Main Inclusion Report for sourcepackage


  1. Availability:; available for all supported architectures.

  2. Rationale:

  3. Security:

    • CVE entries: none

    • Secunia history: none

    • Any binaries running as root or suid/sgid ? Any daemons ?
      • Restricted to the bare minimum. There are 3 daemons (upsd: data server ; upsmon: events notification and actions ; drivers) and a set of utils. Only 1 upsmon instances (on 2) run as root for being able to shutdown the system. Note that a solution exists to completely avoid root privileges (search for "Completely unprivileged upsmon").

    • Network activity: does it open any port ? Does it handle incoming network data ?
      • Yes. it's a client/server based set of tools. The port (3493) is IANA and /etc/servoces registered.
    • High level source code review performed by JamieStrandboge

      • confirmed that upsd and the ups drivers drop privileges in default installation. They do so in a sane way
      • upsmon is privilege separated in default installation, with the parent reading a single character from the child via a pipe. privilege separation and dropping of privileges done in a sane way
      • bug #182790 has information on further securing nut

      • since the nut tools run with minimal privileges, and has a good security history, there are no huge concerns. That said, a thorough audit for format string vulnerabilities might prove enlightening. The following functions all take a 'fmt' as an argument: upslog_with_errno(), upslogx(), upsdebug_with_errno(), upsdebugx(), vfatal(), fatal_with_errno(), fatalx(). Performing the following will show how many places to start to look to verify 'fmt' is not user-manipulable (there are a lot):

        for i in vupslog upslog_with_errno upslogx upsdebug_with_errno upsdebugx vfatal fatal_with_errno fatalx; do echo $i ; grep -r -c $i ./* | grep -v ':0' | grep '\.c:'; done
  4. Quality assurance:

    • In what situations does the package not work out of the box without configuration ?
      • Requires manual configuration as the external hw is not always autodetectable. Upstream has planned improvements on that side.

    • Does the package ask any debconf questions higher than priority 'medium' ?
      • yes but only if upgrading from versions < 2.2.0 for the core package and < 2.0.1 for the nut-cgi package.

    • Debian bugs: Several bugs at different severities.

    • Maintenance in Debian is very calm

    • Upstream is active

    • Hardware: Does this package deal with hardware and if so how exotic is it ?
      • Yes. It deals with external UPS'es. Not extremely exotic. And a must have feature for servers.
  5. Standards compliance:

    • FHS, Debian Policy.

      • Package looks FHS compliant, lintian complains on a bunch of things and the nut-dev package doesn't provide shared libraries (only static, but it's planned upstream).
    • Packaging system (debhelper/cdbs/dbs) ? Patch system ? Any packaging oddities ?
      • dpatch (on some versions).
  6. Dependencies:

    • Are these all in main ?
      • Build-deps and Depends are all in main.


MIR bug:

The author of this report should put their name here; reviewers will add comments etc. too

FabioMassimoDiNitto ArnaudQuette JamieStrandboge

MainInclusionReportNut (last edited 2008-08-06 16:28:51 by localhost)