[MIR] realmd

[Summary]
This package is acceptable for MIR, with 2 concerns:

1) There has been no upstream release in years and neither Debian nor
   Ubuntu has actively pulled upstream bug fixes since the last upstream
   release. I would prefer to see more upstream bug fixes pulled into
   the Debian (and/or Ubuntu) package. Obviously, it would also be good
   for upstream to produce a new release, but that's out of scope here.
2) The 'realm' command may install other packages (e.g. adcli or samba)
   as needed, which is not ideal; I would prefer needed packages are
   added as actual dependencies. However, since needed packages can
   vary based on configuration (i.e. adcli or samba), it is arguably
   ok to attempt to install only needed deps from the 'realm' command.
   I would prefer if all packages that might be installed are listed
   as Recommends: so it's clear from the packaging perspective.

This does need a security review, so I'll assign ubuntu-security after
the next MIR team mtg, if the team agrees with my review.

Notes/TODOs:
As I'm new to the MIR team, I am making this approval conditional on
MIR team review of my review at the next MIR team mtg.

[Duplication]
- There is no other package in main providing the same functionality
  - Note: it is possible perform manual configuration/steps for
    similar functionality; this package automates and simplifies much
    of the manual work.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - does have Build-Depends: in universe, but all runtime deps are in main
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
  - Note, see Upstream red flags section
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does parse data formats
- does run a daemon as root
- does deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
    - added forced error to src pkg to verify
- The package has a team bug subscriber
  - MIR requestor is subscribed to all realmd bugs in Ubuntu
- translation is present
- not a python package, no extra constraints to consider int hat regard
  - does include a single python3 script, but used only for build testing
- no new python2 dependency
- not golang package

Problems:
- does not have a test suite that runs as autopkgtest
  - this is probably ok, since there are build-time tests run, and this
    is a relatively simple package

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
  - does not provide any libs
- d/watch is present and looks ok
- the current release is packaged
  - However, as noted in Problems, last upstream relase was ~3.5 years ago
- promoting this does not seem to cause issues for MOTUs that so far
  maintained...

Follow up:

After discussion with MIR team, the issues I identified do need to be addressed, specifically:

1. While we can't force upstream to create a new release, we can pull upstream bug fixes, which I feel should be done. Preferably in Debian, but at minimum upstream bugfix commits should be added to the Ubuntu packages and a Debian bug opened.

2. I believe the realmd package should have any packages that it might 'auto-install' listed in its Recommends:

Additionally, MIR does require that a reliable team does need to subscribe to all the package's bug reports.

And to clarify, after the above is addressed, this still does need a security review.

Having used realmd while updating the Ubuntu Server Guide, I must say it's a very useful tool, and I wouldn't want to join an Active Directory domain without it (and adcli).

This still needs server team agreement for ownership (per comment 2), but while that's being evaluated I'll put this on the security team, to review in parallel.

Ubuntu server is subscribed.

I reviewed realmd 0.16.3-3 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

realmd automates configuring kerberos, ldap, sssd, ipa, etc on the system,
and provides a dbus interface and command line tool.

- CVE History:
  - one cve in our database, CVE-2015-2704, only open in trusty
- Build-Depends: debhelper,
               intltool,
               libglib2.0-dev,
               libkrb5-dev,
               libldap2-dev,
               libpolkit-gobject-1-dev,
               libsystemd-dev,
               pkg-config,
               python3:any,
               xmlto,
               xsltproc
- pre/post inst/rm scripts only automatically added sections
- no init scripts
- systemd unit is dbus activated
- no setuid binaries
- realm binary in PATH
- no sudo fragments
- polkit file allows anyone to discover realms, requires admin account to
  join or part realms, or change local machine login policy
- no udev rules
- extensive tests run during the build
- no cron jobs
- clean build logs

- Spawns processes, given in a configuration file; looked safe
- Memory management is typical glib / freedesktop style, looked safe
- File IO
  - I believe paths to files are constructed dynmically, stored in a
    hashtable at runtime, it's a bit hard to follow
- logging looked careful
- Environment variables PATH, REALM_DEBUG, REALM_PERSIST, LOGNAME are used
  where they make sense, seeemed to be handled well
- No privileged syscall use
- Does not itself do cryptography
- Use of temp files?
  - only temp files are in test code
- Use of networking?
  - very little networking itself, the use of unix sockets for internal
    use, and use of a tcp socket for ldap, looked safe.
- No webkit
- Use of PolicyKit?
  - provides a policykit backend, uses
    polkit_authority_check_authorization_sync() with the flag requesting
    user interaction
- cppcheck results look like false positives
- coverity not checked
- shellcheck not relevant

realmd is a typical freedesktop program written with glib -- it's
abstracted enough that it's a little difficult to follow and get the
overall flow of the program, but every individual line looks fine. Errors
are handled throughout, there's good comments where they help, etc.

It's not my favourite coding style but it is professionally developed and
looks up to task.

I also don't love the packagekit integration: packagekit upstream has
declared it's reached an end, and I'd rather someone configuring their
system for an environment have chosen their packages themselves.

However these aren't deal-breakers.

Security team ACK for promoting realmd to main.

Can someone double-check the function realm_samba_winbind_configure_async()?
I'm afraid the idmap uid, gid, ranges may not be appropriate on
debian/ubuntu systems.

Bug filed while reviewing:

https://gitlab.freedesktop.org/realmd/realmd/-/issues/27

Thank you all, MIR Ack, Security Ack and bug subscription is present - this is ready for promotion as soon as the seed was modified to pull it in.
The same applies to the sibling bug in 1868159

$ ./change-override -c main -S realmd
Override component to main
realmd 0.16.3-3 in groovy: universe/admin -> main
realmd 0.16.3-3 in groovy amd64: universe/admin/optional/100% -> main
realmd 0.16.3-3 in groovy arm64: universe/admin/optional/100% -> main
realmd 0.16.3-3 in groovy armhf: universe/admin/optional/100% -> main
realmd 0.16.3-3 in groovy ppc64el: universe/admin/optional/100% -> main
realmd 0.16.3-3 in groovy riscv64: universe/admin/optional/100% -> main
realmd 0.16.3-3 in groovy s390x: universe/admin/optional/100% -> main
Override [y|N]? y
7 publications overridden.