MIR reviewer’s template¶
This section is a guideline for the reviewer as they review an MIR bug. The intent is to answer the primary question:
Will this package be well maintained in main?
Usage follows How to use MIR templates.
By default, statements are in the OK section.
Issues to be addressed should go to the Problem: sections (and briefly the [Summary] at the top of the template).
1RULE: Since we sometimes have many such posts on one bug, in case multiple
2RULE: packages are associated, clearly state which one this is for.
3TODO: Review for Source Package: TBDSRC
4
5[Summary]
6TODO: WRITE - TBD The essence of the review result from the MIR POV
7TODO-A: MIR team ACK
8TODO-B: MIR team NACK
9TODO-C: MIR team ACK under the constraint to resolve the below listed
10TODO-C: required TODOs and as much as possible having a look at the
11TODO-C: recommended TODOs.
12TODO-A: This does need a security review, so I'll assign ubuntu-security
13TODO-B: This does not need a security review
14TODO: List of specific binary packages to be promoted to main: TBD
15TODO: Specific binary packages built, but NOT to be promoted to main: TBD
16
17Notes:
18TODO: - add todos, issues or special cases to discuss
19Required TODOs:
20TODO: - TBD (Please add them numbered for later reference)
21Recommended TODOs:
22RULE: - Does it have a team bug subscriber? (This is not a blocker for a MIR
23RULE: team ACK, but needs to be provided before the package can be promoted
24RULE: by an AA)
25TODO: - The package should get a team bug subscriber before being promoted
26TODO: - TBD (Please add them numbered for later reference)
27
28[Rationale, Duplication and Ownership]
29RULE: One easy way to avoid the burden of maintaining the package is to not
30RULE: use it in the first place! If a package is pulling in some random jpeg
31RULE: parsing library that needs a MIR, maybe it makes more sense to patch the
32RULE: package to just use libjpeg instead. Keep an eye out for duplicated
33RULE: functionality in main, since that makes bug fixing and security
34RULE: reviewing that much harder.
35RULE: Duplicates can be found by searching packages in "main", e.g. using:
36RULE: $ apt list "?not(?section(/))" | grep <SEARCH_TERM>
37RULE: and/or by checking for alternatives on https://www.libhunt.com/ or
38RULE: similar databases.
39RULE: Sometimes duplicates are not too obvious, but can often be found by
40RULE: searching through full descriptions, provides and all that. If the above
41RULE: check didn't already find a duplicate then this check can be done via the
42RULE: following steps:
43RULE: $ apt-cache search <SEARCH_TERM>
44RULE: In the returned list pick anything that looks suspicious by name or
45RULE: description and check if any of them is in main:
46RULE: $ rmadison -c main {all,packages,that,look,like,duplicates}
47RULE: If any of them are reported to be in main check in detail if they cover
48RULE: indeed the same use case as the package this MIR is about.
49TODO: There is no other package in main providing the same functionality.
50RULE: No matter how useful a rationale is and how unique a package might be
51RULE: it will need an owning team that is willing and able to spend the time
52RULE: to maintain it well for the benefit of all Ubuntu users and use cases.
53RULE: If someone submitted an MIR on behalf of another team and suggested them
54RULE: to own it, we expect someone representing that to be owning team to
55RULE: comment on the bug and acknowledge that they are ok to own that package
56RULE: (to avoid review and process effort being spent only to then
57RULE: immediately be cancelled by a lack of ownership).
58TODO: A team is committed to own long term maintenance of this package.
59RULE: In the template to submit cases we ask the reporter to state a rationale
60RULE: why this should be considered. But a MIR team member needs to
61RULE: try to judge if this rationale is good for Ubuntu and its users.
62RULE: We've also seen requests that thought they need to be in main, but that
63RULE: was based on wrong assumptions, ensure the requester understands what and
64RULE: why they request a main inclusion when judging if the rationale is valid.
65TODO: The rationale given in the report seems valid and useful for Ubuntu
66RULE: If any of the above checks in this section the MIR team can decide to
67RULE: skip the rest of the check until these basic questions are resolved.
68
69[Dependencies]
70RULE: Long ago also build dependencies needed to be in main, but since 14.04
71RULE: that no more is the case. Therefore if checking in the build logs do not
72RULE: rely on sections like "Install main build dependencies (apt-based
73RULE: resolver)". Similarly some of the tools shown below are capable of
74RULE: checking both, build and runtime dependencies. Only runtime dependencies
75RULE: matter.
76RULE: This got further complex with languages like rust that embed their code
77RULE: into static builds by default - there as you can read in the respective
78RULE: section build dependencies matter just like runtime dependencies.
79OK:
80TODO: - no other Dependencies to MIR due to this
81TODO: - SRCPKG checked with `check-mir`
82TODO: - all dependencies can be found in `seeded-in-ubuntu` (already in main)
83TODO: - none of the (potentially auto-generated) dependencies (Depends
84TODO: and Recommends) that are present after build are not in main
85TODO: - no -dev/-debug/-doc packages that need exclusion
86TODO: - No dependencies in main that are only superficially tested requiring
87TODO: more tests now.
88
89TODO-A: Problems:
90TODO-A: - TBD
91TODO-B: Problems: None
92
93[Embedded sources and static linking]
94RULE: - Embedding a library source increases the maintenance burden of a package
95RULE: since that source needs to be maintained separately from the source in
96RULE: the Ubuntu archive. If a source embeds another package, in general the
97RULE: embedded package should not be used and the packaging should be modified
98RULE: to use the Ubuntu archive version. When this is not possible, the
99RULE: security team must agree to using the embedded source.
100RULE: - Similarly, when a binary from one source package statically links to
101RULE: libraries from another source package from the archive, when those
102RULE: libraries are updated the statically linked binaries must be rebuilt
103RULE: with the updated libraries to receive the fix, which increases the
104RULE: maintenance burden. For this reason, static linking in archive builds
105RULE: is discouraged unless static linking is required for the package in
106RULE: question to function correctly (e.g. an integrity scanner).
107RULE: - If debian/control uses `Built-Using` or `Static-Built-Using:` it may
108RULE: indicate static linking
109RULE: which should be discouraged (except golang/rust, see below)
110RULE: - Rust - toolchain and dh tools are still changing a lot. Currently it
111RULE: is expected to only list the rust toolchain in `Built-Using`.
112RULE: the remaining (currently vendored) dependencies shall be tracked
113RULE: in a Cargo.lock file
114RULE: - Go - here `Built-Using` is expected to only contain the go
115RULE: toolchain used to build it. Additional packaged dependencies
116RULE: will be tracked in `Static-Built-Using:` automatically.
117RULE: The superset of packaged and vendored (if used) dependencies shall be
118RULE: tracked in a go.sum file (go.mod are direct dependencies, go.sum
119RULE: covers checksum content for direct and indirect dependencies. This
120RULE: should be present for reproducible builds already which involve
121RULE: having a go.sum.
122RULE: We have let go packages into main before this existed, so we have
123RULE: sub-optimal prior-art. But down the road - if vendoring is used - we
124RULE: want to switch to require that once the toolchain is ready to
125RULE: create it accordingly.
126
127OK:
128TODO: - no embedded source present
129TODO: - no static linking
130TODO: - does not have unexpected Built-Using entries
131
132RULE: Golang
133RULE: - golang 1.4 packages and earlier could only statically compile their
134RULE: binaries. golang 1.5 in Ubuntu 16.10 introduced `-buildmode=shared`
135RULE: to build shared libraries and `-linkshared` to dynamically link against
136RULE: shared libraries. In general, statically compiled binaries are not
137RULE: suitable for the Ubuntu archive because they increase the maintenance
138RULE: burden significantly. As such, from Ubuntu 16.10 and later, golang
139RULE: packages in main were expected to be built with shared
140RULE: libraries.
141RULE: - Evaluating cost/benefits while considering the ABI instability of golang
142RULE: libraries during this period, the MIR team decided for 17.10 and later
143RULE: to allow static builds of golang packages in main, so long as the number
144RULE: of these packages remains low and they follow the guidelines below:
145RULE: - golang applications in main are expected:
146RULE: 1. to build using `golang-*-dev` packages from the Ubuntu archive
147RULE: creating `Built-Using` in debian/control. This requirement ensures
148RULE: that the security team is able to track security issues for all
149RULE: affected static binary packages
150RULE: 2. not to build any vendored (i.e. embedded) code in the source
151RULE: package whose binaries appear in the archive (e.g. test code is
152RULE: ok) without clear justification from the requesting team and
153RULE: approval from the security team. This requirement ensures that
154RULE: the security team is able to track security issues for all
155RULE: affected source packages.
156RULE: 3. only build against approved vendored sources (when applicable).
157RULE: If new versions add new components or dependencies in subsequent
158RULE: Ubuntu uploads this will need re-evaluation by the security
159RULE: team. This requirement ensures that the security team is able
160RULE: to track security issues for all affected source packages.
161RULE: - The intended outcomes from the above requirements (if not vendored) are
162RULE: for packages in main to standardize on particular versions of
163RULE: `golang-*-dev` packages (when possible) with the requesting team
164RULE: adjusting their packaging as necessary, all teams responsible for
165RULE: golang packages coordinating on transitions and the requesting team
166RULE: occasionally creating new `golang-*-dev` packages as agreed to in the
167RULE: MIR bug (upstreaming to Debian whenever possible).
168RULE: - As a practical matter, golang/rust source packages in main are not
169RULE: required to remove unused embedded code copies.
170RULE: - If based on the above options it's a statically compiled golang package:
171RULE: - Does the package use dh-golang (if not, suggest dh-make-golang to
172RULE: create the package)?
173RULE: - Does debian/control use `Built-Using: ${misc:Built-Using}` for each
174RULE: non'-dev' binary package (importantly, golang-*-dev packages only
175RULE: ship source files so don't need Built-Using)?
176RULE: - Does the package follow Debian Go packaging guidelines?
177RULE: (See: https://go-team.pages.debian.net/packaging.html)
178RULE: - When it is infeasible to comply with this policy, the justification,
179RULE: discussion and approval should all be clearly represented in the bug.
180
181OK:
182TODO-A: - not a go package, no extra constraints to consider in that regard
183TODO-B: - Go Package that follows the Debian Go packaging guidelines
184
185TODO-A: - vendoring is used, but the reasoning is sufficiently explained
186TODO-B: - No vendoring used, all Built-Using are in main
187
188TODO-A: - golang: shared builds
189TODO-B: - golang: static builds are used, the team confirmed their commitment
190TODO-B: to the additional responsibilities implied by static builds.
191
192TODO-A: - not a rust package, no extra constraints to consider in that regard
193TODO-B: - Rust package that has all dependencies vendored. It does neither
194TODO-B: have *Built-Using (after build). Nor does the build log indicate
195TODO-B: built-in sources that are missed to be reported as Built-Using.
196
197TODO: - rust package using dh_cargo (dh ... --buildsystem cargo)
198
199TODO-A: - Includes vendored code, the package has documented how to refresh this
200TODO-A: code at <TBD>
201TODO-B: - Does not include vendored code
202
203TODO-A: Problems:
204TODO-A: - TBD
205TODO-B: Problems: None
206
207[Security]
208RULE: - Determine if the package may have security implications or history.
209RULE: Err on the side of caution.
210RULE: - If the package is security sensitive, you should review as much as you
211RULE: can and then assign to the ubuntu-security team. The bug will then be
212RULE: added to the prioritized list of MIR security reviews.
213RULE: - We do not block on, but want to recommend using enhanced isolation
214RULE: features, things like systemd isolation, apparmor and such shall at
215RULE: least have gotten a thought if they would help to mitigate risks in
216RULE: this case. If we spot a case where we think it should be either easy or
217RULE: very beneficial to use such features we should add them to recommended
218RULE: tasks.
219
220OK:
221TODO: - history of CVEs does not look concerning
222TODO: - does not run a daemon as root
223TODO: - does not use webkit1,2
224TODO: - does not use lib*v8 directly
225TODO: - does not parse data formats (files [images, video, audio,
226TODO: xml, json, asn.1], network packets, structures, ...) from
227TODO: an untrusted source.
228TODO: - does not expose any external endpoint (port/socket/... or similar)
229TODO: - does not process arbitrary web content
230TODO: - does not use centralized online accounts
231TODO: - does not integrate arbitrary javascript into the desktop
232TODO: - does not deal with system authentication (eg, pam), etc)
233TODO: - does not deal with security attestation (secure boot, tpm, signatures)
234TODO: - does not deal with cryptography (en-/decryption, certificates,
235TODO: signing, ...)
236TODO: - this makes appropriate (for its exposure) use of established risk
237TODO: mitigation features (dropping permissions, using temporary environments,
238TODO: restricted users/groups, seccomp, systemd isolation features,
239TODO: apparmor, ...)
240
241TODO-A: Problems:
242TODO-A: - TBD
243TODO-B: Problems: None
244
245[Common blockers]
246RULE: - There are plenty of testing requirements, hopefully already resolved
247RULE: by the reporter upfront, see "Quality assurance - testing" section of
248RULE: the Main Inclusion requirements
249RULE: - The MIR process shall ensure quality and maintainability, due to that
250RULE: the expectations to that are quite high, but especially in cases where
251RULE: special HW is needed that can be a hard to achieve which bloats the
252RULE: options below, it is a balance or compromise we need to strike between
253RULE: giving such cases a pass too easily and making them impossible.
254RULE: Please read (to keep this short) for more background:
255RULE: https://github.com/canonical/ubuntu-mir/issues/30
256
257OK:
258TODO: - does not FTBFS currently
259TODO: - does have a test suite that runs at build time
260TODO: - test suite fails will fail the build upon error.
261TODO: - does have a non-trivial test suite that runs as autopkgtest
262TODO-A: - This does seem to need special HW for build or test so it can't be
263TODO-A: automatic at build or autopkgtest time. But as outlined
264TODO-A: by the requester in [Quality assurance - testing] there:
265TODO-A1: - is hardware and a test plan or code
266TODO-A2: - are partner engagements and a test plan or code
267TODO-A3: - is community support to test this for Ubuntu
268TODO-A4: - a simulator and a test plan or code
269TODO-A5: - is upstream support to test this for Ubuntu
270TODO-A6: - an agreement with the manufacturer to test this for Ubuntu
271TODO-A7: - an agreement with solutions-qa to be able to test this for Ubuntu
272TODO-A8: - an agreement with another team to be able to test this for Ubuntu
273TODO-B: - This does not need special HW for build or test
274TODO-C: - This does need special HW for thorough testing, but all options to
275TODO-C: get this covered have been exhausted and based on demonstration of
276TODO-C: enough investigation and proof of why there is currently no other
277TODO-C: option it is accepted as-is as a compromise.
278TODO-C: The owning team is committed and aware of the implications for
279TODO-C: ongoing maintenance.
280TODO: - if a non-trivial test on this level does not make sense (the lib alone
281TODO: is only doing rather simple things), is the overall solution (app+libs)
282TODO: extensively covered i.e. via end to end autopkgtest ?
283TODO: - no new python2 dependency
284TODO: - Python package, but using dh_python
285TODO: - Go package, but using dh-golang
286
287TODO-A: Problems:
288TODO-A: - TBD
289TODO-B: Problems: None
290
291[Packaging red flags]
292RULE: - Does Ubuntu carry a non necessary delta?
293RULE: - If it's a library, does it either have a symbols file or use an empty
294RULE: argument to dh_makeshlibs -V? (pass such a patch on to Debian, but
295RULE: don't block on it).
296RULE: Note that for C++, see https://wiki.ubuntu.com/DailyRelease/FAQ
297RULE: for a method to demangle C++ symbols files.
298RULE: - There are shared object only meant for internal use, examples
299RULE: that come to mind are .so for perl or python implementation.
300RULE: in such cases symbols tracking is not needed as it isn't meant
301RULE: to expose an external API/ABI. But then in return we should ensure
302RULE: the package does not ship external headers to build against e.g.
303RULE: in a -dev package or similar.
304RULE: - Does it have a watch file? (If relevant, e.g. non-native)
305RULE: - Is its update history slow or sporadic?
306RULE: - Is the current release packaged?
307RULE: - Will entering main make it harder for the people currently keeping it
308RULE: up to date? (i.e. are they only MOTUs?)
309RULE: - Lintian warnings
310RULE: - Is debian/rules a mess? Ideally it uses dh and overrides to make it as
311RULE: tiny as possible.
312RULE: - If a package shall be promoted it should NOT be on the lto-disabled
313RULE: list, but the fix, or the workaround should be directly in the package
314RULE: to enforce maintainer awareness and make it more visible to anyone
315RULE: looking at the package - see https://wiki.ubuntu.com/ToolChain/LTO.
316
317OK:
318TODO-A: - Ubuntu does not carry a delta
319TODO-B: - Ubuntu does carry a delta, but it is reasonable and maintenance under
320TODO-B: control
321TODO-A: - symbols tracking is in place.
322TODO-B: - For c++ libraries - symbols tracking isn't in place but the owning
323TODO-B: team tried to set it up and came back with a reasonable rationale
324TODO-B: of why it isn't practical to do for the package.
325TODO-B: If symbols tracking isn't used then it's recommended to investigate
326TODO-B: using an alternative like abigail or abi-compliance-check in CI
327TODO-B: or bumping SOVER with every package update.
328TODO-C: - symbols tracking not applicable for this kind of code.
329TODO-D: - symbols tracking not applicable for this kind of code because it
330TODO-D: the shared objects are only used internally and no headers made
331TODO-D: available.
332TODO-A: - debian/watch is present and looks ok (if needed, e.g. non-native)
333TODO-B: - debian/watch is not present but also not needed (e.g. native)
334TODO: - Upstream update history is (good/slow/sporadic)
335TODO: - Debian/Ubuntu update history is (good/slow/sporadic)
336TODO: - the current release is packaged
337TODO: - promoting this does not seem to cause issues for MOTUs that so far
338TODO: maintained the package
339TODO: - no massive Lintian warnings
340TODO: - debian/rules is rather clean
341TODO: - It is not on the lto-disabled list
342RULE: (fix, or the workaround should be directly in the package,
343RULE: see https://launchpad.net/ubuntu/+source/lto-disabled-list)
344
345TODO-A: Problems:
346TODO-A: - TBD
347TODO-B: Problems: None
348
349[Upstream red flags]
350RULE: flag common issues:
351RULE: - if you see anything else odd, speak up and ask for clarification
352
353OK:
354TODO: - no Errors/warnings during the build
355TODO-A: - no incautious use of malloc/sprintf (as far as we can check it)
356TODO-B: - no incautious use of malloc/sprintf (the language has no direct MM)
357TODO: - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
358TODO: tests)
359TODO: - no use of user 'nobody' outside of tests
360RULE: (consider at least `grep -Hrn nobody` for it
361RULE: and run `find . -user nobody` in source and built binaries)
362TODO: - no use of setuid / setgid
363RULE: (consider at least `grep -Hrn -e setuid -e setgid` for it
364RULE: and run `find . \( -perm -4000 -o -perm -2000 \)` in source and
365RULE: built binaries)
366TODO: - use of setuid, but ok because TBD (prefer systemd to set those
367TODO: for services)
368TODO: - no important open bugs (crashers, etc) in Debian or Ubuntu
369RULE: Old dependencies, partially even still in main we want to get rid of over
370RULE: time. While they may be still there, we'd not want to add new
371RULE: dependencies. webkit = Web content engine library for GTK,
372RULE: qtwebkit = Web content engine library for Qt, libseed = GObject JavaScript
373RULE: bindings for the webkit engine
374TODO: - no dependency on webkit, qtwebkit or libseed
375TODO-A: - not part of the UI for extra checks
376TODO-B: - part of the UI, desktop file is ok
377TODO-A: - no translation present, but none needed for this case (user visible)?
378TODO-B: - translation present
379
380TODO-A: Problems:
381TODO-A: - TBD
382TODO-B: Problems: None