[MIR] dracut
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
dracut (Ubuntu) | Fix Committed | Undecided | Unassigned | | |
Bug Description
[Availability]
The package dracut is already in Ubuntu universe.
The package dracut builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https:/
[Rationale]
The package dracut is required in Ubuntu main for dracut-install being used by initramfs-tools (bug #2031185).
The C binary dracut-install covers the same use case as the shell code in initramfs-tools to install kernel modules and files, but is much faster and allows finer filtering of the kernel modules.
To my knowledge there are only initramfs-tools (main) and dracut (universe) in the archive that cover the use case. initramfs-tools is Debian-specific and dracut tries to be a distro-agnostic solution.
dracut-core is already used by Ubuntu Core: https:/
The package dracut is required in Ubuntu main before the feature freeze next Thursday to land the change in bug #2031185.
[Security]
- Had 5 security issues in the past
- https:/
- https:/
- https:/
- https:/
- https:/
- https:/
- no `suid` or `sgid` binaries
- Package does install services, timers or recurring jobs (used by initrd.target.wants or sysinit.
- /lib/systemd/
- /lib/systemd/
- /lib/systemd/
- /lib/systemd/
- /lib/systemd/
- /lib/systemd/
- /lib/systemd/
- /lib/systemd/
- /lib/systemd/
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/
not have too many, long-term & critical, open bugs
- Ubuntu https:/
- Debian https:/
- Upstream's bug tracker: https:/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package does not run a test at build time because the upstream test suite starts several virtual machines (needing time and memory). The test suite needs a kernel, but the Linux kernel is only readable by root (see bug #759725)
- The package runs an autopkgtest, and is currently passing on
amd64: https:/
- I am working on fixing the new autopkgtests on the other architectures (see bug #2031417).
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy, link to debian/rules: https:/
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main except for pigz that we should drop/demote
[Standards compliance]
- This package violates FHS or Debian Policy:
- Installs into /usr/lib instead of /usr/libexec but that is what upstream and other distributions (e.g. Fedora) do
[Maintenance/Owner]
- Owning Team will be Foundations team
- Foundations Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based (but that might change in the future)
- The package has been built in the archive more recently than the last
test rebuild
[Background information]
The Package description explains the package well
Upstream Name is dracut
Link to upstream project: https:/
Changed in dracut (Ubuntu): | |
assignee: | nobody → Christian Ehrhardt (paelzer) |
description: | updated |
description: | updated |
Changed in dracut (Ubuntu): | |
assignee: | Benjamin Drung (bdrung) → nobody |
status: | Incomplete → New |
Review for Source Package: dracut
[Summary]
MIR team ACK under the complex constraints listed below.
This does need a security review, or not, well ....
It really depends on the scope - the current requested scope is just
'dracut-install' which would be fine if fully separated.
Otherwise (read if later anyone wants to use more of dracut) it would need
security review as outlined in the security section below.
List of specific binary packages to be promoted to main: (?dracut-install?)
Specific binary packages built, but NOT to be promoted to main: all others
Required TODOs:
#1 - I mentioned above this would need security review and much more if
staying as-is.
I'm really just looking for a good compromise for you, tell me if you
strongly dislike this :-)
And I'm afraid that even just functionally no one had time yet to deeply
test all the potential interactions with the many Ubuntu packages this
could interact with and depend on.
I wanted to ask you what you would think of breaking out
/usr/lib/dracut/dracut-install into a 'dracut-install' binary package.
Make it a depends from dracut-core to not break the former use-case in
universe.
universe.
With that in place I think we could agree on promoting just dracut-install
to main without the full security-review needed now.
To use more of dracut you can then take your time in further cycles.
Update:
- bdrung and I talked, we will separate dracut-install to pass for now.
- but we will enqueue it into security-review as well as having a look
at all the "later TODOs" plus evaluating dracut for Ubuntu in general.
- Overall that decouples the current urgent needs from the
good-but-ok-to-happen-later elements
Recommended TODOs:
#2 - The package should get a team bug subscriber before being promoted
Later TODOs:
This MIR is a special case as I'm reviewing with urgency and a very reduced
use-case in mind. But passing along I've found a few things which should be
looked at once we'd want to use more of dracut.
Most of this is "recommended" todo, but should be looked at.
#3 - for now it makes the process and build easier to not use dracut-cpio
but since this is done for speed (which here we really talk about two
boot-time and initramfs update time) it might be worth to experiment and
look at the difference that this might give us.
https://github.com/dracutdevs/dracut/commit/51d21c6b37
https://github.com/dracutdevs/dracut/commit/afe4a6dbb7
This would be part of "we look at the whole thing" efforts as
we can't be sure yet if it really helps our case.
#4 - Since this generally and especially once introduced for more use cases
than just dracut-install will surely hit some edge cases and break
I think this might be a case to have a look at translations.
#5 - resolve netplan interaction in bug 2019940
#6 - please demote pigz to a suggests (or even better consider to add it to main
as the rationale behind this is speed and this should make creation
a bit faster as well)
This is not needed for just dracut-install if split out.
[Duplication]
The only other package in main providing similar...