MainInclusionReportMlocate

Differences between revisions 3 and 4
Revision 3 as of 2008-02-14 10:01:52
Size: 3203
Editor: jan4
Comment: bug link fix
Revision 4 as of 2008-08-06 16:37:33
Size: 3223
Editor: localhost
Comment: converted to 1.6 markup

Main Inclusion Report for mlocate

Requirements

  1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/m/mlocate; available for all supported architectures

  2. Rationale:

  3. Security:

    • CVE entries: none

    • Secunia history: none

    • mlocate ships a version of updatedb that, as usual, runs as root from a daily cron job. The database it creates is owned by group mlocate and mode 0640 so that ordinary users cannot read it; /usr/bin/mlocate is setgid mlocate. This is essentially the same scheme as is used by slocate.

    • mlocate does not perform any network operations.

    • I (ColinWatson) performed a review of the code segments run with escalated privilege. I was impressed; the codebase is modern, well-written, well-commented, and was designed to entirely avoid the obvious attacks I could think of that involved passing it a malicious database. Its memory handling largely eschews traditional C support in favour of GNU obstacks, and completely avoids the usual dangerous string-handling functions. While I did not audit it exhaustively, its error handling seems reasonably complete and paranoid. Its build system is standard (though non-recursive) Autotools, using Autoconf, Automake, and Gnulib. It comes with a moderately-sized test suite.
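The privilege-separation scheme described above (root-run updatedb, database group-owned by mlocate with mode 0640, setgid locate binary) can be verified on an installed system. The following script is an added example, not part of this report or of the mlocate package; it assumes GNU coreutils stat(1) and the Debian default paths /var/lib/mlocate/mlocate.db and /usr/bin/mlocate (the database path is not stated in the report).

```shell
#!/bin/sh
# Added example: verify the mlocate privilege-separation scheme described in
# the report. Assumes GNU stat(1); the database path below is an assumption.
MLOCATE_DB=${MLOCATE_DB:-/var/lib/mlocate/mlocate.db}
MLOCATE_BIN=${MLOCATE_BIN:-/usr/bin/mlocate}
MLOCATE_GROUP=${MLOCATE_GROUP:-mlocate}

# check_db_perms FILE GROUP
# Succeeds only if FILE is mode 0640 (no world access) and owned by GROUP, so
# the file list stays readable only through the setgid binary.
check_db_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    grp=$(stat -c '%G' "$1" 2>/dev/null) || return 1
    [ "$mode" = "640" ] && [ "$grp" = "$2" ]
}

# check_setgid_binary FILE GROUP
# Succeeds only if FILE carries the setgid bit (and not setuid) and is
# group-owned by GROUP; GNU stat prints a leading "2" in the octal mode when
# only setgid is set, "6" if setuid is set as well (a deviation, so rejected).
check_setgid_binary() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    grp=$(stat -c '%G' "$1" 2>/dev/null) || return 1
    case "$mode" in
        2???) [ "$grp" = "$2" ] ;;
        *)    return 1 ;;
    esac
}

# check_install: run both checks against the configured paths; 0 means the
# installed files match the scheme reviewed above.
check_install() {
    check_db_perms "$MLOCATE_DB" "$MLOCATE_GROUP" &&
    check_setgid_binary "$MLOCATE_BIN" "$MLOCATE_GROUP"
}

# Only report when mlocate is actually installed on this host.
if [ -e "$MLOCATE_BIN" ]; then
    if check_install; then
        echo "mlocate: database and binary permissions match the reviewed scheme"
    else
        echo "mlocate: permissions deviate from the reviewed scheme"
    fi
fi
```

Run it as root on a system with mlocate installed; on a system without the binary it stays silent.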

  4. Quality assurance:

    • mlocate works out of the box without requiring configuration, although it does require a cron.daily run before it is useful (Debian bug #456151).

    • mlocate does not use debconf and asks no questions.

    • Debian bugs: one mentioned above, some trivial, none particularly serious

    • Maintenance in Debian is calm but competent

    • Upstream is calm; eight releases from late 2005 to mid-2007.

    • No upstream bug tracker. The author advertises his address @redhat.com for reporting bugs.

  5. Standards compliance:

    • Complies with the FHS and Debian Policy.

    • Packaged using debhelper, with no patch system. Nothing particularly unusual.

  6. Dependencies:

    • adduser, libc6.

  7. Background information:

    • This package's purpose is to be a drop-in replacement for slocate and GNU locate, with better performance in the daily cron update by merging into an existing database rather than constructing a new one from scratch. The intention of the author of this main inclusion report is that it should replace slocate in standard Ubuntu installations, and thereby allow locate(1) to keep working for old-school Unix users while reducing system load for those who don't care. This should be a happier compromise than the present situation.

Reviewers

MIR bug: https://bugs.launchpad.net/bugs/191775

ColinWatson (MIR author)

MainInclusionReportMlocate (last edited 2008-08-06 16:37:33 by localhost)