2022-01-18 14:09:40 |
Andreas Hasenack |
description |
placeholder for MIR
- frr has its roots in quagga
- quagga is unmaintained upstream:
- we have been carrying the same version since bionic
- upstream's git repo is gone (http://git.savannah.gnu.org/cgit/quagga.git)
- git mirror at https://github.com/Quagga/quagga shows last commit in 2018 (https://github.com/Quagga/quagga
- mailing lists have crickets (https://lists.quagga.net/pipermail/quagga-users/, https://lists.quagga.net/pipermail/quagga-dev/)
The proposal is to demote quagga, and promote frr, for jammy.
I'll do the initial MIR evaluation, and thus assign this bug to me. Once the MIR template is filled out, I'll mark this bug as NEW again and unassigned. |
[Availability]
The package frr is already in Ubuntu universe.
The package builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, s390x, riscv64
Link to package: https://launchpad.net/ubuntu/+source/frr
[Rationale]
frr is a fork and replacement for quagga, which is what we have in main but is unmaintained by upstream.
About quagga:
- we have been carrying the same version since bionic
- upstream's git repo is gone (http://git.savannah.gnu.org/cgit/quagga.git)
- git mirror at https://github.com/Quagga/quagga shows last commit in 2018 (https://github.com/Quagga/quagga
- mailing lists have crickets (https://lists.quagga.net/pipermail/quagga-users/, https://lists.quagga.net/pipermail/quagga-dev/)
The proposal is to demote quagga, and promote frr, for jammy.
[Security]
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=frr
4 CVEs in older versions (jammy has 8.1)
CVE-2017-15865 - information leak
CVE-2017-5495 - DoS due to memleak
CVE-2019-5892 - DoS
CVE-2020-12831 - (disputed) info leak via an initially empty world readable config file
site:www.openwall.com/lists/oss-security frr
0 hits (the single hit was for the "frr" string in a pgp signature)
Ubuntu:
https://ubuntu.com/security/cve?q=frr&package=&priority=&version=&status=
https://ubuntu.com/security/CVE-2020-12831 needs triage: (disputed) info leak via an initially empty world readable config file
https://ubuntu.com/security/CVE-2017-5495 only affected quagga in ubuntu it seems
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package installs services:
/lib/systemd/system/frr.service
Right after installation, one daemon runs as root, the other two as "frr":
root 32148 0.0 0.0 7960 2892 ? Ss 14:02 0:00 /usr/lib/frr/watchfrr -d -F traditional zebra staticd
frr 32161 0.0 0.0 242848 7000 ? Ssl 14:02 0:00 /usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
frr 32166 0.0 0.0 9256 3608 ? Ss 14:02 0:00 /usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
Many more can be run depending on configuration, though. Default list in /etc/frr/daemons:
bgpd=no
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=no
sharpd=no
pbrd=no
bfdd=no
fabricd=no
vrrpd=no
pathd=no
If all are enabled, we get this by default:
frr 1033 0.0 0.0 1722872 9648 ? Ssl 14:42 0:00 /usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
frr 1038 0.0 0.0 173100 9108 ? Ssl 14:42 0:00 /usr/lib/frr/bgpd -d -F traditional -A 127.0.0.1
frr 1045 0.0 0.0 9916 4192 ? Ss 14:42 0:00 /usr/lib/frr/ripd -d -F traditional -A 127.0.0.1
frr 1048 0.0 0.0 9660 3832 ? Ss 14:42 0:00 /usr/lib/frr/ripngd -d -F traditional -A ::1
frr 1051 0.0 0.0 11852 4900 ? Ss 14:42 0:00 /usr/lib/frr/ospfd -d -F traditional -A 127.0.0.1
frr 1054 0.0 0.0 10828 4632 ? Ss 14:42 0:00 /usr/lib/frr/ospf6d -d -F traditional -A ::1
frr 1057 0.0 0.0 11540 4884 ? Ss 14:42 0:00 /usr/lib/frr/isisd -d -F traditional -A 127.0.0.1
frr 1060 0.0 0.0 9388 3532 ? Ss 14:42 0:00 /usr/lib/frr/babeld -d -F traditional -A 127.0.0.1
frr 1063 0.0 0.0 11540 5088 ? Ss 14:42 0:00 /usr/lib/frr/pimd -d -F traditional -A 127.0.0.1
frr 1071 0.0 0.0 9692 5380 ? S 14:42 0:00 /usr/lib/frr/ldpd -L -u frr -g frr
frr 1072 0.0 0.0 9520 5376 ? S 14:42 0:00 /usr/lib/frr/ldpd -E -u frr -g frr
frr 1074 0.0 0.0 10288 3652 ? Ss 14:42 0:00 /usr/lib/frr/ldpd -d -F traditional -A 127.0.0.1
frr 1078 0.0 0.0 9968 3652 ? Ss 14:42 0:00 /usr/lib/frr/nhrpd -d -F traditional -A 127.0.0.1
frr 1082 0.0 0.0 9812 4000 ? Ss 14:42 0:00 /usr/lib/frr/eigrpd -d -F traditional -A 127.0.0.1
frr 1085 0.0 0.0 9232 3376 ? Ss 14:42 0:00 /usr/lib/frr/pbrd -d -F traditional -A 127.0.0.1
frr 1088 0.0 0.0 9204 3136 ? Ss 14:42 0:00 /usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
frr 1091 0.0 0.0 9496 3596 ? Ss 14:42 0:00 /usr/lib/frr/bfdd -d -F traditional -A 127.0.0.1
frr 1094 0.0 0.0 10460 4052 ? Ss 14:42 0:00 /usr/lib/frr/fabricd -d -F traditional -A 127.0.0.1
frr 1097 0.0 0.0 9256 3472 ? Ss 14:42 0:00 /usr/lib/frr/vrrpd -d -F traditional -A 127.0.0.1
frr 1101 0.0 0.0 9600 3728 ? Ss 14:42 0:00 /usr/lib/frr/pathd -d -F traditional -A 127.0.0.1
- Package does not open privileged ports (ports < 1024)
The above daemons all listen on unprivileged high ports for the vty interface, but might open privileged ports once configured properly. For example, the RIP routing protocol uses 520/UDP.
- Package does not contain extensions to security-sensitive software
No. But one could argue that routing is security sensitive.
[Quality assurance - function/usage]
- The package works well right after install
That being said, routing is very site specific. While all the daemons start and run if so requested, definitely some configuration will be needed for them to be useful.
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open
There are just two open bugs in Ubuntu, filed by me: https://bugs.launchpad.net/ubuntu/+source/frr
- one is this MIR
- the other is LP: #1958162, which I found after trying the package out. I think this one must be fixed, because logging is important.
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=frr
I would like to highlight this one: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000032: depends on obsolete pcre3 library
The current 8.1-1 upload has a build-depends on libpcre2-dev, replacing libpcre3-dev, so maybe it was fixed. Needs to be checked, as I tried some apt-cache show grepping for pcre and couldn't find any.
- Upstream: https://github.com/FRRouting/frr/issues
Many open and closed bugs, as expected from a busy project. I tried looking for serious ones, but didn't find obvious ones in the first few pages. Going through labels, there wasn't any indicating severity. Using the "security" label returned just one open issue, which might be a corner case and has some technical discussion:
https://github.com/FRRouting/frr/issues/8728
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log <TBD>
The build runs a test suite. Last build in jammy:
============================= test session starts ==============================
platform linux -- Python 3.9.8, pytest-6.2.5, py-1.10.0, pluggy-0.13.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /<<PKGBUILDDIR>>/tests, configfile: pytest.ini
collecting ... collected 440 items
bgpd/test_aspath.py::TestAspath::test_exit_cleanly PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seq1 PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seq2 PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seq3 PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seqset PASSED [ 1%]
bgpd/test_aspath.py::TestAspath::test_seqset2 PASSED [ 1%]
(...)
Link: https://launchpadlibrarian.net/568804185/buildlog_ubuntu-jammy-amd64.frr_8.1-1_BUILDING.txt.gz
There is no dh_auto_test override. I patched a random test to fail, and the build failed accordingly:
self = <test_aspath.TestAspath object at 0x7f6f7bd740a0>
line = 'basic 4-byte as-path'
okfail = re.compile(b'^(?:\\x1b\\[3[12]m)?(?P<ret>OK|failed)', re.MULTILINE)
def _okfail(self, line, okfail=re_okfail):
self._onesimple(line)
m = okfail.search(self.output)
if m is None:
raise MultiTestFailure("OK/fail not found")
self.output = self.output[m.end() :]
if m.group("ret") != "OK".encode("utf8"):
> raise MultiTestFailure("Test output indicates failure")
E frrtest.MultiTestFailure: Test output indicates failure
helpers/python/frrtest.py:160: MultiTestFailure
---- generated xml file: /home/ubuntu/git/packages/frr/frr/tests/tests.xml -----
=========================== short test summary info ============================
FAILED bgpd/test_aspath.py::TestAspath::test_exit_cleanly - frrtest.MultiTest...
FAILED bgpd/test_aspath.py::TestAspath::test_basic_4_byte_as_path - frrtest.M...
================== 2 failed, 433 passed, 5 skipped in 16.40s ===================
make[1]: *** [Makefile:15534: tests/tests.xml] Error 1
make[1]: Leaving directory '/home/ubuntu/git/packages/frr/frr'
dh_auto_test: error: make -j4 check VERBOSE=1 returned exit code 2
make: *** [debian/rules:33: build] Error 25
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
The package runs autopkgtests, and is currently passing on all arches but i386, where it's not available: https://autopkgtest.ubuntu.com/packages/frr
[Quality assurance - packaging]
- debian/watch is present and works
lintian is a bit noisy, mostly about documentation issues:
$ lintian -I --pedantic
E: frr changes: bad-distribution-in-changes-file unstable
W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/doctools.js please use sphinx
W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/language_data.js please use sphinx
W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/searchtools.js please use sphinx
W: frr: groff-message usr/share/man/man1/frr.1.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
W: frr: groff-message usr/share/man/man1/vtysh.1.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
W: frr: groff-message usr/share/man/man8/frr-bfdd.8.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
W: frr: groff-message ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-normal-processing.png
W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-rs-processing.png
W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-vnc-commercial-route-reflector.png
W: frr-doc: info-document-missing-image-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: frr: mismatched-override spelling-error-in-binary usr/lib/frr/zebra writen written
W: frr source: possible-new-upstream-release-without-new-version
I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:120
I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:211
I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:213
I: frr: acute-accent-in-manual-page ... use --no-tag-display-limit to see all (or pipe to a file/program)
I: frr: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/frr/modules/zebra_cumulus_mlag.so
I: frr source: out-of-date-standards-version 4.5.0.3 (released 2020-01-20) (current is 4.5.1)
I: frr: spelling-error-in-binary usr/bin/vtysh configration configuration
I: frr: spelling-error-in-binary usr/bin/vtysh informtion information
I: frr: spelling-error-in-binary usr/lib/frr/bgpd Neighor Neighbor
I: frr: spelling-error-in-binary ... use --no-tag-display-limit to see all (or pipe to a file/program)
I: frr: systemd-service-file-refers-to-var-run lib/systemd/system/frr.service PIDFile /var/run/frr/watchfrr.pid
I: frr: typo-in-manual-page usr/share/man/man1/vtysh.1.gz prefered preferred
I: frr-rpki-rtrlib: unused-override hardening-no-fortify-functions *
P: frr: executable-in-usr-lib usr/lib/frr/babeld
P: frr: executable-in-usr-lib usr/lib/frr/bfdd
P: frr: executable-in-usr-lib usr/lib/frr/bgpd
P: frr: executable-in-usr-lib ... use --no-tag-display-limit to see all (or pipe to a file/program)
P: frr-pythontools: executable-in-usr-lib usr/lib/frr/frr-reload.py
P: frr-pythontools: executable-in-usr-lib usr/lib/frr/generate_support_bundle.py
P: frr source: package-lacks-versioned-build-depends-on-debhelper 10
P: frr source: package-uses-old-debhelper-compat-version 10
P: frr: renamed-tag manpage-without-executable => spare-manual-page in line 10
P: frr source: silent-on-rules-requiring-root
N: 24 hints overridden (24 info); 2 unused overrides
The existing overrides are well documented. Example:
$ cat debian/frr.lintian-overrides
# function names & co.
frr binary: spelling-error-in-binary usr/lib/*/frr/libfrr.so.0.0.0 writen written
frr binary: spelling-error-in-binary usr/lib/*/frr/libfrrospfapiclient.so.0.0.0 writen written
frr binary: spelling-error-in-binary usr/lib/frr/ospfd writen written
frr binary: spelling-error-in-binary usr/lib/frr/zebra writen written
frr binary: spelling-error-in-binary usr/lib/frr/pimd writen written
frr binary: spelling-error-in-binary usr/lib/frr/pimd iif if
# prefixed man pages for off-PATH daemons
manpage-without-executable
# personal name
spelling-error-in-copyright Ang And
- This package does not rely on obsolete or about to be demoted packages.
There is an open question about PCRE3. The latest upload changed the build-dep on libpcre3-dev to libpcre2-dev, which is what we want since PCRE3 is obsolete. I don't see evidence in the build logs, nor in the final package deps, that PCRE2 was used, though. The configure script checks for "pcreposix", which is part of PCRE3, and it is not found (because we installed libpcre2-dev):
Resulting config.h:
/* Define to 1 if you have the `pcreposix' library (-lpcreposix). */
/* #undef HAVE_LIBPCREPOSIX */
It's only checked for if ./configure is given --enable-pcreposix, which d/rules doesn't:
if test "$enable_pcreposix" = "yes"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for regexec in -lpcreposix" >&5
$ grep -i pcre debian/control debian/rules config.log
debian/control: libpcre2-dev,
config.log:HAVE_LIBPCREPOSIX=''
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy: https://git.launchpad.net/ubuntu/+source/frr/tree/debian/rules
[UI standards]
There are no translations.
It's a server service with sysadmin oriented commands, config file and shell interface (vtysh).
[Dependencies]
There are two, or maybe just one, extra dependencies for which we will need MIRs:
libyang2: https://launchpad.net/ubuntu/+source/libyang2
librtr: https://launchpad.net/ubuntu/+source/librtr. This one is used in a separate binary package, and we might get away with keeping just this binary package (frr-rpki-rtrlib) in universe.
[Standards compliance]
This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
Team is already subscribed to the package
This does not use static builds
[Background information]
RULE: - The package descriptions should explain the general purpose and context
RULE: of the package. Additional explanations/justifications should be done in
RULE: the MIR report.
RULE: - If the package was renamed recently, or has a different upstream name,
RULE: this needs to be explained in the MIR report.
The Package description explains the package well
Upstream Name is Free Range Routing (frr)
Link to upstream project https://frrouting.org/
This is a fork and replacement for quagga, which is in main already for quite some time. Unfortunately upstream development stopped, and we should not keep quagga in main anymore. Ubuntu has been shipping the same build for many releases already:
quagga | 1.2.4-1 | bionic | source, amd64, arm64, armhf, i386, ppc64el, s390x
quagga | 1.2.4-4build1 | focal | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
quagga | 1.2.4-4ubuntu1 | hirsute | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
quagga | 1.2.4-4ubuntu2 | impish | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
quagga | 1.2.4-4ubuntu2 | jammy | source, amd64, arm64, armhf, ppc64el, riscv64, s390x |
|
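The privilege and port checks from the [Security] section above, written as a script; this is an added example, not part of the bug report or of the frr packaging. The sample input is constructed from the listings above with two deliberately bad lines added, and `EXPECTED_ROOT` and the `PRIVILEGED_PORTS` map are assumptions of the example.

```python
import ipaddress
import re

FRR_DIR = "/usr/lib/frr/"      # daemon directory seen in the ps listings above
EXPECTED_ROOT = {"watchfrr"}   # assumption: only the watchdog may run as root

# Ports below 1024 taken from the protocol standards, not from the package.
# 520/UDP for RIP is the one the report names; the list is not exhaustive.
PRIVILEGED_PORTS = {
    "bgpd": ["179/tcp"],
    "ripd": ["520/udp"],
    "ripngd": ["521/udp"],
    "ldpd": ["646/tcp", "646/udp"],
}

# Constructed `ps aux` sample: lines modelled on the report's listing, plus two
# deliberately bad ones (bgpd as root, ospfd with its vty on 0.0.0.0).
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 32148 0.0 0.0 7960 2892 ? Ss 14:02 0:00 /usr/lib/frr/watchfrr -d -F traditional zebra staticd
frr 32161 0.0 0.0 242848 7000 ? Ssl 14:02 0:00 /usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
frr 1048 0.0 0.0 9660 3832 ? Ss 14:42 0:00 /usr/lib/frr/ripngd -d -F traditional -A ::1
frr 1071 0.0 0.0 9692 5380 ? S 14:42 0:00 /usr/lib/frr/ldpd -L -u frr -g frr
root 2001 0.0 0.0 173100 9108 ? Ssl 14:42 0:00 /usr/lib/frr/bgpd -d -F traditional -A 127.0.0.1
frr 2002 0.0 0.0 11852 4900 ? Ss 14:42 0:00 /usr/lib/frr/ospfd -d -F traditional -A 0.0.0.0
"""

# Constructed /etc/frr/daemons fragment.
SAMPLE_DAEMONS = """\
bgpd=yes
ospfd=no
ripd=yes
ldpd=no
vtysh_enable=yes
zebra_options="  -A 127.0.0.1 -s 90000000"
"""


def parse_ps(text):
    """Return (user, pid, daemon, argv) for every FRR process in `ps aux` text."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 10)      # ten fixed columns, then the command
        if len(fields) < 11 or not fields[1].isdigit():
            continue                        # header or malformed line
        argv = fields[10].split()
        if argv[0].startswith(FRR_DIR):
            procs.append((fields[0], int(fields[1]), argv[0][len(FRR_DIR):], argv))
    return procs


def vty_addr(argv):
    """Return the value given to -A (vty bind address), or None if absent."""
    if "-A" in argv[:-1]:
        return argv[argv.index("-A") + 1]
    return None


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False    # a hostname cannot be shown to be loopback here


def audit(ps_text):
    """Return sorted (pid, daemon, problem) findings for the process list."""
    findings = []
    for user, pid, daemon, argv in parse_ps(ps_text):
        if user == "root" and daemon not in EXPECTED_ROOT:
            findings.append((pid, daemon, "runs as root"))
        addr = vty_addr(argv)
        if addr is not None and not is_loopback(addr):
            findings.append((pid, daemon, f"vty bound to non-loopback address {addr}"))
    return sorted(findings)


def enabled_daemons(daemons_text):
    """Return the daemon names set to 'yes' in /etc/frr/daemons-style text."""
    names = []
    for line in daemons_text.splitlines():
        m = re.match(r"^\s*([a-z0-9]+d)=yes\s*$", line)
        if m:
            names.append(m.group(1))
    return names


def expected_privileged_ports(daemons_text):
    """Map each enabled daemon to the ports < 1024 it will open once configured."""
    return {d: PRIVILEGED_PORTS[d]
            for d in enabled_daemons(daemons_text) if d in PRIVILEGED_PORTS}


if __name__ == "__main__":
    for pid, daemon, problem in audit(SAMPLE_PS):
        print(f"{daemon} (pid {pid}): {problem}")
    for daemon, ports in expected_privileged_ports(SAMPLE_DAEMONS).items():
        print(f"{daemon} enabled: expect {', '.join(ports)}")
```
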
2022-01-19 12:52:27 |
Andreas Hasenack |
description |
[Availability]
The package frr is already in Ubuntu universe.
The package builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, s390x, riscv64
Link to package: https://launchpad.net/ubuntu/+source/frr
[Rationale]
frr is a fork and replacement for quagga, which is what we have in main but is unmaintained by upstream.
About quagga:
- we have been carrying the same version since bionic
- upstream's git repo is gone (http://git.savannah.gnu.org/cgit/quagga.git)
- git mirror at https://github.com/Quagga/quagga shows last commit in 2018 (https://github.com/Quagga/quagga
- mailing lists have crickets (https://lists.quagga.net/pipermail/quagga-users/, https://lists.quagga.net/pipermail/quagga-dev/)
The proposal is to demote quagga, and promote frr, for jammy.
[Security]
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=frr
4 CVEs in older versions (jammy has 8.1)
CVE-2017-15865 - information leak
CVE-2017-5495 - DoS due to memleak
CVE-2019-5892 - DoS
CVE-2020-12831 - (disputed) info leak via an initially empty world readable config file
site:www.openwall.com/lists/oss-security frr
0 hits (the single hit was for the "frr" string in a pgp signature)
Ubuntu:
https://ubuntu.com/security/cve?q=frr&package=&priority=&version=&status=
https://ubuntu.com/security/CVE-2020-12831 needs triage: (disputed) info leak via an initially empty world readable config file
https://ubuntu.com/security/CVE-2017-5495 only affected quagga in ubuntu it seems
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package installs services:
/lib/systemd/system/frr.service
Right after installation, one daemon runs as root, the other two as "frr":
root 32148 0.0 0.0 7960 2892 ? Ss 14:02 0:00 /usr/lib/frr/watchfrr -d -F traditional zebra staticd
frr 32161 0.0 0.0 242848 7000 ? Ssl 14:02 0:00 /usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
frr 32166 0.0 0.0 9256 3608 ? Ss 14:02 0:00 /usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
Many more can be run depending on configuration, though. Default list in /etc/frr/daemons:
bgpd=no
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=no
sharpd=no
pbrd=no
bfdd=no
fabricd=no
vrrpd=no
pathd=no
If all are enabled, we get this by default:
frr 1033 0.0 0.0 1722872 9648 ? Ssl 14:42 0:00 /usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
frr 1038 0.0 0.0 173100 9108 ? Ssl 14:42 0:00 /usr/lib/frr/bgpd -d -F traditional -A 127.0.0.1
frr 1045 0.0 0.0 9916 4192 ? Ss 14:42 0:00 /usr/lib/frr/ripd -d -F traditional -A 127.0.0.1
frr 1048 0.0 0.0 9660 3832 ? Ss 14:42 0:00 /usr/lib/frr/ripngd -d -F traditional -A ::1
frr 1051 0.0 0.0 11852 4900 ? Ss 14:42 0:00 /usr/lib/frr/ospfd -d -F traditional -A 127.0.0.1
frr 1054 0.0 0.0 10828 4632 ? Ss 14:42 0:00 /usr/lib/frr/ospf6d -d -F traditional -A ::1
frr 1057 0.0 0.0 11540 4884 ? Ss 14:42 0:00 /usr/lib/frr/isisd -d -F traditional -A 127.0.0.1
frr 1060 0.0 0.0 9388 3532 ? Ss 14:42 0:00 /usr/lib/frr/babeld -d -F traditional -A 127.0.0.1
frr 1063 0.0 0.0 11540 5088 ? Ss 14:42 0:00 /usr/lib/frr/pimd -d -F traditional -A 127.0.0.1
frr 1071 0.0 0.0 9692 5380 ? S 14:42 0:00 /usr/lib/frr/ldpd -L -u frr -g frr
frr 1072 0.0 0.0 9520 5376 ? S 14:42 0:00 /usr/lib/frr/ldpd -E -u frr -g frr
frr 1074 0.0 0.0 10288 3652 ? Ss 14:42 0:00 /usr/lib/frr/ldpd -d -F traditional -A 127.0.0.1
frr 1078 0.0 0.0 9968 3652 ? Ss 14:42 0:00 /usr/lib/frr/nhrpd -d -F traditional -A 127.0.0.1
frr 1082 0.0 0.0 9812 4000 ? Ss 14:42 0:00 /usr/lib/frr/eigrpd -d -F traditional -A 127.0.0.1
frr 1085 0.0 0.0 9232 3376 ? Ss 14:42 0:00 /usr/lib/frr/pbrd -d -F traditional -A 127.0.0.1
frr 1088 0.0 0.0 9204 3136 ? Ss 14:42 0:00 /usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
frr 1091 0.0 0.0 9496 3596 ? Ss 14:42 0:00 /usr/lib/frr/bfdd -d -F traditional -A 127.0.0.1
frr 1094 0.0 0.0 10460 4052 ? Ss 14:42 0:00 /usr/lib/frr/fabricd -d -F traditional -A 127.0.0.1
frr 1097 0.0 0.0 9256 3472 ? Ss 14:42 0:00 /usr/lib/frr/vrrpd -d -F traditional -A 127.0.0.1
frr 1101 0.0 0.0 9600 3728 ? Ss 14:42 0:00 /usr/lib/frr/pathd -d -F traditional -A 127.0.0.1
- Package does not open privileged ports (ports < 1024)
The above daemons all listen on unprivileged high ports for the vty interface, but might open privileged ports once configured properly. For example, the RIP routing protocol uses 520/UDP.
- Package does not contain extensions to security-sensitive software
No. But one could argue that routing is security sensitive.
[Quality assurance - function/usage]
- The package works well right after install
That being said, routing is very site specific. While all the daemons start and run if so requested, definitely some configuration will be needed for them to be useful.
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open
There are just two open bugs in Ubuntu, filed by me: https://bugs.launchpad.net/ubuntu/+source/frr
- one is this MIR
- the other is LP: #1958162, which I found after trying the package out. I think this one must be fixed, because logging is important.
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=frr
I would like to highlight this one: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000032: depends on obsolete pcre3 library
The current 8.1-1 upload has a build-depends on libpcre2-dev, replacing libpcre3-dev, so maybe it was fixed. Needs to be checked, as I tried some apt-cache show grepping for pcre and couldn't find any.
- Upstream: https://github.com/FRRouting/frr/issues
Many open and closed bugs, as expected from a busy project. I tried looking for serious ones, but didn't find obvious ones in the first few pages. Going through labels, there wasn't any indicating severity. Using the "security" label returned just one open issue, which might be a corner case and has some technical discussion:
https://github.com/FRRouting/frr/issues/8728
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log <TBD>
The build runs a test suite. Last build in jammy:
============================= test session starts ==============================
platform linux -- Python 3.9.8, pytest-6.2.5, py-1.10.0, pluggy-0.13.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /<<PKGBUILDDIR>>/tests, configfile: pytest.ini
collecting ... collected 440 items
bgpd/test_aspath.py::TestAspath::test_exit_cleanly PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seq1 PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seq2 PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seq3 PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seqset PASSED [ 1%]
bgpd/test_aspath.py::TestAspath::test_seqset2 PASSED [ 1%]
(...)
Link: https://launchpadlibrarian.net/568804185/buildlog_ubuntu-jammy-amd64.frr_8.1-1_BUILDING.txt.gz
There is no dh_auto_test override. I patched a random test to fail, and the build failed accordingly:
self = <test_aspath.TestAspath object at 0x7f6f7bd740a0>
line = 'basic 4-byte as-path'
okfail = re.compile(b'^(?:\\x1b\\[3[12]m)?(?P<ret>OK|failed)', re.MULTILINE)
def _okfail(self, line, okfail=re_okfail):
self._onesimple(line)
m = okfail.search(self.output)
if m is None:
raise MultiTestFailure("OK/fail not found")
self.output = self.output[m.end() :]
if m.group("ret") != "OK".encode("utf8"):
> raise MultiTestFailure("Test output indicates failure")
E frrtest.MultiTestFailure: Test output indicates failure
helpers/python/frrtest.py:160: MultiTestFailure
---- generated xml file: /home/ubuntu/git/packages/frr/frr/tests/tests.xml -----
=========================== short test summary info ============================
FAILED bgpd/test_aspath.py::TestAspath::test_exit_cleanly - frrtest.MultiTest...
FAILED bgpd/test_aspath.py::TestAspath::test_basic_4_byte_as_path - frrtest.M...
================== 2 failed, 433 passed, 5 skipped in 16.40s ===================
make[1]: *** [Makefile:15534: tests/tests.xml] Error 1
make[1]: Leaving directory '/home/ubuntu/git/packages/frr/frr'
dh_auto_test: error: make -j4 check VERBOSE=1 returned exit code 2
make: *** [debian/rules:33: build] Error 25
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
The package runs autopkgtests, and is currently passing on all arches but i386, where it's not available: https://autopkgtest.ubuntu.com/packages/frr
[Quality assurance - packaging]
- debian/watch is present and works
lintian is a bit noisy, mostly about documentation issues:
$ lintian -I --pedantic
E: frr changes: bad-distribution-in-changes-file unstable
W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/doctools.js please use sphinx
W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/language_data.js please use sphinx
W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/searchtools.js please use sphinx
W: frr: groff-message usr/share/man/man1/frr.1.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
W: frr: groff-message usr/share/man/man1/vtysh.1.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
W: frr: groff-message usr/share/man/man8/frr-bfdd.8.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
W: frr: groff-message ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-normal-processing.png
W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-rs-processing.png
W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-vnc-commercial-route-reflector.png
W: frr-doc: info-document-missing-image-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: frr: mismatched-override spelling-error-in-binary usr/lib/frr/zebra writen written
W: frr source: possible-new-upstream-release-without-new-version
I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:120
I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:211
I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:213
I: frr: acute-accent-in-manual-page ... use --no-tag-display-limit to see all (or pipe to a file/program)
I: frr: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/frr/modules/zebra_cumulus_mlag.so
I: frr source: out-of-date-standards-version 4.5.0.3 (released 2020-01-20) (current is 4.5.1)
I: frr: spelling-error-in-binary usr/bin/vtysh configration configuration
I: frr: spelling-error-in-binary usr/bin/vtysh informtion information
I: frr: spelling-error-in-binary usr/lib/frr/bgpd Neighor Neighbor
I: frr: spelling-error-in-binary ... use --no-tag-display-limit to see all (or pipe to a file/program)
I: frr: systemd-service-file-refers-to-var-run lib/systemd/system/frr.service PIDFile /var/run/frr/watchfrr.pid
I: frr: typo-in-manual-page usr/share/man/man1/vtysh.1.gz prefered preferred
I: frr-rpki-rtrlib: unused-override hardening-no-fortify-functions *
P: frr: executable-in-usr-lib usr/lib/frr/babeld
P: frr: executable-in-usr-lib usr/lib/frr/bfdd
P: frr: executable-in-usr-lib usr/lib/frr/bgpd
P: frr: executable-in-usr-lib ... use --no-tag-display-limit to see all (or pipe to a file/program)
P: frr-pythontools: executable-in-usr-lib usr/lib/frr/frr-reload.py
P: frr-pythontools: executable-in-usr-lib usr/lib/frr/generate_support_bundle.py
P: frr source: package-lacks-versioned-build-depends-on-debhelper 10
P: frr source: package-uses-old-debhelper-compat-version 10
P: frr: renamed-tag manpage-without-executable => spare-manual-page in line 10
P: frr source: silent-on-rules-requiring-root
N: 24 hints overridden (24 info); 2 unused overrides
The existing overrides are well documented. Example:
$ cat debian/frr.lintian-overrides
# function names & co.
frr binary: spelling-error-in-binary usr/lib/*/frr/libfrr.so.0.0.0 writen written
frr binary: spelling-error-in-binary usr/lib/*/frr/libfrrospfapiclient.so.0.0.0 writen written
frr binary: spelling-error-in-binary usr/lib/frr/ospfd writen written
frr binary: spelling-error-in-binary usr/lib/frr/zebra writen written
frr binary: spelling-error-in-binary usr/lib/frr/pimd writen written
frr binary: spelling-error-in-binary usr/lib/frr/pimd iif if
# prefixed man pages for off-PATH daemons
manpage-without-executable
# personal name
spelling-error-in-copyright Ang And
- This package does not rely on obsolete or about to be demoted packages.
There is an open question about PCRE3. The latest upload changed the build-dep on libpcre3-dev to libpcre2-dev, which is what we want since PCRE3 is obsolete. I don't see evidence in the build logs, nor in the final package deps, that PCRE2 was used, though. The configure script checks for "pcreposix", which is part of PCRE3, and it is not found (because we installed libpcre2-dev):
Resulting config.h:
/* Define to 1 if you have the `pcreposix' library (-lpcreposix). */
/* #undef HAVE_LIBPCREPOSIX */
It's only checked for if ./configure is given --enable-pcreposix, which d/rules doesn't:
if test "$enable_pcreposix" = "yes"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for regexec in -lpcreposix" >&5
$ grep -i pcre debian/control debian/rules config.log
debian/control: libpcre2-dev,
config.log:HAVE_LIBPCREPOSIX=''
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy: https://git.launchpad.net/ubuntu/+source/frr/tree/debian/rules
[UI standards]
There are no translations.
It's a server service with sysadmin oriented commands, config file and shell interface (vtysh).
[Dependencies]
There are two, or maybe just one, extra dependencies for which we will need MIRs:
libyang2: https://launchpad.net/ubuntu/+source/libyang2
librtr: https://launchpad.net/ubuntu/+source/librtr. This one is used in a separate binary package, and we might get away with keeping just this binary package (frr-rpki-rtrlib) in universe.
[Standards compliance]
This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
Team is already subscribed to the package
This does not use static builds
[Background information]
RULE: - The package descriptions should explain the general purpose and context
RULE: of the package. Additional explanations/justifications should be done in
RULE: the MIR report.
RULE: - If the package was renamed recently, or has a different upstream name,
RULE: this needs to be explained in the MIR report.
The Package description explains the package well
Upstream Name is Free Range Routing (frr)
Link to upstream project https://frrouting.org/
This is a fork and replacement for quagga, which is in main already for quite some time. Unfortunately upstream development stopped, and we should not keep quagga in main anymore. Ubuntu has been shipping the same build for many releases already:
quagga | 1.2.4-1 | bionic | source, amd64, arm64, armhf, i386, ppc64el, s390x
quagga | 1.2.4-4build1 | focal | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
quagga | 1.2.4-4ubuntu1 | hirsute | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
quagga | 1.2.4-4ubuntu2 | impish | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
quagga | 1.2.4-4ubuntu2 | jammy | source, amd64, arm64, armhf, ppc64el, riscv64, s390x |
[Availability]
The package frr is already in Ubuntu universe.
The package builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, s390x, riscv64
Link to package: https://launchpad.net/ubuntu/+source/frr
[Rationale]
frr is a fork and replacement for quagga, which is what we have in main but is unmaintained by upstream.
About quagga:
- we have been carrying the same version since bionic
- upstream's git repo is gone (http://git.savannah.gnu.org/cgit/quagga.git)
- git mirror at https://github.com/Quagga/quagga shows last commit in 2018 (https://github.com/Quagga/quagga)
- mailing lists have crickets (https://lists.quagga.net/pipermail/quagga-users/, https://lists.quagga.net/pipermail/quagga-dev/)
The proposal is to demote quagga, and promote frr, for jammy.
[Security]
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=frr
4 CVEs in older versions (jammy has 8.1)
CVE-2017-15865 - information leak
CVE-2017-5495 - DoS due to memleak
CVE-2019-5892 - DoS
CVE-2020-12831 - (disputed) info leak via an initially empty world readable config file
site:www.openwall.com/lists/oss-security frr
0 hits (the single hit was for the "frr" string in a pgp signature)
Ubuntu:
https://ubuntu.com/security/cve?q=frr&package=&priority=&version=&status=
https://ubuntu.com/security/CVE-2020-12831 needs triage: (disputed) info leak via an initially empty world readable config file
https://ubuntu.com/security/CVE-2017-5495 only affected quagga in ubuntu it seems
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package installs services:
/lib/systemd/system/frr.service
Right after installation, one daemon runs as root, the other two as "frr":
root 32148 0.0 0.0 7960 2892 ? Ss 14:02 0:00 /usr/lib/frr/watchfrr -d -F traditional zebra staticd
frr 32161 0.0 0.0 242848 7000 ? Ssl 14:02 0:00 /usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
frr 32166 0.0 0.0 9256 3608 ? Ss 14:02 0:00 /usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
Many more can be run depending on configuration, though. Default list in /etc/frr/daemons:
bgpd=no
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=no
sharpd=no
pbrd=no
bfdd=no
fabricd=no
vrrpd=no
pathd=no
If all are enabled, we get this by default:
frr 1033 0.0 0.0 1722872 9648 ? Ssl 14:42 0:00 /usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
frr 1038 0.0 0.0 173100 9108 ? Ssl 14:42 0:00 /usr/lib/frr/bgpd -d -F traditional -A 127.0.0.1
frr 1045 0.0 0.0 9916 4192 ? Ss 14:42 0:00 /usr/lib/frr/ripd -d -F traditional -A 127.0.0.1
frr 1048 0.0 0.0 9660 3832 ? Ss 14:42 0:00 /usr/lib/frr/ripngd -d -F traditional -A ::1
frr 1051 0.0 0.0 11852 4900 ? Ss 14:42 0:00 /usr/lib/frr/ospfd -d -F traditional -A 127.0.0.1
frr 1054 0.0 0.0 10828 4632 ? Ss 14:42 0:00 /usr/lib/frr/ospf6d -d -F traditional -A ::1
frr 1057 0.0 0.0 11540 4884 ? Ss 14:42 0:00 /usr/lib/frr/isisd -d -F traditional -A 127.0.0.1
frr 1060 0.0 0.0 9388 3532 ? Ss 14:42 0:00 /usr/lib/frr/babeld -d -F traditional -A 127.0.0.1
frr 1063 0.0 0.0 11540 5088 ? Ss 14:42 0:00 /usr/lib/frr/pimd -d -F traditional -A 127.0.0.1
frr 1071 0.0 0.0 9692 5380 ? S 14:42 0:00 /usr/lib/frr/ldpd -L -u frr -g frr
frr 1072 0.0 0.0 9520 5376 ? S 14:42 0:00 /usr/lib/frr/ldpd -E -u frr -g frr
frr 1074 0.0 0.0 10288 3652 ? Ss 14:42 0:00 /usr/lib/frr/ldpd -d -F traditional -A 127.0.0.1
frr 1078 0.0 0.0 9968 3652 ? Ss 14:42 0:00 /usr/lib/frr/nhrpd -d -F traditional -A 127.0.0.1
frr 1082 0.0 0.0 9812 4000 ? Ss 14:42 0:00 /usr/lib/frr/eigrpd -d -F traditional -A 127.0.0.1
frr 1085 0.0 0.0 9232 3376 ? Ss 14:42 0:00 /usr/lib/frr/pbrd -d -F traditional -A 127.0.0.1
frr 1088 0.0 0.0 9204 3136 ? Ss 14:42 0:00 /usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
frr 1091 0.0 0.0 9496 3596 ? Ss 14:42 0:00 /usr/lib/frr/bfdd -d -F traditional -A 127.0.0.1
frr 1094 0.0 0.0 10460 4052 ? Ss 14:42 0:00 /usr/lib/frr/fabricd -d -F traditional -A 127.0.0.1
frr 1097 0.0 0.0 9256 3472 ? Ss 14:42 0:00 /usr/lib/frr/vrrpd -d -F traditional -A 127.0.0.1
frr 1101 0.0 0.0 9600 3728 ? Ss 14:42 0:00 /usr/lib/frr/pathd -d -F traditional -A 127.0.0.1
- Package does not open privileged ports (ports < 1024)
The above daemons all listen on unprivileged high ports for the vty interface, but might open privileged ports once configured properly. For example, the RIP routing protocol uses 520/UDP.
- Package does not contain extensions to security-sensitive software
No. But one could argue that routing is security sensitive.
[Quality assurance - function/usage]
- The package works well right after install
That being said, routing is very site specific. While all the daemons start and run if so requested, definitely some configuration will be needed for them to be useful.
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open
There are just two open bugs in Ubuntu, filed by me: https://bugs.launchpad.net/ubuntu/+source/frr
- one is this MIR
- the other is LP: #1958162, which I found after trying the package out. I think this one must be fixed, because logging is important.
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=frr
I would like to highlight this one: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000032: depends on obsolete pcre3 library
The current 8.1-1 upload has a build-depends on libpcre2-dev, replacing libpcre3-dev, so maybe it was fixed. Needs to be checked, as I tried some apt-cache show grepping for pcre and couldn't find any.
- Upstream: https://github.com/FRRouting/frr/issues
Many open and closed bugs, as expected from a busy project. I tried looking for serious ones, but didn't find obvious ones in the first few pages. Going through labels, there wasn't any indicating severity. Using the "security" label returned just one open issue, which might be a corner case and has some technical discussion:
https://github.com/FRRouting/frr/issues/8728
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log <TBD>
The build runs a test suite. Last build in jammy:
============================= test session starts ==============================
platform linux -- Python 3.9.8, pytest-6.2.5, py-1.10.0, pluggy-0.13.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /<<PKGBUILDDIR>>/tests, configfile: pytest.ini
collecting ... collected 440 items
bgpd/test_aspath.py::TestAspath::test_exit_cleanly PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seq1 PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seq2 PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seq3 PASSED [ 0%]
bgpd/test_aspath.py::TestAspath::test_seqset PASSED [ 1%]
bgpd/test_aspath.py::TestAspath::test_seqset2 PASSED [ 1%]
(...)
Link: https://launchpadlibrarian.net/568804185/buildlog_ubuntu-jammy-amd64.frr_8.1-1_BUILDING.txt.gz
There is no dh_auto_test override. I patched a random test to fail, and the build failed accordingly:
self = <test_aspath.TestAspath object at 0x7f6f7bd740a0>
line = 'basic 4-byte as-path'
okfail = re.compile(b'^(?:\\x1b\\[3[12]m)?(?P<ret>OK|failed)', re.MULTILINE)
def _okfail(self, line, okfail=re_okfail):
self._onesimple(line)
m = okfail.search(self.output)
if m is None:
raise MultiTestFailure("OK/fail not found")
self.output = self.output[m.end() :]
if m.group("ret") != "OK".encode("utf8"):
> raise MultiTestFailure("Test output indicates failure")
E frrtest.MultiTestFailure: Test output indicates failure
helpers/python/frrtest.py:160: MultiTestFailure
---- generated xml file: /home/ubuntu/git/packages/frr/frr/tests/tests.xml -----
=========================== short test summary info ============================
FAILED bgpd/test_aspath.py::TestAspath::test_exit_cleanly - frrtest.MultiTest...
FAILED bgpd/test_aspath.py::TestAspath::test_basic_4_byte_as_path - frrtest.M...
================== 2 failed, 433 passed, 5 skipped in 16.40s ===================
make[1]: *** [Makefile:15534: tests/tests.xml] Error 1
make[1]: Leaving directory '/home/ubuntu/git/packages/frr/frr'
dh_auto_test: error: make -j4 check VERBOSE=1 returned exit code 2
make: *** [debian/rules:33: build] Error 25
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
The package runs autopkgtests, and is currently passing on all arches but i386, where it's not available: https://autopkgtest.ubuntu.com/packages/frr
[Quality assurance - packaging]
- debian/watch is present and works
lintian is a bit noisy, mostly about documentation issues:
$ lintian -I --pedantic
E: frr changes: bad-distribution-in-changes-file unstable
W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/doctools.js please use sphinx
W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/language_data.js please use sphinx
W: frr-doc: embedded-javascript-library usr/share/doc/frr/html/_static/searchtools.js please use sphinx
W: frr: groff-message usr/share/man/man1/frr.1.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
W: frr: groff-message usr/share/man/man1/vtysh.1.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
W: frr: groff-message usr/share/man/man8/frr-bfdd.8.gz command exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
W: frr: groff-message ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-normal-processing.png
W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-rs-processing.png
W: frr-doc: info-document-missing-image-file usr/share/info/frr.info.gz frr-figures/fig-vnc-commercial-route-reflector.png
W: frr-doc: info-document-missing-image-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: frr: mismatched-override spelling-error-in-binary usr/lib/frr/zebra writen written
W: frr source: possible-new-upstream-release-without-new-version
I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:120
I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:211
I: frr: acute-accent-in-manual-page usr/share/man/man8/frr-bfdd.8.gz:213
I: frr: acute-accent-in-manual-page ... use --no-tag-display-limit to see all (or pipe to a file/program)
I: frr: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/frr/modules/zebra_cumulus_mlag.so
I: frr source: out-of-date-standards-version 4.5.0.3 (released 2020-01-20) (current is 4.5.1)
I: frr: spelling-error-in-binary usr/bin/vtysh configration configuration
I: frr: spelling-error-in-binary usr/bin/vtysh informtion information
I: frr: spelling-error-in-binary usr/lib/frr/bgpd Neighor Neighbor
I: frr: spelling-error-in-binary ... use --no-tag-display-limit to see all (or pipe to a file/program)
I: frr: systemd-service-file-refers-to-var-run lib/systemd/system/frr.service PIDFile /var/run/frr/watchfrr.pid
I: frr: typo-in-manual-page usr/share/man/man1/vtysh.1.gz prefered preferred
I: frr-rpki-rtrlib: unused-override hardening-no-fortify-functions *
P: frr: executable-in-usr-lib usr/lib/frr/babeld
P: frr: executable-in-usr-lib usr/lib/frr/bfdd
P: frr: executable-in-usr-lib usr/lib/frr/bgpd
P: frr: executable-in-usr-lib ... use --no-tag-display-limit to see all (or pipe to a file/program)
P: frr-pythontools: executable-in-usr-lib usr/lib/frr/frr-reload.py
P: frr-pythontools: executable-in-usr-lib usr/lib/frr/generate_support_bundle.py
P: frr source: package-lacks-versioned-build-depends-on-debhelper 10
P: frr source: package-uses-old-debhelper-compat-version 10
P: frr: renamed-tag manpage-without-executable => spare-manual-page in line 10
P: frr source: silent-on-rules-requiring-root
N: 24 hints overridden (24 info); 2 unused overrides
The existing overrides are well documented. Example:
$ cat debian/frr.lintian-overrides
# function names & co.
frr binary: spelling-error-in-binary usr/lib/*/frr/libfrr.so.0.0.0 writen written
frr binary: spelling-error-in-binary usr/lib/*/frr/libfrrospfapiclient.so.0.0.0 writen written
frr binary: spelling-error-in-binary usr/lib/frr/ospfd writen written
frr binary: spelling-error-in-binary usr/lib/frr/zebra writen written
frr binary: spelling-error-in-binary usr/lib/frr/pimd writen written
frr binary: spelling-error-in-binary usr/lib/frr/pimd iif if
# prefixed man pages for off-PATH daemons
manpage-without-executable
# personal name
spelling-error-in-copyright Ang And
- This package does not rely on obsolete or about to be demoted packages.
There is an open question about PCRE3. The latest upload changed the build-dep on libpcre3-dev to libpcre2-dev, which is what we want since PCRE3 is obsolete. I don't see evidence in the build logs, nor in the final package deps, that PCRE2 was used, though. The configure script checks for "pcreposix", which is part of PCRE3, and it is not found (because we installed libpcre2-dev):
Resulting config.h:
/* Define to 1 if you have the `pcreposix' library (-lpcreposix). */
/* #undef HAVE_LIBPCREPOSIX */
It's only checked for if ./configure is given --enable-pcreposix, which d/rules doesn't:
if test "$enable_pcreposix" = "yes"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for regexec in -lpcreposix" >&5
$ grep -i pcre debian/control debian/rules config.log
debian/control: libpcre2-dev,
config.log:HAVE_LIBPCREPOSIX=''
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy: https://git.launchpad.net/ubuntu/+source/frr/tree/debian/rules
[UI standards]
There are no translations.
It's a server service with sysadmin oriented commands, config file and shell interface (vtysh).
[Dependencies]
There are two, or maybe just one, extra dependencies for which we will need MIRs:
libyang2: https://launchpad.net/ubuntu/+source/libyang2 #1958293
librtr: https://launchpad.net/ubuntu/+source/librtr. This one is used in a separate binary package, and we might get away with keeping just this binary package (frr-rpki-rtrlib) in universe.
[Standards compliance]
This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
Team is already subscribed to the package
This does not use static builds
[Background information]
RULE: - The package descriptions should explain the general purpose and context
RULE: of the package. Additional explanations/justifications should be done in
RULE: the MIR report.
RULE: - If the package was renamed recently, or has a different upstream name,
RULE: this needs to be explained in the MIR report.
The Package description explains the package well
Upstream Name is Free Range Routing (frr)
Link to upstream project https://frrouting.org/
This is a fork and replacement for quagga, which has been in main for quite some time already. Unfortunately upstream development stopped, and we should not keep quagga in main anymore. Ubuntu has been shipping the same build for many releases already:
quagga | 1.2.4-1 | bionic | source, amd64, arm64, armhf, i386, ppc64el, s390x
quagga | 1.2.4-4build1 | focal | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
quagga | 1.2.4-4ubuntu1 | hirsute | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
quagga | 1.2.4-4ubuntu2 | impish | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
quagga | 1.2.4-4ubuntu2 | jammy | source, amd64, arm64, armhf, ppc64el, riscv64, s390x |
|
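An added example, not part of the original bug description: a shell check over `ps aux`-style output like the listings in the [Security] section, reporting which processes under /usr/lib/frr run as root beyond an allowlist. The sample lines are constructed (the root-owned ripd and the sshd line are invented deviations), and the function names and the default allowlist of watchfrr are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: ps aux lines modelled on the listings in the [Security]
# section; the root-owned ripd and the sshd line are invented for the demo.
SAMPLE_PS='root 32148 0.0 0.0 7960 2892 ? Ss 14:02 0:00 /usr/lib/frr/watchfrr -d -F traditional zebra staticd
frr 32161 0.0 0.0 242848 7000 ? Ssl 14:02 0:00 /usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
frr 32166 0.0 0.0 9256 3608 ? Ss 14:02 0:00 /usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
frr 1071 0.0 0.0 9692 5380 ? S 14:42 0:00 /usr/lib/frr/ldpd -L -u frr -g frr
frr 1072 0.0 0.0 9520 5376 ? S 14:42 0:00 /usr/lib/frr/ldpd -E -u frr -g frr
root 4242 0.0 0.0 9916 4192 ? Ss 14:42 0:00 /usr/lib/frr/ripd -d -F traditional -A 127.0.0.1
root 5000 0.0 0.0 7000 3000 ? Ss 14:42 0:00 /usr/sbin/sshd -D'

# Read ps aux lines on stdin and print "user daemon" once per distinct pair
# for processes whose executable (column 11) lives under /usr/lib/frr/.
frr_daemon_users() {
    awk '$11 ~ /^\/usr\/lib\/frr\// {
        n = split($11, parts, "/")
        key = $1 " " parts[n]
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Print FRR daemons running as root that are not in the allowlist.
# $1: space-separated allowlist (assumed default: watchfrr, the one root
# process the listing shows right after installation).
frr_unexpected_root() {
    allow=" ${1:-watchfrr} "
    frr_daemon_users | while read -r user daemon; do
        [ "$user" = "root" ] || continue
        case "$allow" in
            *" $daemon "*) ;;
            *) printf '%s\n' "$daemon" ;;
        esac
    done
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | frr_daemon_users
printf '%s\n' "$SAMPLE_PS" | frr_unexpected_root
```

On a live system the same functions can be fed from `ps aux` directly, for example `ps aux | frr_unexpected_root`.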