Main Inclusion Report for mlocate
Availability: [http://archive.ubuntu.com/ubuntu/pool/universe/m/mlocate]; available for all supported architectures
Improved (faster) replacement for slocate
[http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mlocate CVE entries]: none
[http://secunia.com/search/?search=mlocate Secunia history]: none
mlocate ships a version of updatedb that, as usual, runs as root from a daily cron job. The database it creates is owned by group mlocate and mode 0640 so that ordinary users cannot read it; /usr/bin/mlocate is setgid mlocate. This is essentially the same scheme as is used by slocate.
mlocate does not perform any network operations.
I (ColinWatson) performed a review of the code segments run with escalated privilege. I was impressed; the codebase is modern, well-written, well-commented, and was designed to entirely avoid the obvious attacks I could think of that involved passing it a malicious database. Its memory handling largely eschews traditional C support in favour of GNU obstacks, and completely avoids the usual dangerous string-handling functions. While I did not audit it exhaustively, its error handling seems reasonably complete and paranoid. Its build system is standard (though non-recursive) Autotools, using Autoconf, Automake, and Gnulib. It comes with a moderately-sized test suite.
mlocate works out of the box without requiring configuration, although it does require a cron.daily run before it is useful ([http://bugs.debian.org/456151 Debian bug #456151]).
mlocate does not use debconf and asks no questions.
[http://bugs.debian.org/src:mlocate Debian bugs]: one mentioned above, some trivial, none particularly serious
[http://packages.qa.debian.org/m/mlocate.html Maintenance in Debian] is calm but competent
[http://carolina.mff.cuni.cz/~trmac/blog/mlocate/ Upstream] is calm; eight releases from late 2005 to mid-2007.
No upstream bug tracker. The author advertises his address @redhat.com for reporting bugs.
- adduser, libc6.
This package's purpose is to be a drop-in replacement for slocate and GNU locate, with better performance in the daily cron update by merging into an existing database rather than constructing a new one from scratch. The intention of the author of this main inclusion report is that it should replace slocate in standard Ubuntu installations, and thereby allow locate(1) to keep working for old-school Unix users while reducing system load for those who don't care. This should be a happier compromise than the present situation.
MIR bug: [https://bugs.launchpad.net/191775]
ColinWatson (MIR author)