Review for Package: src:iwd

[Summary]
iwd (iNet Wireless Daemon) is a modern, up-and-coming wireless daemon for 
Linux. It is written by Intel and aims to replace wpa_supplicant for potential 
benefits in:
- simplification of network management
- faster network discovery
- fast and reliable roaming
- using less system resources
- using features offered by the Linux kernel
- support for enterprise security methods like EAP
- support for kernel asymmetric key rings and trusted platform modules (TPM)
- support for multiple clients

The package is in pretty good shape overall and has been discussed as a
replacement for src:wpa for a long time
(https://discourse.ubuntu.com/t/call-for-testing-improved-wifi-via-iwd/17795,
LP: #1872060 and others). It would be nice to have iwd in
main as a replacement for wpa.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does not need a security review. (TBC)
=> I'm still torn if we need security review for this package. It is in pretty 
good shape overall and uses strong security isolation in its systemd service, 
but still runs the daemon as root. I will consult with the rest of the MIR team 
and might assign it to ~ubuntu-security later on.

List of specific binary packages to be promoted to main: iwd
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
- The MIR talks about replacing wpa with iwd, could you please specify the plan 
for this in more detail, e.g. can we demote src:wpa at the same time as 
promoting src:iwd?
- The src:iwd package contains an embedded source for "ell", but that is not 
being used during build.

Required TODOs:
#1: describe how/when we will be able to demote src:wpa (wpa_supplicant)

#2: Remove src:iwd from the lto-disabled list: LP: #1956950
    And fix the LTO build or put the workaround into the package directly.

#3: get src:ell MIR approved: LP: #1971738

Recommended TODOs:
#4: The package should get a team bug subscriber before being promoted
#5: Double-check if https://bugs.debian.org/1007097 could be a problem
#6: work with upstream/debian to avoid autoconf warnings during build

[Duplication]
There is src:wpa (wpa_supplicant) in main, providing similar functionality. 
There are some reverse-depends that would need to be adopted, if wpa is demoted:
$ reverse-depends -c main src:wpa
Reverse-Recommends
* geoclue-2.0                   (for wpasupplicant)
* network-manager               (for wpasupplicant)

Reverse-Depends
* ubuntu-desktop [amd64 arm64 armhf ppc64el]
* ubuntu-desktop-minimal [amd64 arm64 armhf ppc64el]
* ubuntu-desktop-raspi [arm64 armhf]
* ubuntu-server-raspi [arm64 armhf]

Packages without architectures listed are reverse-dependencies in:
amd64, arm64, armhf, ppc64el, s390x

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- Depends on libell0, proposed for MIR: LP: #1971738

[Embedded sources and static linking]
OK:
- no static linking is used
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used (embedded "ell" is unused)

Problems:
- embedded "ell" source present in ell/, but is not being used (d/rules 
specifies "--enable-external-ell")

[Security]
OK:
- history of CVEs does not look concerning (two of the above mentioned CVEs 
don't even affect iwd, but a different "iwd" application)
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (except its ini-style config)
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- runs a daemon as root, but uses systemd's security/isolation features

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures fail the build
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean

Problems:
- It is on the lto-disabled list: LP: #1956950
  This should be fixed or the workaround should be directly in the package

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems:
- some warnings during the build (e.g. obsolete autoconf macros: AC_LANG_C, 
AC_HELP_STRING)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007097

** Bug watch added: Debian Bug tracker #1007097
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007097

** Changed in: iwd (Ubuntu)
       Status: New => Incomplete

** Changed in: iwd (Ubuntu)
     Assignee: Lukas Märdian (slyon) => Sebastien Bacher (seb128)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1971739

Title:
  [MIR] iwd

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
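The review above flags that iwd runs its daemon as root but relies on systemd's security/isolation features. The following is an added example, not code from the review, from Ubuntu or from the iwd project: a POSIX shell audit that reads a systemd unit file and reports which common sandboxing directives are missing from its [Service] section or set weaker than expected. The unit text embedded in it is constructed for illustration and is not iwd's shipped unit; the directive list and the expected values (e.g. ProtectSystem=strict) are this example's own assumptions, not MIR policy. On a real system the output of `systemctl cat iwd.service` can be saved to a file and passed to the same function.

```shell
#!/bin/sh
# Added example, not code from the MIR review, Ubuntu or the iwd project.
# Audits a systemd unit file for sandboxing directives that matter when the
# daemon keeps running as root. The directive list and expected values below
# are this example's own assumptions, not MIR policy.

# KEY=EXPECTED ; "any" means the directive only needs to be present.
HARDENING_CHECKS='ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
RestrictAddressFamilies=any
CapabilityBoundingSet=any
SystemCallFilter=any'

# unit_directive FILE KEY
# Prints the value of KEY from the [Service] section of FILE (last assignment
# wins, as in systemd); prints an empty line if KEY is not set there.
unit_directive() {
    awk -F= -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && $1 == key { sub(/^[^=]*=/, ""); val = $0 }
        END { print val }
    ' "$1"
}

# audit_unit FILE
# Prints one line per check and returns the number of failed checks
# (0 means every directive is present with an acceptable value).
audit_unit() {
    unit="$1"
    failed=0
    while IFS='=' read -r key want; do
        have=$(unit_directive "$unit" "$key")
        if [ -z "$have" ]; then
            printf 'MISSING  %s\n' "$key"
            failed=$((failed + 1))
        elif [ "$want" != any ] && [ "$have" != "$want" ]; then
            printf 'WEAK     %s=%s (expected %s)\n' "$key" "$have" "$want"
            failed=$((failed + 1))
        else
            printf 'ok       %s=%s\n' "$key" "$have"
        fi
    done <<EOF
$HARDENING_CHECKS
EOF
    return "$failed"
}

# Constructed sample unit for illustration; NOT iwd's shipped unit file.
# For a real audit: systemctl cat iwd.service > unit.txt; audit_unit unit.txt
SAMPLE_UNIT=$(mktemp)
trap 'rm -f "$SAMPLE_UNIT"' EXIT
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=Constructed sample wireless daemon unit

[Service]
Type=dbus
ExecStart=/usr/sbin/example-daemon
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_PACKET
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
EOF

# For the constructed unit this reports ProtectSystem as WEAK and
# SystemCallFilter as MISSING, so the function returns 2.
audit_unit "$SAMPLE_UNIT" || printf '%s hardening check(s) failed\n' "$?"
```

The return value makes the check usable as a gate in a packaging CI job, while the per-directive lines tell the reviewer what to discuss with upstream; the value comparison deliberately only flags directives whose expected value is fixed, since lists such as CapabilityBoundingSet or SystemCallFilter need a human to judge whether they are tight enough.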