[MIR]: libyang2
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libyang2 (Ubuntu) | Fix Released | Critical | Unassigned |
Bug Description
[Availability]
The package libyang2 is already in Ubuntu universe.
The package libyang2 builds for the architectures it is designed to work on.
It currently builds and works for architectures (all but i386): amd64 arm64 armhf ppc64el riscv64 s390x
Link to package: https:/
[Rationale]
- The package libyang2 is a new runtime dependency of package frr
which is an ongoing MIR at #1951834
[Security]
- Search in the National Vulnerability Database using the PKG as keyword
http://
libyang had quite a few CVEs: https:/
But all in major version 1. Version 2 (subject of this MIR) doesn't have CVEs yet.
Going over the above CVEs for 2021, for example, shows that only gentoo issued advisories. The remaining ones for 2019 had a mix of Redhat and Fedora advisories, and not even gentoo ones.
- check OSS security mailing list (feed into search engine
'site:
No results (libyang2, libyang). "yang" returns results for a person with that name.
Not a single triaged CVE for libyang v1: https:/
v2 has no Ubuntu CVEs (makes sense: it's a new package in jammy): https:/
Debian security tracker: https:/
libyang2 has no entries yet in the debian security tracker: https:/
Looks like Debian never issued a DSA for these.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services
- libyang is a schema validator, and bugs can become vulnerabilities if untrusted input is parsed incorrectly.
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many
and long term critical bugs open
No launchpad bugs for either libyang or libyang2
- Debian https:/
CVE bug: https:/
Probably not handled because libyang2 is replacing libyang(1), and doesn't have these vulns
- Debian https:/
No bugs yet against libyang2
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
The package has a test suite, but it was originally disabled. I filed this bug and enabled it: https:/
The current package in jammy runs tests at build time:
libyang2 (2.0.112-6ubuntu1) jammy; urgency=medium
* Enable build time tests (LP: #1958385):
- d/rules: set -DENABLE_TESTS=ON
- d/p/fix-
to __FILE__ being a relative path
-- Andreas Hasenack <email address hidden> Thu, 20 Jan 2022 21:03:40 +0000
Upstream already provided a fix for the test failures.
- The package runs an autopkgtest, and is currently passing on
all arches except i386 (it's not built for i386):
https:/
- The package does not have failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- lintian run is ok-ish:
$ lintian -I --pedantic
E: libyang2 changes: bad-distributio
W: libyang2-tools: groff-message usr/share/
W: libyang2-tools: groff-message usr/share/
I: libyang2 source: out-of-
I: libyang2: spelling-
I: libyang2: symbols-
I: libyang2 source: unused-
I: libyang2 source: unused-
I: libyang2 source: unused-
I: libyang2 source: unused-
I: libyang2 source: wildcard-
I: libyang2 source: wildcard-
I: libyang2 source: wildcard-
I: libyang2 source: wildcard-
P: libyang2 source: package-
P: libyang2 source: silent-
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
Note that libyang1 relied on pcre3, but libyang2 (this package) uses pcre2 already.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy: https:/
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
$ check-mir
Checking support status of build dependencies...
* libcmocka-dev binary and source package is in universe
Checking support status of binary dependencies...
* libyang2 binary and source package is in universe
* libyang2 binary and source package is in universe
* libyang2-tools binary and source package is in universe
cmocka is used for unit tests only, at build time, when enabled
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Server Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
[Background information]
- The Package description explains the package well
- Upstream Name is libyang
- Link to upstream project: https:/
description: updated
tags: added: server-todo
summary:
- [MIR}: libyang2
+ [MIR]: libyang2
description: updated
Changed in libyang2 (Ubuntu):
assignee: nobody → Ioanna Alifieraki (joalif)
Review for Package: src:libyang2
[Summary]
libyang2 source package is a parser toolkit for IETF YANG data modelling.
It provides:
* the library (libyang2) which implements functions to process schemas expressed in
YANG data modelling language. The schemas primarily describe network equipment configuration.
* development files (libyang2-dev)
* executable tools (libyang2-tools, libyang-tools) which can be used for the creation
of IETF YANG schemas.
MIR team ACK
This does need a security review because it parses data formats, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: libyang2, libyang2-dev
Specific binary packages built, but NOT to be promoted to main: libyang2-tools, libyang-tools (no dependency on them)
Notes: /launchpadlibrarian.net/581476001/buildlog_ubuntu-jammy-amd64.libyang2_2.0.112-6ubuntu1_BUILDING.txt.gz)
/./src/parser_json.c: In function ‘lydjson_data_skip’:
/./src/parser_json.c:304:46: warning: ‘current’ may be used uninitialized in this function [-Wmaybe-uninitialized]
/./src/parser_json.c:283:39: note: ‘current’ was declared here
Recommended TODOs:
- The package provides one autopackage test. It would be nice to have more.
- In the buildlog (https:/
there are 2 warnings reported many times. It would be nice to report them upstream to be fixed.
The warnings are:
../..
../..
../..
../.././src/schema_compile_node.c: In function ‘lys_compile_node_’:
/./src/schema_compile_node.c:2438:19: warning: ‘list’ may be used uninitialized in this function [-Wmaybe-uninitialized]
/./src/schema_compile_node.c:2426:28: note: ‘list’ was declared here
../..
../..
[Duplication]
- There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the (potentially auto-generated) dependencies (Depends
and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used, all Built-Using are in main
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
Problems:
- package does parse data-formats
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency
Problems: None
[Packaging red flags]
OK:
- Ubunt...