MainInclusionReportConsolekit
Main Inclusion Report for consolekit
Requirements
Availability: http://archive.ubuntu.com/ubuntu/pool/universe/c/consolekit; available for all supported architectures or some subset?
Rationale:
Needed to fix fast user switching usability (UnifiedLoginUnlock spec)
Security:
No CVE entries or Secunia reports and no vulnerabilities found in a general web search. However, the
- There are no set-id binaries. However, the package's essential content is a daemon which runs as root.
- root privilege is needed because one of the main functions of the daemon is to make VT_* ioctls on /dev/console, which are restricted by the kernel to root. The daemon spawns dozens of threads, each of which calls VT_WAITACTIVE for one particular VT. It probably isn't practical to split off the VT handling without substantial structural changes to the program.
- The daemon provides a dbus service to local clients. There is no use of the network.
- I have delved into the code quite deeply. It's a confusing pile of gobject soup with lumps of dbus. Not very pleasant but it does seem to work. All unmarshalling of incoming dbus messages is done with code autogenerated by dbus-binding-tool, supplemented by occasional explicit calls to dbus unmarshalling functions. There are some calls to scanf but they only pick out integer values, not strings. I would expect the density of vulnerabilities to be manageable although I wouldn't go so far as to say that there are none.
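Two of the checks reported in this section, the absence of set-id binaries and scanf calls that read only integers, can be repeated mechanically on an unpacked package tree and a source tree. The script below is an added example, not part of the original review or of consolekit. The function names and the directory arguments are assumptions, and the pattern is a heuristic that only sees format strings written on the same line as the call.

```shell
#!/bin/sh
# Added example (not from the review): repeat two audit checks on a
# package before promoting it. Function names are hypothetical.

# list_setid DIR
# Print every regular file under DIR with the setuid or setgid bit set.
# DIR is expected to be an unpacked package tree (e.g. from dpkg-deb -x).
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# list_string_scanf DIR
# Print path:line:text for scanf-family calls in C sources under DIR whose
# format contains %s, %ls or %[ with no field width, i.e. a conversion that
# can write past the destination buffer. Integer conversions (%d, %u, ...),
# width-limited ones (%7s) and suppressed ones (%*s) are not reported.
list_string_scanf() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -nE \
        '(^|[^[:alnum:]_])v?[fs]?scanf[[:space:]]*\(.*%l?(s|\[)' \
        /dev/null {} + | sort
}

# Stand-alone use: audit.sh UNPACKED_PACKAGE_DIR SOURCE_DIR
if [ "$#" -eq 2 ]; then
    echo "set-id files:"
    list_setid "$1"
    echo "scanf calls with unbounded string conversions:"
    list_string_scanf "$2"
fi
```

An empty result from both functions matches what the review reports; any line printed by the second function needs a manual look at the destination buffer size.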
Quality assurance:
- This package works out of the box without configuration, and will be silently used by gdm and gnome-screensaver et al when installed and running.
- The package doesn't ask any debconf questions.
There are no Debian bugs of any importance.
Maintenance in Debian is pretty calm. Upstream is freedesktop.
No very interesting upstream bugs; just one relevant one which we filed.
- Hardware: No hardware dependencies.
Standards compliance:
FHS, Debian Policy compliance is fine in consolekit.deb. I haven't examined the libck-connector packages, which we do not propose to promote at this time.
Debian library packaging guide standards compliance is only relevant for the library packages which will stay in universe.
- Packaging system is cdbs. No patch system.
Dependencies:
- dbus and X libraries, all in main.
Reviewers
This review was written by iwj 1.8.2007. MartinPitt: approved
MainInclusionReportConsolekit (last edited 2008-08-06 16:23:55 by localhost)