Review for Source Package: ubuntu-x1e-settings [Summary] This is a Ubuntu native package shipping specific configuration snippets for hardware enablement of Snapdragon X Elite laptops.
MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs. This does not need a security review, back to "Incomplete" for the reporter to fix the below listed issues. List of specific binary packages to be promoted to main: - hwe-qcom-x1e-meta - ubuntu-x1e-settings - ubuntu-x1e-settings-nogrub Specific binary packages built, but NOT to be promoted to main: <None Notes: #0 No security review needed, as this package is shipping minimalistic config changes, that affect only the specific platform. Required TODOs: #1 Testing story is lacking => please provide specific, written down test plan Can you please build upon (maybe combine?) with the X13s testing? https://git.launchpad.net/ubuntu-manual-tests/commit/testcases?id=75f9f83fe450b9089b225424b7fe430d3aa6063f To have something written down, so that this is tested regularly, maybe extend it, e.g. checking for touchscreen, networking/MAC, bluetooth functionality. And maybe also covering cases of the untested "flash-kernel" and "protection-domain-mapper" dependencies. #2 please explain and give rationale for the "snap channels" in debian/ubuntu-x1e-settings.postinst, as this seems to be swapping out the whole stacks of GNOME/Mesa, which might lead to a different experience than stock Ubuntu. => snap refresh --channel adreno/stable --no-wait gnome-42-2204 => snap refresh --channel beta/kisak --no-wait mesa-2404 Recommended TODOs: #3 The package should get a team bug subscriber before being promoted #4 Consider making this an arch "all" package, as it doesn't seem to ship and arch specific code/binary #5 Fix some of the lintian warnings/suggestions: W: ubuntu-x1e-settings-nogrub: debian-changelog-line-too-long (The given line of the latest changelog entry is over 80 columns.) I: ubuntu-x1e-settings source: duplicate-short-description ubuntu-x1e-settings ubuntu-x1e-settings-nogrub I: ubuntu-x1e-settings source: out-of-date-standards-version 4.6.2 (released 2022-12-17) (current is 4.7.0) X: ubuntu-x1e-settings: package-contains-no-arch-dependent-files X: ubuntu-x1e-settings-nogrub: package-contains-no-arch-dependent-files [Rationale, Duplication and Ownership] - There is no other package in main providing the same functionality. => There is ubuntu-x13s-settings, for similar but different hardware - A team is committed to own long term maintenance of this package. => ~foundations-bugs - The rationale given in the report seems valid and useful for Ubuntu [Dependencies] - no other Dependencies to MIR due to this - SRCPKG checked with `check-mir` - all dependencies can be found in `seeded-in-ubuntu` (already in main) - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main - no -dev/-debug/-doc packages that need exclusion => binaries exist for arm64 only (as expected) Problems: - Dependencies in main that are only superficially tested (no dep8) requiring more tests now: protection-domain-mapper, flash-kernel [Embedded sources and static linking] OK: - no embedded source present - no static linking - does not have unexpected Built-Using entries - not a go package, no extra constraints to consider in that regard - not a rust package, no extra constraints to consider in that regard Problems: None [Security] OK: - history of CVEs does not look concerning - does not run a daemon as root - does not use webkit1,2 - does not use lib*v8 directly - does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source. - does not expose any external endpoint (port/socket/... or similar) - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does not deal with security attestation (secure boot, tpm, signatures) - does not deal with cryptography (en-/decryption, certificates, signing, ...) - this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...) Problems: - process "arbitrary" web content (debian/ubuntu-x1e-settings.postinst) => snap refresh --channel adreno/stable --no-wait gnome-42-2204 => snap refresh --channel beta/kisak --no-wait mesa-2404 [Common blockers] OK: - does not FTBFS currently - This does seem to need special HW for build or test so it can't be automatic at build or autopkgtest time. But as outlined by the requester in [Quality assurance - testing] there: - is hardware and a test plan or code - no new python2 dependency Problems: - does not have a test suite that runs at build time - does not have a non-trivial test suite that runs as autopkgtest => please provide specific test plan [Packaging red flags] OK: - Ubuntu does carry a delta, but it is reasonable and maintenance under control => native Ubuntu package - symbols tracking not applicable for this kind of code. - debian/watch is not present but also not needed (e.g. native) - Upstream update history is (N/A) - the current release is packaged - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - debian/rules is rather clean - It is not on the lto-disabled list Problems: - Debian/Ubuntu update history is (sporadic) => new package - lintian suggestions: W: ubuntu-x1e-settings-nogrub: debian-changelog-line-too-long (The given line of the latest changelog entry is over 80 columns.) I: ubuntu-x1e-settings source: duplicate-short-description ubuntu-x1e-settings ubuntu-x1e-settings-nogrub I: ubuntu-x1e-settings source: out-of-date-standards-version 4.6.2 (released 2022-12-17) (current is 4.7.0) X: ubuntu-x1e-settings: package-contains-no-arch-dependent-files X: ubuntu-x1e-settings-nogrub: package-contains-no-arch-dependent-files [Upstream red flags] OK: - no Errors/warnings during the build - no incautious use of malloc/sprintf (the language has no direct MM) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests) - no use of user nobody - no use of setuid / setgid - no important open bugs (crashers, etc) in Debian or Ubuntu - no dependency on webkit, qtwebkit or libseed - not part of the UI for extra checks - no translation present, but none needed for this case (user visible)? Problems: - arch "arm64" vs arch "all", it doesn't seem to ship and arch specific binary ** Changed in: ubuntu-x1e-settings (Ubuntu) Assignee: Lukas Märdian (slyon) => Tobias Heider (tobhe) ** Changed in: ubuntu-x1e-settings (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2095536 Title: [MIR] ubuntu-x1e-settings To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-x1e-settings/+bug/2095536/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
