[MIR] libfastjson

MIR looks good in general, but it *is* a JSON parser, and could potentially deal with untrusted data. Looking at the code quickly, it's pretty complicated, so it doesn't sound unlikely that there'd be some potential issues there.

I agree that in this case it's for syslog, but it's still important that we consider any future uses when the package is in main.

Let's get the Security Team's opinion on this.

The tarball appears to have different contents than the git tree:

- The README.md file is missing entirely

What's left over isn't ideal:

- The README.html file still claims to be json-c
- The README is entirely blank

I'm not excited that the files in our package are still claiming to be
json-c, a completely different source package, nor do they accurately
reflect the contents of the git tree.

The README.md claims:

> IMPORTANT The current API is not stable and will change until version
> 1.0.0 is reached. We plan to reach it by summer 2016 at latest. With
> 1.0.0, the API will be stable. Until then, everything may change. Of
> course, we will not deliberatly break things but we need freedom to
> restructure.

I'm worried that we're about to start a five year support release and
include a new-to-us library that is apparently not stabilized. I don't
know if we should be comforted by the fact that it's had no development
work for five months or worried that it's had no development for five
months.

It feels like no one's closely inspected this package yet.

I realize it's really late in the cycle to ask the question, but should
rsyslog and dependencies be moved to universe? We recently enabled the
systemd persistent journal, and we at one point intended to use the
systemd-journal-remote package: 1488341.

I'll give the rest of the code in this package a fair shot, but I wanted
to raise the possibility of a different path entirely just for
completeness.

Thanks

another possibility would be the inclusion of the fastjson sources in the rsyslog source package, not exposing the library to other packages. But that would be a permanent Ubuntu delta.

I reviewed libfastjson version 0.99.8-2 as checked into bionic. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.

- libfastjson is similar to json-c but stripped down to meet the needs of
  rsyslog.
- Our database doesn't have any CVEs for libfastjson; there are two CVEs
  for json-c.

- Build-Depends: debhelper, pkg-config
- Does not daemonize
- No pre/post inst/rm scripts
- No init scripts
- No systemd unit files
- No dbus services
- No setuid files
- No binaries in bin
- No sudo fragments
- No udev rules
- There's a decent-size test suite run during the build
- No cron jobs
- Clean build logs

- No subprocesses spawned
- Memory management looked careful
- Files opened by command of clients
- Logging looked careful
- No environment variables
- No privileged operations
- No cryptography
- No networking
- No privileged portions of code
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKIt
- Clean cppcheck

This looks like a well-written library, good comments throughout, good
error-checking. I really like doko's suggestion that this be bundled into
the rsyslog package but that feels like an unreasonable delta for Ubuntu
to carry from Debian.

Thanks

I forgot the conclusion:

Security team ACK for promoting libfastjson to main.

Thanks

RE: rsyslog / journald-remote-logging

At the moment I still feel that we should be forwarding to rsyslog, and support native rsyslog / remote rsyslog.

My actual thought is to move to rsyslog-ng in the future, and use a journald plugin of thereof, which can reliable pull-in journald logs, instead of journald continiously pushing them into rsyslog.

Alas that has not been done, and rsyslog-ng is even bigger beast.

Also note that systemd-journal-remote, and rsyslog-ng are both in universe.

MIR approved.

Override component to main
libfastjson 0.99.8-2 in bionic: universe/misc -> main
libfastjson-dev 0.99.8-2 in bionic amd64: universe/libdevel/optional/100% -> main
libfastjson-dev 0.99.8-2 in bionic arm64: universe/libdevel/optional/100% -> main
libfastjson-dev 0.99.8-2 in bionic armhf: universe/libdevel/optional/100% -> main
libfastjson-dev 0.99.8-2 in bionic i386: universe/libdevel/optional/100% -> main
libfastjson-dev 0.99.8-2 in bionic ppc64el: universe/libdevel/optional/100% -> main
libfastjson-dev 0.99.8-2 in bionic s390x: universe/libdevel/optional/100% -> main
libfastjson4 0.99.8-2 in bionic amd64: universe/libs/optional/100% -> main
libfastjson4 0.99.8-2 in bionic arm64: universe/libs/optional/100% -> main
libfastjson4 0.99.8-2 in bionic armhf: universe/libs/optional/100% -> main
libfastjson4 0.99.8-2 in bionic i386: universe/libs/optional/100% -> main
libfastjson4 0.99.8-2 in bionic ppc64el: universe/libs/optional/100% -> main
libfastjson4 0.99.8-2 in bionic s390x: universe/libs/optional/100% -> main
Override [y|N]? y
13 publications overridden.