[needs-packaging] ubuntuone-credentials

Bug #1199017 reported by dobey
Affects                 Status        Importance  Assigned to  Milestone
ubuntuone-credentials   Fix Released  Undecided   Unassigned
Ubuntu                  Fix Released  Wishlist    Unassigned

Bug Description

In order that we can provide features integrated with Ubuntu One on the phone/tablet versions of Ubuntu, and improve related features on the standard version of Ubuntu, bringing them closer together, we need to introduce a C++/Qt based library and a few applications into the distribution, from the ubuntuone-credentials upstream project.

The code currently contains a library for logging in or registering a new account to Ubuntu One, and signing a URL with the authentication token. It also includes a small app which is to be run by the music lens/scope in the dash, when attempting to purchase music in the dash, and the user is not already logged in to Ubuntu One. This is necessary to provide a smoother experience for in-dash purchasing of music.

The library is also necessary to provide future features in the dash, such as ratings and reviews, or recommended applications, as well as for apps to integrate with Ubuntu One on the phone.

URL: https://launchpad.net/ubuntuone-credentials
License: GNU GPL v3, GNU LGPL v3

Brian Murray (brian-murray) wrote :

*** This is an automated message ***

This bug is tagged needs-packaging which identifies it as a request for a new package in Ubuntu. As a part of the managing needs-packaging bug reports specification, https://wiki.ubuntu.com/QATeam/Specs/NeedsPackagingBugs, all needs-packaging bug reports have Wishlist importance. Subsequently, I'm setting this bug's status to Wishlist.

Changed in ubuntu:
importance: Undecided → Wishlist
Jackson Doak (noskcaj)
description: updated
Dave Morley (davmor2)
tags: added: u1-notrack
Daniel Holbach (dholbach) wrote :

A few things I was able to fix on the fly, but the following bits might be worth looking into. The rest looks good to me.

W: libubuntuoneauthui-2.0-0: shared-lib-without-dependency-information usr/lib/x86_64-linux-gnu/libubuntuoneauthui-2.0.so.0.1.0
N:
N: The listed shared library doesn't include information about which other
N: libraries the library was linked against. (When running "ldd foo.so" ldd
N: should report about these other libraries. In your case, ldd just
N: reports "statically linked".)
N:
N: To fix this, you should explicitly specify the libraries which are used
N: (e.g., "-lc") when building the shared library with "ld".

I: libubuntuoneauthui-2.0-0: no-symbols-control-file usr/lib/x86_64-linux-gnu/libubuntuoneauthui-2.0.so.0.1.0
N:
N: Although the package includes a shared library, the package does not
N: have a symbols control file.
N:
N: dpkg can use symbols files in order to generate more accurate library
N: dependencies for applications, based on the symbols from the library
N: that are actually used by the application.
N:
N: Refer to the dpkg-gensymbols(1) manual page and
N: http://wiki.debian.org/UsingSymbolsFiles for details.

dobey (dobey) wrote :

I've replaced the dsc and debian.tar.gz with updated versions, including the recommended changes. I have not seen the "shared-lib-without-dependency-information" warning in any of my test builds. I've added the symbols files, and updated the changelog and removed the extraneous Section: libs declarations from the control file, though.

dobey (dobey) wrote :

I've replaced the dsc and debian.tar.gz with updated versions again. This time, I've pulled the libubuntuoneauthui packages, as the library currently has no symbols, so it results in the lintian error on saucy, due to -Wl,--as-needed being the default. I've also included a backported patch from upstream trunk to limit the symbols being exported, and added the symbols file.
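The linker behaviour behind the lintian warning quoted above (no DT_NEEDED entries once -Wl,--as-needed drops a libc the library never references) and the exported-symbols fix mentioned in this comment, as an added shell example that is not part of the bug report or of the ubuntuone-credentials source. It assumes cc, nm and readelf on a Linux host; the library source, the uoa_* names and the version script are constructed stand-ins.

```shell
# Added example, not project code: reproduce "shared-lib-without-dependency-information"
# and show two ways the NEEDED/exports picture changes. Assumes cc, nm, readelf.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LIB="$WORK/libauth.so"

# Constructed stand-in for the auth library: one public entry point, one helper
# that should stay private, and (only with -DUSE_LIBC) a genuine libc call.
cat >"$WORK/auth.c" <<'EOF'
#include <unistd.h>
int helper_internal(int x) { return x * 2; }
int uoa_sign(int x) { return helper_internal(x) + 1; }
#ifdef USE_LIBC
int uoa_pid(void) { return (int)getpid(); }
#endif
EOF

# Version script limiting exports (the effect the backported upstream patch aims
# for): only uoa_* symbols stay global, everything else becomes local.
cat >"$WORK/auth.map" <<'EOF'
{ global: uoa_*; local: *; };
EOF

have_toolchain() {
    command -v cc >/dev/null && command -v nm >/dev/null && command -v readelf >/dev/null
}

# build EXTRA_FLAGS: link the library with extra compiler/linker flags (word-split).
build() { cc -shared -fPIC -o "$LIB" "$WORK/auth.c" ${1:-}; }

# count_needed EXTRA_FLAGS: number of DT_NEEDED entries after linking.
# 0 is exactly the lintian finding: ldd then reports "statically linked".
count_needed() { build "${1:-}"; readelf -d "$LIB" | grep -c '(NEEDED)' || true; }

# is_exported SYMBOL: true if SYMBOL is a defined global function in .dynsym.
is_exported() { nm -D --defined-only "$LIB" | grep -Eq " T $1(@.*)?\$"; }

# Stand-alone walk-through.
if have_toolchain; then
    echo "NEEDED, --as-needed, no libc use:   $(count_needed -Wl,--as-needed)"
    echo "NEEDED, --as-needed, getpid() used: $(count_needed '-Wl,--as-needed -DUSE_LIBC')"
    echo "NEEDED, --no-as-needed:             $(count_needed -Wl,--no-as-needed)"
    build ''
    echo "helper exported, no version script:   $(is_exported helper_internal && echo yes || echo no)"
    build "-Wl,--version-script=$WORK/auth.map"
    echo "helper exported, with version script: $(is_exported helper_internal && echo yes || echo no)"
fi
```

A dpkg symbols file only lists what .dynsym exposes, so the version script also keeps the generated symbols control file down to the intended ABI.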

Revision history for this message
Daniel Holbach (dholbach) wrote :

Uploaded. Should be sitting in the NEW queue (https://launchpad.net/ubuntu/saucy/+queue) in a bit.

Changed in ubuntu:
status: New → Fix Committed
Seth Arnold (seth-arnold) wrote :

I reviewed ubuntuone-credentials 13.08-0ubuntu1 from the NEW queue for
saucy. This should not be considered a full security audit, but rather a
quick gauge of maintainability.

- ubuntuone-credentials provides an interface for native and QML
  applications to use and manage Ubuntu One credentials
- Build-deps include liboauth, libaccounts-qt5, libsignon-qt5, qtbase5,
  qtdeclarative5, qtdeclarative5-ubuntu-ui-toolkit-plugin, signon-plugins,
  and xvfb (presumably for testing)
- Relies upon Qt to provide networking and SSL/TLS of connections
- Relies upon liboauth for authentication tokens, signing, etc.
- Does not daemonize
- Does not listen on the network
- No initscripts
- No D-Bus services
- No setuid
- No binaries in *bin/
- No sudo fragments
- No cronjobs
- Clean build logs
- Good test suite, runs during build
  - Unclear if error messages are expected
- No subprocesses spawned
- Memory management is slightly leaky but nothing that should pose a
  reliability or safety issue, all are intended to be long-lived objects
  with currently no mechanism to "un-use" the objects.
- Files opened are for logging, using high-level Qt abstractions
- Paths to files are determined by Qt helper routines and environment
  variables
- Logging operations look safe
- Environment handling looks safe
- No privileged portions of code
- Certificate validation handled by Qt, no listeners are installed to
  ignore SSL/TLS errors.
  - But also looks like "pinning" certificates in the future would be
    difficult
- Network traffic is parsed with Qt json parsing code, only explicit
  fields are retrieved
  - But I'm unsure how invalid json documents affect code execution
- Does not directly use WebKit, though Qml does
- Even though hardening-check reports problems, I believe they are false
  positives -- -D_FORTIFY_SOURCE=2 appears everywhere, and the stack check
  problem may be because there are no protectable on-stack arrays in the
  libubuntuoneplugin library.

Two notes that I hope are useful:

AuthLogger::stopLogging() race condition may delete an in-use logger in
another thread. If multi-threaded use is possible, this module likely
needs some additional work.

music-login/main.cpp main() forgets to close stylesheet file.

I have two questions:

1. Why does Keyring::deleteToken() only delete one account?

2. How will the code respond to json documents that don't have all
specified fields? Will applications that make use of this package expect
the data to have any particular formatting or contents that should be
enforced?

Security team ACK for including in ubuntu-touch images. Please consult
with the security team again in the future when this package is intended
to move to main.

dobey (dobey)
Changed in ubuntuone-credentials:
status: New → Fix Released
Changed in ubuntu:
status: Fix Committed → Fix Released