Comment 3 for bug 2004449

Revision history for this message
Christian Ehrhardt  (paelzer) wrote (last edit ):

Review for Package: libde265

[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs. This is a bit closer than usual, but since
we have time you can work with upstream on those issues.

This does need a security review, so I'll assign ubuntu-security.
@security - please have a look at the past CVEs, it seemed to me some were
handled slowly, many are still open is that a concern?

List of specific binary packages to be promoted to main: libde265-0, libde265-dev
Specific binary packages built, but NOT to be promoted to main: libde265-examples

Required TODOs:
#1 - Strictly speaking de256 has an encoding functionality, if there would be a
  chance could we use it for both and ignore x265 (or vice versa)?
  Could someone please engage with upstream if that is possible/feasible
  and either modify it to work that way or state and refer to the reasoning
  why it can't work well here?
  Also more common libs like ffmped/libavcodec do this, but they are not in main either :-/
#2 - this lacks build and autopkgtests, please add both to add some to make
  this properly covered and spot issues early on.
#3 - upstream releases are fine, but sporadic. Please confirm that you are ok
  to cover work that might happen due to another downtime of year(s) and that
  you are confident and comfortable to own this package despite that.

Recommended TODOs:
#4 - Lintian warnings https://udd.debian.org/lintian/?packages=libde265
  Could be worth a look to improve on them

[Duplication]
There seems to be no other package in main yet, but one has to wonder x265
AND de265 isn't that too much and duplicate at the current request level?
But while I'd wish we could pick just one, it seems one is better at decoding
and the other at encoding.
From https://github.com/strukturag/libheif:
"libheif makes use of libde265 for HEIF image decoding and x265 for encoding."
de265 was added first, but the git history isn't mentioning in detail why
x265 was added on top other than "for encoding".

While I'd wish we could pick just one, it seems that isn't working well.
I'll add a todo to at least try this and maybe disuss it upstream.
=> There is no other package in main providing the same functionality (kind of).

[Dependencies]
OK:
- libheif will depend on libde265-0 which has no further dependencies outside
  of main
  -> no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion (libde265-dev has just
  libde265-0 as dependency)
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- does parse data formats (images) from untrusted sources
  And that has been an attack vector in the past.
- history of CVEs does look concerning, there was just one CVE but it took
  ~2 years to close it and even then the references weren't updated.
  Furthermore there seem to be just "30 CVEs" fixed in the last version. Might
  be a coincidence, but that is much.
  And there seem to be 35 more open except in the most recent version
  according to
  https://security-tracker.debian.org/tracker/source-package/libde265
  This could be just a red herring with one underlying cause responsible
  for all these issues, but I'd like security to have a look anyway, they will
  know better.

I'd leave the rating of that to the security team, it needs their review anyway.

[Common blockers]
OK:
- does not FTBFS currently
- This does not need special HW for build or test
- no new python2 dependency

Problems:
- does not have a test suite that runs at build time
- does not have a non-trivial test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place it has a few wanrings but on explcitly
  optional symbols
- d/watch is present and looks ok
- Debian/Ubuntu update history is good (matches upstream, and there isn't much
  more one could do)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- Upstream update history is sporadic, there are spikes of 1-4 releases
  in a short time and then nothing for years (like nov 20 -> oct 22).
  That isn't super-bad but indicates that is isn't the most organized
  huge project with regular releases.
- Lintian warnings
  https://udd.debian.org/lintian/?packages=libde265
  Could be worth a look to improve on them

[Upstream red flags]
OK:
- no Errors/warnings during the build (just a few deprecations)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- use of setuid, but ok because TBD (prefer systemd to set those
  for services)
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (not user visible)

Problems:
- usage of allocations, there are a bunch of open "not reproducible" issues
  in regard to allocation, but also issues like
  https://github.com/strukturag/libde265/issues/330
  Individually not super-bad, but together with the CVEs not too great either.