Review for Source Package: rust-sequoia-sqv

[Summary]
This is a well-packaged Rust binary (sqv) that serves as a single-purpose OpenPGP signature verification tool, intended to replace gpgv as APT's signature verification backend. The package follows standard Rust vendoring practices, has a reasonable Ubuntu delta, and has no significant packaging or upstream concerns, but it does require a security review given its cryptographic nature. Because of the cryptography and signature verification functionality, I'll assign Ubuntu Security.

List of specific binary packages to be promoted to main: sqv
Specific binary packages built, but NOT to be promoted to main: sqv-dbgsym (auto-generated, goes to ddebs.ubuntu.com)

Notes:
Recommended TODOs:
- The package should get a team bug subscriber before being promoted
- Please subscribe Ubuntu Foundations before promotion

[Rationale, Duplication and Ownership]
- There is an existing package in main providing similar functionality: gpgv (GnuPG). However, sqv is intended as a replacement for gpgv as APT's signature verification backend, aligning with the broader ecosystem direction (Sequoia is becoming the standard OpenPGP implementation in RHEL and Debian). This is not unintentional duplication but a planned transition.
- A team is committed to own long term maintenance of this package - Ubuntu Foundations, not yet subscribed
- The rationale given in the report seems valid and useful for Ubuntu

[Dependencies]
OK:
- no other runtime Dependencies to MIR due to this
- no other build-time Dependencies with active code in the final binaries to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.
Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- vendoring is used, but the reasoning is sufficiently explained
- Rust package that has all dependencies vendored. It has no *Built-Using entries (after build), nor does the build log indicate built-in sources that are missing from Built-Using.
- rust package using dh_cargo (dh ... --buildsystem cargo)
- Includes vendored code; the package has documented how to refresh this code in d/README.source (in the proposed merge)
Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does parse data formats (OpenPGP signatures, certificates, keyrings) from potentially untrusted sources, but is written in a memory-safe language (Rust) and uses the well-maintained sequoia-openpgp library
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does deal with security attestation (signature verification)
- does deal with cryptography (OpenPGP signature verification, certificate validation, cryptographic policy enforcement)
- written in a memory-safe language (Rust), runs unprivileged as a stateless single-invocation CLI tool.
Problems: None, but this does need a security review given it deals with cryptography and signature verification. Assigning ubuntu-security.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build
- This does not need special HW for build or test
- does not have a non-trivial test suite that runs as autopkgtest. The MIR requester notes that with vendored dependencies autopkgtests are of limited value, and that APT's own test suite extensively exercises the sqv code path. This is a reasonable justification given sqv is only used as a backend for APT signature verification.
- no new python2 dependency
Problems: None

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance is under control
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- debian/rules is rather clean for a rust package
- It is not on the lto-disabled list
Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user 'nobody' outside of tests
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case
Problems: None

--
https://bugs.launchpad.net/bugs/2089690
Title: [MIR] rust-sequoia-sqv
