntu only)
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- the current release is packaged (no releases, but git commits)
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using (only in the final package using it)
- Go Package that follows the Debian Go packaging guidelines

Problems:
- Ubuntu (not Debian) update history is too new to say anything about it
- Upstream update history is not too active (well they do no releases,
  but commits are rare)

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (golang)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

Problems:
- The package contains a scary 220 entry go.sum file but that is just a
  bad artifact. Build works without all those.
  Yet the go.mod indicated a huge dependency list we need to cover.
  I have added them to the TODO section in the description and an extra comment.


** Changed in: golang-github-gcp-guest-logging-go (Ubuntu)
     Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)
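As an added example (not code from the bug report, from the guest-agent project, or from Ubuntu's packaging tooling), the Python script below parses a go.mod and a go.sum to show the distinction the review draws: go.sum carries two hash lines per module version plus transitive and superseded modules that never reach the build, while the require directives in go.mod are the dependency list a MIR actually has to cover. The go.mod and go.sum contents, module paths, versions and hashes are constructed samples, not the real files of golang-github-gcp-guest-logging-go.

```python
"""Compare the dependency list in go.mod with the entry count of go.sum.

Added example, not part of the bug report or the package under review.
SAMPLE_GO_MOD and SAMPLE_GO_SUM are constructed; the module path
example.com/sample/logging and all hashes are hypothetical.
"""

# Constructed go.mod: one single-line require plus one require block,
# with one dependency marked "// indirect".
SAMPLE_GO_MOD = """\
module example.com/sample/logging // hypothetical module path

go 1.13

require cloud.google.com/go v0.50.0

require (
    github.com/sirupsen/logrus v1.4.2
    golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 // indirect
    google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a
)
"""

# Constructed go.sum: two lines per module version (zip hash and go.mod hash),
# plus modules that are only transitive or only superseded versions.
SAMPLE_GO_SUM = """\
cloud.google.com/go v0.50.0 h1:aaaa
cloud.google.com/go v0.50.0/go.mod h1:bbbb
github.com/sirupsen/logrus v1.4.2 h1:cccc
github.com/sirupsen/logrus v1.4.2/go.mod h1:dddd
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:eeee
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:ffff
google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a h1:gggg
google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:hhhh
github.com/golang/protobuf v1.3.2 h1:iiii
github.com/golang/protobuf v1.3.2/go.mod h1:jjjj
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:kkkk
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:llll
"""


def parse_go_mod_requires(text):
    """Return {module_path: (version, is_indirect)} from go.mod require directives.

    Handles both the single-line form "require M V" and the block form
    "require ( ... )"; a trailing "// indirect" comment marks the dependency
    as transitive.
    """
    deps = {}
    in_block = False
    for raw in text.splitlines():
        code, _, comment = raw.strip().partition("//")
        code = code.strip()
        indirect = "indirect" in comment
        if in_block:
            if code == ")":
                in_block = False
            elif code:
                module, version = code.split()[:2]
                deps[module] = (version, indirect)
            continue
        if code.startswith("require"):
            rest = code[len("require"):].strip()
            if rest == "(":
                in_block = True
            elif rest:
                module, version = rest.split()[:2]
                deps[module] = (version, indirect)
    return deps


def parse_go_sum(text):
    """Return (line_count, {module_path: set(versions)}) from go.sum.

    The "/go.mod" suffix is stripped so both hash lines of one module
    version collapse onto the same version entry.
    """
    versions = {}
    lines = [line for line in text.splitlines() if line.strip()]
    for line in lines:
        module, version, _hash = line.split()
        if version.endswith("/go.mod"):
            version = version[: -len("/go.mod")]
        versions.setdefault(module, set()).add(version)
    return len(lines), versions


def dependency_summary(go_mod_text, go_sum_text):
    """Summarise what go.mod requires versus what go.sum merely pins."""
    deps = parse_go_mod_requires(go_mod_text)
    sum_lines, sum_versions = parse_go_sum(go_sum_text)
    return {
        "go_sum_lines": sum_lines,
        "go_sum_modules": len(sum_versions),
        "direct": sorted(m for m, (_, ind) in deps.items() if not ind),
        "indirect": sorted(m for m, (_, ind) in deps.items() if ind),
        "only_in_go_sum": sorted(set(sum_versions) - set(deps)),
    }


if __name__ == "__main__":
    for key, value in dependency_summary(SAMPLE_GO_MOD, SAMPLE_GO_SUM).items():
        print(f"{key}: {value}")
```

On the constructed input the twelve go.sum lines collapse to six modules, of which only three are direct requirements in go.mod; the modules that appear in go.sum alone are the ones a reviewer can usually set aside, while every direct require (and any indirect one the build actually resolves) still needs a corresponding package in main.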

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1894731

Title:
  [MIR] golang-*, Go build dependencies of google-guest-agent

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-github-gcp-guest-logging-go/+bug/1894731/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
