MIR: pollinate
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pollen (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
This is a main inclusion request for the binary package pollinate, within the pollen source package.
1. Availability: The package is in universe and builds on all supported architectures.
2. Rationale: The pollinate package should be seeded in the Ubuntu cloud/server images, such that Ubuntu cloud instances can concatenated an unpredictable seed for their prng from one or more external sources.
3. Security: The Ubuntu security team is reviewing the design/
4. QA: The package works out of the box. It's easy to customize the configuration, in all the normal places. There are no debconf questions. There are no open bugs. The package is well maintained (by yours truly). The server package is enhanced by entropy hardware (which, though perhaps exotic, is not required). The server package ships and installs a nagios check, which is a functional test. A Debian watch file is not needed.
5. UI: This is not a desktop tool. The command line utility uses typical Ubuntu UI standards.
6. Dependencies: The dependencies are curl (already in main), and run-one (which itself is awaiting an MIR approval, should be trivial, only needed a DEP-5 copyright file, which is now fixed, see LP: #888770).
7. Standards compliance: This package makes correct use of FHS and Debian policy.
8. Maintenance: I will be actively maintaining this package (and I think I have a good track record of doing so to date). Moreover, I'm happy to share this maintenance with the Ubuntu server, cloud, or security teams, if desired.
9. Background info: The package description, manpages, and README should do a sufficient job explaining its design, implementation, and usage.
information type: | Private → Public |
Changed in pollen (Ubuntu): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in pollen (Ubuntu): | |
assignee: | Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold) |
Changed in pollen (Ubuntu): | |
assignee: | Seth Arnold (seth-arnold) → nobody |
Changed in pollen (Ubuntu): | |
status: | Fix Released → New |
Changed in pollen (Ubuntu): | |
status: | New → Fix Committed |
I reviewed pollen version 3.6-0ubuntu1 as checked into trusty. This
shouldn't be considered a full security audit, nor an audit of the design,
but rather a quick gauge of code quality.
- pollinate provides an entropy server and client, designed to combat
low-entropy on systems after early install
- The client runs at boot and periodically via cron
- The server runs at boot
- Build-depends upon autotools and friends
- Server depends upon golang-go compiler, the pollen server is recompiled
every time it is started
- Server recommends haveged, pollinate, ent
- Client depends upon run-one and curl
- Client suggests pollen-server and ent
- Uses Go's HTTPS libraries, server runs a self-contained web server
- Server:
- listens on configurable ports for TLS and non-TLS
- runs as user root
- Does not daemonize, expects to be managed with upstart or similar
- Client:
- Runs a script at boot and via cron to connect to servers using curl
and store results into /dev/urandom
- runs as user root during boot
- runs as user daemon during cronjobs
- Postinst scripts look broken, details below
- Initscripts start server and client at boot
- No dbus services
- No setuid executables
- 'pollen' and 'pollinate' binaries installed into /usr/bin
- No sudo fragments
- No udev rules
- No test suite
- Client supplies a cron file:
- Runs randomly selected number of times per day, from 1440 to 24, to
periodically reseed the client's entropy pool; slight bug.
- Should not be needed
- May present privacy intrusions beyond what would be welcomed by the
user community
- Build logs are clean -- compiles happen at run time
- No subprocesses are spawned from the server; the client is a shell lib/pollinate/ tag
script, so spawns dozens, but the code looked clean
- No real memory management; the server's http handler is quite small and
allocates only stack memory
- Files are written to -- /dev/urandom in both client and server; the
server postinst creates a key and a certificate in /etc/pollen; the
client postinst creates a unique machine identifier in
/var/
- Server-side logging stores the supplied User-Agent string verbatim
without stripping or encoding newline and ] characters, which could
complicate log analysis
- No environment variables are used
- No privileged operations as used
- Encryption use is encapsulated in golang HTTPS support and curl
- Certificate validation is left up to curl
- There is no management of privileges
- All temporary files explicitly managed by the programs are handled
safely
- No WebKit
- No PolicyKit
The code quality of pollen and pollinate is high; maintenance should be
straightforward.
There are a few small issues I'm reporting here because I know Dustin is
eager for feedback and wants to address everything he can:
- is dh_installinit functioning correctly? both pollinate and pollen
postinst have sections like the following:
[...] d/pollen" ] || [ -e "/etc/init/ pollen. conf" ]; then pollen. conf" ]; then
# Automatically added by dh_installinit
if [ -x "/etc/init.
if [ ! -e "/etc/init/
update-rc.d pollen defaults >/dev/null
fi
invoke-rc.d pollen start || exit $?
fi
# End a...