[MIR] libfreeaptx

Review for Package: libfreeaptx

[Summary]
libfreeaptx is a small library and is Open Source implementation of Audio Processing Technology codec (aptX)
derived from ffmpeg 4.0 project and licensed under LGPLv2.1+. This codec is mainly used in Bluetooth A2DP profile.
It provides dynamic linked shared library libfreeaptx.so and simple command line utilities for encoding and decoding operations.
libfreeaptx is based on version 0.2.0 of libopenaptx with the intent of continuing under a free license without the additional
license restriction added to libopenaptx 0.2.1.
Binary packages from source package :
libfreeaptx-dev: provides development files
freeaptx-utils: provides utilities for encoding and decoding (freeaptxenc, freeaptxdec)
libfreeaptx0: provides the shared library

MIR team ACK.

This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: libfreeaptx0, freeaptx-utils, libfreeaptx-dev

Notes:
Recommended TODOs:
- The package should get a team bug subscriber before being promoted
- Although it is explained why there are no tests in the package and the team
  commits to manually test it, it would still be nice to have some tests either
  at build time or autopackage if possible (this is only recommended).

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
   - checked with check-mir
   - not listed in seeded-in-ubuntu
   - none of the (potentially auto-generated) dependencies (Depends
     and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used, all Built-Using are in main

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does parse data formats

[Common blockers]
OK:
- does not FTBFS currently
- the package does not provide any tests at all. The subscribed team commits to manually
  test the package as described in bug description (section [Quality assurance - testing])
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is sporadic
- Debian/Ubuntu update history is sporadic
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massiv...

Ionna, thanks for the review, tests have been added now

https://launchpad.net/ubuntu/+source/libfreeaptx/0.1.1-1ubuntu1

and the desktop-packages team is subscribed

setting to high since it's needed for bluetooth to work out of the box with pipewire in kinetic

I reviewed libfreeaptx 0.1.1-1ubuntu1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

libfreeaptx is an implementation of the audio processing technology (aptX) codec. It is a fork of the libopenatpx library (which is in universe) - the fork was done since the most recent version of libopenaptx (0.2.1) now has an incompatible license and so this is a fork of the 0.2.0 version with a real license.

- No CVE History
- No Build-Depends
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- 2 binaries in PATH from freeaptx-utils binary package
  - -rwxr-xr-x root/root 14648 2022-05-20 22:53 ./usr/bin/freeaptxdec
  - -rwxr-xr-x root/root 14648 2022-05-20 22:53 ./usr/bin/freeaptxenc
  - utils to read / write raw 24-bit signed stereo samples from / to aptX via stdin/stdout
- No sudo fragments
- No polkit files
- No udev rules
- No unit tests
- 3 simple autopkgtests
  - build test compiles a very simple C program using libfreeaptx to check headers / pkg-config files are installed correctly
  - 2 other tests use freeaptxenc to encode a raw sample to aptX and then decode it again in both regular and HD
- No cron jobs
- Build logs are quite clean

- No processes spawned
- No dynamic memory management other than allocating a structure on the heap to store context for the session
  - Otherwise uses buffers provided by the caller and appears to be quite good at checking buffer lengths etc to not overflow them
- No file IO
- Logging is only done in CLI based enc/dec tools and is careful not to have potential format string vulnerabilities
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
- No significant Coverity results
- No significant shellcheck results

libfreeaptx looks like pretty decent code - it is small and doesn't do anything fancy with memory management and appears quite defensive in how it checks buffer lengths etc. The biggest issue I have with this package is the lack of unit tests for the code - so it will make it hard to verify that any future changes don't inadvertently break it. Lack of these is annoying but the upstream repo doesn't contain them either nor does libopenaptx either so this is not a blocker.

Security team ACK for promoting libfreeaptx to main.

Ready for the seed/dependency change to land

The pipewire update has been uploaded now

Override component to main
libfreeaptx 0.1.1-2 in kinetic: universe/misc -> main
freeaptx-utils 0.1.1-2 in kinetic amd64: universe/utils/optional/100% -> main
freeaptx-utils 0.1.1-2 in kinetic arm64: universe/utils/optional/100% -> main
freeaptx-utils 0.1.1-2 in kinetic armhf: universe/utils/optional/100% -> main
freeaptx-utils 0.1.1-2 in kinetic i386: universe/utils/optional/100% -> main
freeaptx-utils 0.1.1-2 in kinetic ppc64el: universe/utils/optional/100% -> main
freeaptx-utils 0.1.1-2 in kinetic riscv64: universe/utils/optional/100% -> main
freeaptx-utils 0.1.1-2 in kinetic s390x: universe/utils/optional/100% -> main
libfreeaptx-dev 0.1.1-2 in kinetic amd64: universe/libdevel/optional/100% -> main
libfreeaptx-dev 0.1.1-2 in kinetic arm64: universe/libdevel/optional/100% -> main
libfreeaptx-dev 0.1.1-2 in kinetic armhf: universe/libdevel/optional/100% -> main
libfreeaptx-dev 0.1.1-2 in kinetic i386: universe/libdevel/optional/100% -> main
libfreeaptx-dev 0.1.1-2 in kinetic ppc64el: universe/libdevel/optional/100% -> main
libfreeaptx-dev 0.1.1-2 in kinetic riscv64: universe/libdevel/optional/100% -> main
libfreeaptx-dev 0.1.1-2 in kinetic s390x: universe/libdevel/optional/100% -> main
libfreeaptx0 0.1.1-2 in kinetic amd64: universe/libs/optional/100% -> main
libfreeaptx0 0.1.1-2 in kinetic arm64: universe/libs/optional/100% -> main
libfreeaptx0 0.1.1-2 in kinetic armhf: universe/libs/optional/100% -> main
libfreeaptx0 0.1.1-2 in kinetic i386: universe/libs/optional/100% -> main
libfreeaptx0 0.1.1-2 in kinetic ppc64el: universe/libs/optional/100% -> main
libfreeaptx0 0.1.1-2 in kinetic riscv64: universe/libs/optional/100% -> main
libfreeaptx0 0.1.1-2 in kinetic s390x: universe/libs/optional/100% -> main
22 publications overridden.