[MIR] open-isns

There's a subscriber and the package generally looks fine; modulo looking to see if tests can be run at build time.

However, since this is for iSNS, name services tend to be security-sensitive and there is some CVE history (not for open-isns specifically, but...) for iSNS on Linux (for tgt specifically); I would like there to be a security review.

On Fri, May 12, 2017 at 1:00 PM, Mathieu Trudel-Lapierre
<email address hidden> wrote:
> There's a subscriber and the package generally looks fine; modulo
> looking to see if tests can be run at build time.

I've got a patch locally that does seem to do this, but the tests
fail, because I think they require open-isns-server (specifically
isnsd and its configuration files) to be installed. So I'm not sure we
can run them during the build properly.

But we should run the self-tests in an autopkgtest (which I don't
think currently is happening). I will work on that at least.

> However, since this is for iSNS, name services tend to be security-
> sensitive and there is some CVE history (not for open-isns specifically,
> but...) for iSNS on Linux (for tgt specifically); I would like there to
> be a security review.

Agreed.

The linked MR adds a DEP8 test (which passes locally on amd64) for the upstream test suite. I've asked for Mathieu to review it before I upload, but it does seem sane (I've pushed all the upstream changes upstream as GitHub PRs as well) -- I had to skip one test, because I really don't understand what it's trying to do (and it might rely on something from microsoft).

Hi,

I'm one of the Debian Maintainers of open-isns and I just saw this bug here because I saw the upstream pull request for the fixes to the test suite. First of all: thanks for improving the package. The main reason I've packaged that is because it was split out of open-iscsi, and I'm not really a user of iSNS itself.

I would like to keep any diff between Debian and Ubuntu to a minimum - ideally there'd be no diff at all. I'd also be happy to include any Ubuntu-specific changes in the upstream Debian package. The upstream test suite you've added to DEP-8 appears to be something that would also be useful to run in Debian. If it's OK with you I'd like to review the changes you made in this regard and include them in the Debian package itself.

Apart from that: a short comment on what you wrote in the "Quality Assurance" part of this report:

> * No debconf questions are asked during installation.

This is not entirely true: no debconf questions are asked when installing the library packages themselves in the current Debian package, but because how the software works, the discovery daemon (pkg:open-isns-discoveryd) and the server itself (pkg:open-isns-server) will indeed ask debconf questions on installation and removal. That said: if you have any ideas how to handle that without debconf questions, I'd be open to hearing that. (In Debian we're now at the beginning of the next release cycle, so it'd be no problem at all to change the behavior.)

Regards,
Christian

On 21.06.2017 [04:32:18 -0000], Christian Seiler wrote:
> Hi,
>
> I'm one of the Debian Maintainers of open-isns and I just saw this bug
> here because I saw the upstream pull request for the fixes to the test
> suite. First of all: thanks for improving the package. The main reason
> I've packaged that is because it was split out of open-iscsi, and I'm
> not really a user of iSNS itself.

Of course! To be honest, neither am I, beyond knowing what the
technology is supposed to do :)

> I would like to keep any diff between Debian and Ubuntu to a minimum -

100% on board. To be clear, my next step once I get the change into
Ubuntu was an immediate submittodebian (and also why I sent it upstream
first, I'm hoping I can prod Lee to do a new release with the passing
test suite).

> ideally there'd be no diff at all. I'd also be happy to include any
> Ubuntu-specific changes in the upstream Debian package. The upstream
> test suite you've added to DEP-8 appears to be something that would also
> be useful to run in Debian. If it's OK with you I'd like to review the
> changes you made in this regard and include them in the Debian package
> itself.

Yep, absolutely! Like I said above, that was my plan as well. I see no
benefit to Ubuntu running tests that Debian doesn't :)

> Apart from that: a short comment on what you wrote in the "Quality
> Assurance" part of this report:
>
> > * No debconf questions are asked during installation.
>
> This is not entirely true: no debconf questions are asked when
> installing the library packages themselves in the current Debian

You are right, I should have made that more clear. The only binary
packages that need to be in main for this MIR are: libisns-dev
libisns-nocrypto0-udeb libisns0 as documented at
http://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.
The open-isns daemon/server packages will continue to live in universe.

> package, but because how the software works, the discovery daemon (pkg
> :open-isns-discoveryd) and the server itself (pkg:open-isns-server) will
> indeed ask debconf questions on installation and removal. That said: if
> you have any ideas how to handle that without debconf questions, I'd be
> open to hearing that. (In Debian we're now at the beginning of the next
> release cycle, so it'd be no problem at all to change the behavior.)

I'm happy to take a look at this, though! I'll put it on my backlog to
look at this cycle :)

Since this code was in main as part of the open-iscsi package in xenial, the security team is going to ack it without requiring a full review.

There's some work being done to include the tests in DEP-8 or otherwise, so I think we're good to move open-isns to main now; MIR approved.

promoted