Re-review of package: localsearch

[Summary]
The existing tracker-miners package in main has been renamed to localsearch by the upstream project. The localsearch package is deeply integrated into GNOME's nautilus. It automatically crawls and indexes a user's documents, images, videos and other file types, to extract and store useful metadata which is consumed by nautilus. The upstream localsearch project is being actively developed and maintained.
MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs.

This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: tracker-extract
Specific binary packages built, but NOT to be promoted to main: None

Notes:
- Binary package tracker-extract "provides" localsearch
- This package has undergone MIR review twice in the past (LP: #1770877 and #1313996). So, this is effectively a re-review.
- Needs security review related to some issues documented in the [Security] section.

Required TODOs:
- None, this is a MIR re-review, so we won't add blocking TODOs.

Recommended TODOs:
- The package should get a team bug subscriber before being promoted.
- The package FTBFS in a local plucky-amd64 chroot as noted in [Common blockers] due to a failing build-time test. This should be investigated.
- Investigate/fix build warnings reported on a passing build as noted in [Upstream red flags].
- As also noted by the reporter, the debian/copyright file needs a lintian cleanup.

[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
- A team is committed to own long term maintenance of this package.
- The rationale given in the report seems valid and useful for Ubuntu
  => This is a MIR re-review, so let's skip/ignore the rationale. It's already in main.

[Dependencies]
OK:
- No other dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
    => tinysparql already in main (LP: #2099086)
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- No -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.
Problems: None

[Embedded Sources and Static Linking]
OK:
- no embedded source present
  => subprojects/tinysparql-3.0.wrap is unused (LP: #2099086)
- no static linked
- no Built-Using
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems: None

[Security]
OK:
- does not run a daemon as root
  => but /usr/lib/systemd/user/localsearch-3.service on the session/user bus
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
  => but AF_LOCAL socket_fd for peer-to-peer communication
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
- this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...)
  => uses seccomp, landlock
Problems:
- CVE-2023-5557 reported - but Security deemed this as a hardening issue
- CVE history: has been used to leverage other vulnerabilities as per past review
- tracker-miner installs systemd and dbus services
- tracker-miner is autostart-enabled
- history of CVEs does not look concerning
  - direct https://ubuntu.com/security/CVE-2023-5557
  - indirect https://ubuntu.com/security/CVE-2023-43641
- does parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source
  => localsearch parses user documents, images, videos and files to gather useful file-metadata.
[Common blockers]
OK:
- does not FTBFS currently
  => builds in a PPA with -proposed enabled
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- some build-time tests do not pass with security hardening - landlock, seccomp
Problems:
- does not have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- FTBFS in local plucky chroot
  => a build-time test fails consistently
  => 9/92 localsearch:miner-fs+slow / miner-monitor FAIL 0.13s killed by signal 5 SIGTRAP

[Packaging red-flags]
OK:
- Ubuntu does not carry a delta
- The package has no .symbol file. It uses a shlibs.local file to maintain the inter-package dependencies. This was brought up during the previous MIR review and the justification provided is that tracker-extract is a private library. It seems to have been consciously excluded from dh_makeshlibs, to avoid the ldconfig trigger.
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is very recent (2 days old as of the date of this review), the previous release was packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems:
- lintian warnings/suggestions: The reporter has already addressed the different lintian warnings. There are valid, outstanding warnings related to the content in debian/copyright.
  For example:
  W: tracker-miners source: superfluous-file-pattern src/libtracker-miners-common/tracker-date-time.c [debian/copyright:124]

[Upstream red-flags]
OK:
- no Errors during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
  => LD_LIBRARY_PATH is used in utils/trackertestutils/__main__.py:123-124
- Use of
- no use of user nobody
- no use of setuid / setgid
- no dependency on webkit, qtwebkit or libseed
- part of the UI, desktop file is ok
- translation present
Problems:
- Incautious use of malloc src/tracker-extract/tracker-extract-png.c:155
- Found ~60 open crash bug-reports in Ubuntu
- warnings during build:
  Configuring org.freedesktop.LocalSearch3.service using configuration
  meson: WARNING: The variable(s) 'DOMAIN_ONTOLOGY_OPTIONS', 'MINER_FILES_INITIAL_SLEEP', 'TEST_CLI_SUBCOMMANDS_DIR' in the input file are not present in the given configuration data.
  ../../meson.build:532: WARNING: Seccomp sandboxing is disabled.
  ../../meson.build:536: WARNING: Landlock sandboxing is disabled.
  ../../meson.build:541: WARNING: Run at your own risk. Distribution is discouraged.
  WARNING: Project specifies a minimum meson_version '>=0.51' but uses features which were added in newer versions:
   * 0.56.0: {'meson.project_source_root'}

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-43641
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5557

** Changed in: tracker-miners (Ubuntu)
     Assignee: Pushkar Kulkarni (pushkarnk) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/2099160
Title: [MIR] localsearch
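The "Incautious use of malloc" item in the review refers to the pattern the MIR template checks for in file parsers: an allocation whose size is computed from attacker-controlled fields, without overflow checks, a policy cap, or a NULL check on the result. The block below is an added illustration written for this page; it is not code from tracker-extract or localsearch and does not reproduce what is at tracker-extract-png.c:155. It parses the 13-byte IHDR payload of a PNG (the sample inputs in main() are constructed), shows the incautious shape next to a hardened allocation path, and uses a hypothetical extractor-side cap MAX_EXTRACT_ALLOC; the function names are likewise invented for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy for a metadata extractor: it needs headers and
 * small chunks, never a gigabyte pixel buffer, so refuse anything larger. */
#define MAX_EXTRACT_ALLOC ((size_t)64 * 1024 * 1024)

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Samples per pixel for each PNG colour type; 0 means "not a valid type". */
static unsigned png_channels(uint8_t color_type)
{
    switch (color_type) {
    case 0: return 1;  /* greyscale */
    case 2: return 3;  /* RGB */
    case 3: return 1;  /* palette index */
    case 4: return 2;  /* grey + alpha */
    case 6: return 4;  /* RGBA */
    default: return 0;
    }
}

/* Multiply two size_t values, reporting failure instead of wrapping. */
static int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Incautious shape the review template flags: the 32-bit product can wrap
 * to a small value, malloc() may return NULL, and the buffer is then used
 * as if it were width*height*bpp bytes long. Shown for contrast only. */
uint8_t *alloc_pixels_incautious(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint8_t *buf = malloc(width * height * bpp); /* may wrap to a tiny size */
    memset(buf, 0, width * height * bpp);        /* NULL deref, or later overflow */
    return buf;
}

/* Hardened form: validate the header fields, compute the unfiltered pixel
 * buffer size with overflow checks, apply the policy cap, and only then
 * allocate. Returns NULL with errno set on every failure path. */
uint8_t *alloc_pixels_from_ihdr(const uint8_t *ihdr, size_t ihdr_len, size_t *out_len)
{
    if (ihdr_len != 13) { errno = EINVAL; return NULL; }

    uint32_t width  = read_be32(ihdr);
    uint32_t height = read_be32(ihdr + 4);
    uint8_t  depth  = ihdr[8];
    unsigned channels = png_channels(ihdr[9]);

    if (width == 0 || height == 0 || channels == 0 ||
        (depth != 1 && depth != 2 && depth != 4 && depth != 8 && depth != 16)) {
        errno = EINVAL; return NULL;
    }

    size_t bits_per_row, rowbytes, total;
    if (mul_checked((size_t)width, (size_t)channels * depth, &bits_per_row)) {
        errno = EOVERFLOW; return NULL;
    }
    rowbytes = bits_per_row / 8 + (bits_per_row % 8 != 0); /* round up to whole bytes */
    if (mul_checked(rowbytes, (size_t)height, &total)) {
        errno = EOVERFLOW; return NULL;
    }
    if (total > MAX_EXTRACT_ALLOC) { errno = EFBIG; return NULL; }

    uint8_t *buf = calloc(1, total);
    if (buf == NULL) return NULL;       /* errno is already ENOMEM */
    if (out_len) *out_len = total;
    return buf;
}

int main(void)
{
    /* Constructed IHDR payloads: 16x16 8-bit RGB, and a hostile 2^32-1 square RGBA. */
    const uint8_t ok[13]   = {0,0,0,16, 0,0,0,16, 8,2,0,0,0};
    const uint8_t huge[13] = {0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff, 8,6,0,0,0};
    size_t n = 0;
    uint8_t *buf = alloc_pixels_from_ihdr(ok, sizeof ok, &n);
    printf("16x16 RGB: %s, %zu bytes\n", buf ? "allocated" : "rejected", n);
    free(buf);
    errno = 0;
    buf = alloc_pixels_from_ihdr(huge, sizeof huge, &n);
    printf("hostile IHDR: %s (%s)\n", buf ? "allocated" : "rejected", strerror(errno));
    /* What the incautious path would have computed for a 65536x65536 1-bpp image. */
    uint32_t wrapped = 65536u * 65536u * 1u;
    printf("unchecked 32-bit product for 65536x65536x1: %u bytes\n", wrapped);
    return 0;
}
```

The two review questions this answers are whether the size computation can wrap before it reaches malloc(), and whether the result of malloc() is checked; the cap is the extra defence that keeps a crawler that runs unattended over every file in a home directory from being talked into a huge allocation by a single crafted header.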