MIRprelink

Main Inclusion Report for prelink

Requirements

  1. Availability: universe; available for all supported architectures or some subset? currently needed only for amd64 and i386 (as build-dep of fglrx-installer), not currently built for armel

  2. Rationale:

    • Why is this package needed? This package includes logic for setting, clearing, or creating the GNU_STACK ELF section that declares whether the stack for a given ELF should be executable or not. This tool, "execstack", would be used to force-clear exec-stack markings on ELF binaries that we ship in restricted but do not have the source for (fglrx-installer, nvidia-*).

    • Build dependency of fglrx-installer if this MIR is approved

  3. Security:

    • no CVE entries

    • no Secunia history

    • Any binaries running as root or suid/sgid ? no Any daemons ? no, but a non-default cron job can be used to prelink binaries -- it is not expected this feature would ever be used in Ubuntu. If needed, "execstack" could be split to a separate binary deb and the rest of prelink pushed into universe.

    • Network activity: does it open any port ? no Does it handle incoming network data ? no

    • Does it directly (not through a library) process binary (video, audio, etc) or structured (PDF, etc) data ? yes: ELF binaries are parsed

    • Any source code review performed ? yes, did a quick check

  4. Quality assurance:

    • In what situations does the package not work out of the box without configuration ? works out of the box (defaults to disabled)

    • Does the package ask any debconf questions higher than priority 'medium' ? no

    • Debian bugs: most bugs are related to the prelink functionality, not the execstack functionality

    • Maintenance in Debian is calm

    • Upstream is calm

    • Upstream bug tracker: only prelink functionality bugs

    • Hardware: Does this package deal with hardware and if so how exotic is it ? no

    • Is there a test suite in the upstream source or packaging ? yes Is it enabled to run in the build ? no, believed to be unstable

  5. UI standards: not a GUI application

    • User-visible strings are internationalized using standard gettext system ? no

    • Package with translatable strings builds a PO template during package build ? no

    • End-user applications ship a desktop file ? no

  6. Standards compliance:

    • FHS, Debian Policy compliance ? yes

    • Packaging system (debhelper/cdbs/dbs) ? Patch system ? dpatch Any packaging oddities ? some minor RPMism-workarounds

  7. Dependencies:

    • libc6-dev (>> 2.3.5) | libc6.1-dev (>> 2.3.5), debhelper (>> 4.0.18), libelfg0-dev, libpopt-dev, dpatch (>= 1.11), libselinux1-dev

    • Are these all in main ? no, libelf needs MIR too

  8. Maintenance:

    • How much maintenance is this package likely to need ? very little (Simple packages may largely take care of themselves; complex packages will need dedicated developers paying attention to them.)

    • Who is responsible for monitoring the quality of this package and fixing its bugs ? ubuntu security team Are they Ubuntu or Debian developers ? yes

    • Who is the package bug contact in Ubuntu? standard (Needs one if it's a nontrivial package which does not fully maintain itself through Debian)

  9. Background information:

    • The general purpose and context of the package should be clear from the package's debian/control file. If it isn't then please explain.
    • What do upstream call this software ? prelink Has it had different names in the past ? no

  10. Internationalization:

    • Are graphical applications translatable? Do they support gettext? N/A
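
The exec-stack marking described under Rationale (item 2) can be audited without execstack itself by reading the PT_GNU_STACK program header of an ELF file. The following is an added example, not code from prelink or from this report; the function names and the sample image are constructed for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack marking
PF_X = 0x1                 # execute bit in p_flags

def gnu_stack_status(elf: bytes) -> str:
    """Return 'executable', 'non-executable' or 'missing' for an ELF image."""
    if len(elf) < 0x34 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = {1: False, 2: True}.get(elf[4])   # EI_CLASS
    endian = {1: "<", 2: ">"}.get(elf[5])    # EI_DATA
    if is64 is None or endian is None or (is64 and len(elf) < 0x40):
        raise ValueError("unsupported or truncated ELF header")
    if is64:   # Elf64_Ehdr: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(endian + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x36)
    else:      # Elf32_Ehdr: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(endian + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x2A)
    flags_off = 4 if is64 else 24            # p_flags position differs by class
    if e_phnum and e_phentsize < flags_off + 4:
        raise ValueError("program header entries too small")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(elf):
            raise ValueError("program header table truncated")
        (p_type,) = struct.unpack_from(endian + "I", elf, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(endian + "I", elf, off + flags_off)
            return "executable" if p_flags & PF_X else "non-executable"
    return "missing"  # no marking: the loader falls back to an architecture default

def sample_elf64(p_flags: int) -> bytes:
    """Constructed sample: ELF64 little-endian header plus one PT_GNU_STACK entry."""
    ehdr = struct.pack("<4sBBB9xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, p_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    if len(sys.argv) > 1:            # audit the ELF files named on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, gnu_stack_status(fh.read()))
    else:                            # otherwise show the constructed samples
        print("RW :", gnu_stack_status(sample_elf64(0x6)))
        print("RWX:", gnu_stack_status(sample_elf64(0x7)))
```

A result of "missing" is reported separately from "non-executable" because a binary with no marking at all is the case where the marking would have to be created rather than cleared.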

Reviewers

MIR bug: https://launchpad.net/bugs/418456

KeesCook

MIRprelink (last edited 2009-08-25 06:39:29 by c-76-105-212-198)