Main Inclusion Report for userv
Requirements
Availability: http://archive.ubuntu.com/ubuntu/pool/universe/u/userv, available for all supported architectures.
Rationale:
- Dependency of autopkgtest-xenlvm setup as used in the Canonical datacentre.
- Planned dependency of new ebox privsep arrangements.
Security:
- The package is a security boundary tool (i.e., for assisting and providing privilege separation). It can be used as a more sane and more secure alternative to the privsep use case of sudo.
- One security bug in July 2000: http://www.chiark.greenend.org.uk/pipermail/userv-announce/2000/000029.html (no CVE number).
- Principal contents are a daemon which responds to requests from a setuid-root client program; this is the manner in which it provides the cross-security-boundary call facility. The daemon parent runs as root but drops privilege to the called user as soon as possible after forking (in particular, before reading the configuration).
- Network activity: There is no networking involved. Only local (AF_UNIX) sockets are used, for within-machine interprocess communication.
- Source code review: A colleague of the author did a source code review before initial release. No further review has been performed for Ubuntu. (NB that the author of this MIR is also the author of the program.)
Quality assurance:
- userv 1.0.6 should compile and work out of the box on all versions of Ubuntu (when appropriately compiled). 1.0.5 has a problem with /var/run on tmpfs: it fails to create /var/run/userv at each daemon startup. 1.0.6 will be synced from Debian ASAP.
- The package does not ask any debconf questions.
- There are no outstanding Debian or Ubuntu bugs against userv. (There is a bug in debiandoc-sgml which results in a small defect in the installed copy of the userv manual.)
- Maintenance in Debian and upstream is very quiet, since the package is very stable.
- There is no upstream bug tracker, just some mailing lists.
- Hardware: userv does not deal with hardware at all.
Standards compliance:
- I believe the package complies with the FHS and relevant parts of Debian policy.
- Library packaging: not applicable - there are no libraries.
- Packaging system: by-hand debian/rules. No patch system. Packaging is straightforward.
Dependencies:
- No runtime dependencies apart from libc.
- Build-Depends: debiandoc-sgml, tetex-bin, tetex-extra (for documentation, all in main, although the tetex packages are transitional package names).
Background information:
- See the userv homepage for upstream information. The documentation is online.
- This package is GNU userv. It is not to be confused with "uServ" which is "a Java-based P2P work collaboration system based on the IBM Almaden Research Center's XML-based Vinci", "UServ Business Rules Model", the "Userv-A" virus, or other things with similar names.
Reviewers
This review was written by Ian Jackson, who is also the upstream author and Debian maintainer.
MainInclusionReportUserv (last edited 2008-08-06 16:32:40 by localhost)