= Main Inclusion Report for mlocate =

== Requirements ==

 0. ''Availability:'' [[http://archive.ubuntu.com/ubuntu/pool/universe/m/mlocate]]; available for all supported architectures
 0. ''Rationale:''
  * Improved (faster) replacement for `slocate`
  * https://lists.ubuntu.com/archives/ubuntu-devel/2008-February/025065.html
 0. ''Security:''
  * [[http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mlocate|CVE entries]]: none
  * [[http://secunia.com/search/?search=mlocate|Secunia history]]: none
  * `mlocate` ships a version of `updatedb` that, as usual, runs as root from a daily cron job. The database it creates is owned by group `mlocate` and mode 0640 so that ordinary users cannot read it; `/usr/bin/mlocate` is setgid `mlocate`. This is essentially the same scheme as is used by `slocate`.
  * `mlocate` does not perform any network operations.
  * I (ColinWatson) performed a review of the code segments run with escalated privilege. I was impressed; the codebase is modern, well-written, well-commented, and was designed to entirely avoid the obvious attacks I could think of that involved passing it a malicious database. Its memory handling largely eschews traditional C support in favour of GNU obstacks, and completely avoids the usual dangerous string-handling functions. While I did not audit it exhaustively, its error handling seems reasonably complete and paranoid. Its build system is standard (though non-recursive) Autotools, using Autoconf, Automake, and Gnulib. It comes with a moderately-sized test suite.
 0. ''Quality assurance:''
  * `mlocate` works out of the box without requiring configuration, although it does require a `cron.daily` run before it is useful ([[http://bugs.debian.org/456151|Debian bug #456151]]).
  * `mlocate` does not use debconf and asks no questions.
  * [[http://bugs.debian.org/src:mlocate|Debian bugs]]: one mentioned above, some trivial, none particularly serious
  * [[http://packages.qa.debian.org/m/mlocate.html|Maintenance in Debian]] is calm but competent
  * [[http://carolina.mff.cuni.cz/~trmac/blog/mlocate/|Upstream]] is calm; eight releases from late 2005 to mid-2007.
  * No upstream bug tracker. The author advertises his address `@redhat.com` for reporting bugs.
 0. ''Standards compliance:''
  * Complies with the [[http://www.pathname.com/fhs/|FHS]] and [[http://www.de.debian.org/doc/debian-policy/|Debian Policy]].
  * Packaged using debhelper, with no patch system. Nothing particularly unusual.
 0. ''Dependencies:''
  * adduser, libc6.
 0. ''Background information:''
  * This package's purpose is to be a drop-in replacement for `slocate` and GNU `locate`, with better performance in the daily cron update by merging into an existing database rather than constructing a new one from scratch. The intention of the author of this main inclusion report is that it should replace `slocate` in standard Ubuntu installations, and thereby allow `locate(1)` to keep working for old-school Unix users while reducing system load for those who don't care. This should be a happier compromise than the present situation.
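
The permission scheme described under ''Security'' (database group `mlocate`, mode 0640, setgid `/usr/bin/mlocate`) can be checked on an installed system. The script below is an added example, not part of the original report or of `mlocate`; the database path `/var/lib/mlocate/mlocate.db` is an assumption, and the function names are hypothetical.

```python
import grp
import os
import stat

DB_PATH = "/var/lib/mlocate/mlocate.db"  # assumed location, not stated in the report
BIN_PATH = "/usr/bin/mlocate"            # from the report
GROUP = "mlocate"                        # from the report


def check_scheme(db_mode, db_gid, bin_mode, bin_gid, group_gid):
    """Return a list of deviations from the scheme described in the report."""
    findings = []
    db_perm = stat.S_IMODE(db_mode)
    if db_gid != group_gid:
        findings.append("database is not owned by the locate group")
    if db_perm & stat.S_IRWXO:
        findings.append("database is accessible to other users (mode %04o)" % db_perm)
    if db_perm & stat.S_IWGRP:
        findings.append("database is group-writable (mode %04o)" % db_perm)
    if not db_perm & stat.S_IRGRP:
        findings.append("database is not group-readable; setgid locate cannot read it")
    if bin_gid != group_gid:
        findings.append("binary is not owned by the locate group")
    if not bin_mode & stat.S_ISGID:
        findings.append("binary is not setgid")
    if bin_mode & stat.S_ISUID:
        findings.append("binary is setuid; the scheme only calls for setgid")
    if bin_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("binary is writable by group or others")
    return findings


def audit_paths(db_path=DB_PATH, bin_path=BIN_PATH, group=GROUP):
    """Stat the installed files and check them; raises if a path or the group is missing."""
    gid = grp.getgrnam(group).gr_gid
    db, binary = os.stat(db_path), os.stat(bin_path)
    return check_scheme(db.st_mode, db.st_gid, binary.st_mode, binary.st_gid, gid)


if __name__ == "__main__":
    try:
        problems = audit_paths()
    except (KeyError, OSError) as exc:
        raise SystemExit("cannot audit: %s" % exc)
    for line in problems or ["permissions match the described scheme"]:
        print(line)
```

Run it as root (or as a member of group `mlocate`) so that the database can be statted; an empty result means the installed files match the scheme.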

== Reviewers ==

MIR bug: [[https://bugs.launchpad.net/bugs/191775]]

ColinWatson (MIR author)