[MIR] spl-linux
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| spl-linux (Ubuntu) |
Won't Fix
|
High
|
Unassigned | ||
Bug Description
SPL MIR
[ See also ZFS MIR, bug #1532198 ]
Following the process documented at https:/
Below are my answers to the various main inclusion requirements, marked by a * prefix:
[Availability]:
"The package must already be in the Ubuntu universe, and must
build for the architectures it is designed to work on."
* http://
* Yes - built for 64 bit arches only, because ZFS (and hence SPL) is
designed to run well only on 64 bit architectures.
[Rationale]:
"There must be a certain level of demand for the package, for example:
The package is useful for a large part of our user base."
* Yes - there is a lot of interest in ZFS in the server space and for
users wanting to use a file system that supports huge collections of
disks with excellent reliable features such as checksummed raid, mirroring
striping with easy configuration and also simple data sanity checking and
fixing.
* Being requested by Kiko
"The package is a new build dependency or dependency of a package that we
already support (additionally, the official image builder requires all
used packages be in main)."
* Yes, already in Wily as a technology demo.
"The package helps meet a specific Blueprint goal."
* No blueprint goal.
"The package replaces another package we currently support and promises
higher quality and/or better features, so that we can drop the old
package from the supported set."
* Not applicable
[Security]:
"The security history and the current state of security issues in
the package must allow us to support the package for at least 18 months
without exposing its users to an inappropriate level of security risks.
This requires checking of several things that are explained in detail in
the subsection Security checks."
"Check how many vulnerabilities the package had in the past and how they
were handled by upstream and the Debian/Ubuntu package:"
"http://
Database using the package as a keyword"
NO SPL (ZFS) CVEs found.
"http://
* No security advisories found
Ubuntu CVE Tracker:
http://
* No
http://
* No
http://
* No
"Check for security relevant binaries. If any are present, this
requires a more in-depth security review."
"Executables which have the suid or sgid bit set."
* Not applicable
"Executables in /sbin, /usr/sbin."
* Applicable. This requires security review
/
"Packages which install daemons (/etc/init.d/*)"
* Applicable. This requires security review
"Packages which open privileged ports (ports < 1024)."
* Not applicable
"Add-ons and plugins to security-sensitive software (filters,
scanners, UI skins, etc)"
* Not applicable
[Quality assurance]
"After installing the package it must be possible to make it working with a reasonable effort of configuration and documentation reading."
* Will work "out-of-the-box" once zfsutils-linux installed with 4.4 kernel
* Quick start ZFS reference guide written:
https:/
* Package does contains man pages for splat
"The package must not ask debconf questions higher than medium if it is
going to be installed by default. The debconf questions must have
reasonable defaults."
* Does not apply.
"There are no long-term outstanding bugs which affect the usability of the program to a major degree. To support a package, we must be reasonably convinced that upstream supports and cares for the package."
* We have good upstream support from ZFS maintainers, response to bugs
file upstream is within 24-48 hours
"The status of important bugs in Debian's, Ubuntu's, and upstream's bug
tracking systems must be evaluated. Links to these bug trackers need to
be provided in the MIR report. Important bugs must be pointed out and
discussed in the MIR report."
Upsteam bug tracking:
ZFS - https:/
SPL - https:/
Ubuntu bug tracking:
https:/
"The package is maintained well in Debian/Ubuntu (check out the Debian PTS)"
Maintained by Kernel team in sync with kernel
Testing: We have several sets of ZFS specific regression tests in the
kernel team autotest test infrastructure:
* The ZFS test suite:
http://
* fstest (Linux POSIX file system test suite)
http://
* ZFS I/O stress tests:
http://
* XFS generic tests on ZFS:
http://
* ZFS Kernel smoke tests
http://
[Dependencies]:
All build and binary dependencies (including Recommends:) must be
satisfyable in main (i. e. the preferred alternative must be in main).
If not, these dependencies need a separate MIR report (this can be a
separate bug or another task on the main MIR bug)
spl:
* autotools-dev - Yes
* autoconf - Yes
* autogen - Yes
* automake - Yes
* debhelper - Yes
* dh-autoreconf - Yes
* dkms - Yes
* libtool - Yes
* libc-dev - Yes
[Standards compliance]
"Standards compliance: The package should meet the FHS and Debian Policy
standards. Major violations should be documented and justified. Also, the
source packaging should be reasonably easy to understand and maintain."
Yes, I believe so.
[Maintenance]
"The package must have an acceptable level of maintenance
corresponding to its complexity:
Simple packages (e.g. language bindings, simple Perl modules, small
command-line programs, etc.) might not need very much maintenance effort,
and if they are maintained well in Debian we can just keep them synced
More complex packages will usually need a developer or team of
developers paying attention to their bugs, whether that be in Ubuntu or
elsewhere (often Debian). Packages that deliver major new headline
features in Ubuntu need to have commitment from Ubuntu developers
willing to spend substantial time on them."
* Falls into the complex package category. Colin King will primarily
maintain this package, with ownership owned and covered by the
Canonical Kernel Team.
"All packages must have a designated "owning" team, regardless of
complexity, which is set as a package bug contact."
* Yes, Canononical Kernel Team
https:/
[Background information]
"The package descriptions should explain the general purpose and context
of the package. Additional explanations/
in the MIR report."
* Yes, package description covers the scope of the package
"If the package was renamed recently, or has a different upstream name,
this needs to be explained in the MIR report."
| Changed in spl-linux (Ubuntu): | |
| assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
| Seth Arnold (seth-arnold) wrote | #1 |
| Changed in spl-linux (Ubuntu): | |
| assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
| Michael Terry (mterry) wrote | #2 |
| Changed in spl-linux (Ubuntu): | |
| status: | New → Incomplete |
| Changed in spl-linux (Ubuntu): | |
| importance: | Undecided → High |
| Richard Laager (rlaager) wrote | #3 |
| Michael Terry (mterry) wrote | #4 |
| Colin Ian King (colin-king) wrote | #5 |
| Colin Ian King (colin-king) wrote | #6 |
| Launchpad Janitor (janitor) wrote | #7 |
| Changed in spl-linux (Ubuntu): | |
| status: | Incomplete → Expired |
| Changed in spl-linux (Ubuntu): | |
| status: | Expired → In Progress |
| Michael Terry (mterry) wrote | #8 |
| Steve Langasek (vorlon) wrote | #9 |
| Changed in spl-linux (Ubuntu): | |
| status: | In Progress → Won't Fix |
I reviewed spl-linux version 0.6.5.4-0ubuntu2 as checked into xenial; this shouldn't be considered a full security audit, in fact it was fairly quick as I've read much of this code over the years out of curiosity and interest.
The SPL layer has an awkward job to do but does it well, and provides in-kernel testing framework, which is all too rare.
Security team ACK for promoting spl-linux to main.
Thanks