MainInclusionReportMlocate

Main Inclusion Report for mlocate

Requirements

  1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/m/mlocate; available for all supported architectures

  2. Rationale:

  3. Security:

    • CVE entries: none

    • Secunia history: none

    • mlocate ships a version of updatedb that, as usual, runs as root from a daily cron job. The database it creates is owned by group mlocate and mode 0640 so that ordinary users cannot read it; /usr/bin/mlocate is setgid mlocate. This is essentially the same scheme as is used by slocate.

    • mlocate does not perform any network operations.

    • I (ColinWatson) performed a review of the code segments run with escalated privilege. I was impressed; the codebase is modern, well-written, well-commented, and was designed to entirely avoid the obvious attacks I could think of that involved passing it a malicious database. Its memory handling largely eschews traditional C support in favour of GNU obstacks, and completely avoids the usual dangerous string-handling functions. While I did not audit it exhaustively, its error handling seems reasonably complete and paranoid. Its build system is standard (though non-recursive) Autotools, using Autoconf, Automake, and Gnulib. It comes with a moderately-sized test suite.

  4. Quality assurance:

    • mlocate works out of the box without requiring configuration, although it does require a cron.daily run before it is useful (Debian bug #456151).

    • mlocate does not use debconf and asks no questions.

    • Debian bugs: one mentioned above, some trivial, none particularly serious

    • Maintenance in Debian is calm but competent

    • Upstream is calm; eight releases from late 2005 to mid-2007.

    • No upstream bug tracker. The author advertises his address @redhat.com for reporting bugs.

  5. Standards compliance:

    • Complies with the FHS and Debian Policy.

    • Packaged using debhelper, with no patch system. Nothing particularly unusual.
  6. Dependencies:

    • adduser, libc6.
  7. Background information:

    • This package's purpose is to be a drop-in replacement for slocate and GNU locate, with better performance in the daily cron update by merging into an existing database rather than constructing a new one from scratch. The intention of the author of this main inclusion report is that it should replace slocate in standard Ubuntu installations, and thereby allow locate(1) to keep working for old-school Unix users while reducing system load for those who don't care. This should be a happier compromise than the present situation.

Reviewers

MIR bug: https://bugs.launchpad.net/bugs/191775

ColinWatson (MIR author)

MainInclusionReportMlocate (last edited 2008-08-06 16:37:33 by localhost)