[MIR] libqrtr-glib

Bug #1963707 reported by Sebastien Bacher
Affects: libqrtr-glib (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned
Milestone: none

Bug Description

[Availability]
The package libqrtr-glib is already in Ubuntu universe.
The package libqrtr-glib builds for the architectures it is designed to work on.
It currently builds and works for the architectures: amd64 armhf arm64 ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/libqrtr-glib

[Rationale]
- The package libqrtr-glib is required in Ubuntu main for modemmanager to support Qualcomm modems. We currently carry a delta over Debian to disable that option.
- The package libqrtr-glib will be useful only to users owning such hardware but even if that's a limited set of users it's important for us to have Ubuntu supporting the available hardware.

- It would be great and useful to community/processes to have the package libqrtr-glib in Ubuntu main, but there is no definitive deadline.

[Security]
- No CVEs/security issues in this software in the past

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no open bugs currently
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libqrtr-glib/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libqrtr-glib

[Quality assurance - testing]
- The package runs a minimal test suite at build time; if it fails it makes the build fail. Link to build log: https://launchpadlibrarian.net/587268179/buildlog_ubuntu-jammy-amd64.libqrtr-glib_1.2.2-1_BUILDING.txt.gz

- There is a basic build autopkgtest for the library
https://autopkgtest.ubuntu.com/packages/libq/libqrtr-glib

- testplan

On a computer with a QRTR modem in an Ubuntu session, open the settings, check that the modem panel correctly describes the device and available SIM. Try to connect to a carrier and use the data connection.

Our Desktop and oem teams don't have access to compatible hardware at the moment to go through the testplan.

The Certification Team owns some IoT hardware with Qualcomm modems though and we are working with them to see if those could be used to do our testing, but the setup is somewhat challenging (available only via testflinger, the devices are using UC20 and Ubuntu Server on focal and we can't revert the state remotely if needed; also SIM card availability is limited).

As a result we currently cannot commit to validating the testplan on updates, but we are working on trying to resolve the situation.

We believe we have exercised the different options available to provide testing without managing to find a solution. We will keep trying to resolve the testing gap, but meanwhile we would still like to request for the package to be considered, because we can't provide the feature as an opt-in/in universe since it's a build option of modemmanager and not an independent plugin.

Due to the nature, integration and use cases of the package, the consequences of a regression that might slip through most likely would be that Qualcomm modems stop working correctly.

[Quality assurance - packaging]
- debian/watch is present and works
- This package only has a minor lintian warning
- Link to recent build log including a lintian run

# lintian --pedantic
running with root privileges is not recommended!
W: libqrtr-glib source: superfluous-file-pattern debian/copyright docs/reference/meson.build (Files, line 28)

- Lintian overrides are present, but only to silence warnings about gtk-doc being outside of /usr/share/doc
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions

- Packaging and build is easy, link to d/rules https://salsa.debian.org/DebianOnMobile-team/libqrtr-glib/-/blob/debian/master/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be desktop-packages
- Team is not yet, but will subscribe to the package before promotion

- This does not use static builds
- This does not use vendored code

[Background information]
The package description explains the package well
Upstream Name is libqrtr-glib
Link to upstream project https://www.freedesktop.org/software/libqmi/libqrtr-glib/

description: updated
Revision history for this message
Sebastien Bacher (seb128) wrote :

Setting as low priority and incomplete; we will eventually want it but we can disable the build option for now. The autopkgtest situation probably needs to be sorted out first. Also it's unclear what hardware requires it, but we haven't seen a demand for it yet.

Changed in libqrtr-glib (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Revision history for this message
Jeremy Bícha (jbicha) wrote :

libqmi is stuck in jammy-proposed because it added a dependency on libqrtr-glib for the same reasons.

tags: added: update-excuse
tags: added: jammy
Jeremy Bícha (jbicha)
Changed in libqrtr-glib (Ubuntu):
status: Incomplete → Confirmed
status: Confirmed → Incomplete
description: updated
Changed in libqrtr-glib (Ubuntu):
status: Incomplete → New
description: updated
description: updated
Changed in libqrtr-glib (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Revision history for this message
Lukas Märdian (slyon) wrote :

Review for Package: src:libqrtr-glib

[Summary]
libqrtr-glib is a glib-based library to use and manage the QRTR (Qualcomm
IPC Router) bus. It seems to be in a good shape upstream and was included in
Debian/Ubuntu just recently (2022).

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main:
- gir1.2-qrtr-1.0, libqrtr-glib-dev, libqrtr-glib-doc, libqrtr-glib0
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
- libqrtr parses packets received from the modem, so I'm signing it up for a
  security review

Required TODOs:
#1 Can we please define a better testing story for this package?
Both automatic tests provided (build-time & autopkgtests) are only superficial.
I understand that an end-to-end test would require special HW (compatible
qualcomm modem), so we should probably define a proper test-plan to be run
manually every cycle. Can you please provide a test plan/script/log in the
comments below?

Recommended TODOs:
#2 The package should get a team bug subscriber before being promoted
#3 please run `update-maintainer` on the package (or sync once the autopkgtest
is uploaded to Debian).

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - checked with check-mir
  - not listed in seeded-in-ubuntu
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- parses data formats (packets received from the kernel's QRTR socket)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- no new python2 dependency

Problems:
- build-time tests only check the documentation, not the actual library
- only has a superficial test that runs as autopkgtest
- special HW (compatible qualcomm modem) needed to do full end-to-end testing

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
  - also, submitted to Debian: https://bugs.debian.org/1011354
- symbols tracking is in place
- d/watch is prese...


Changed in libqrtr-glib (Ubuntu):
assignee: Lukas Märdian (slyon) → Ubuntu Security Team (ubuntu-security)
Steve Beattie (sbeattie)
tags: added: sec-1057
Revision history for this message
Sebastien Bacher (seb128) wrote :

The description has been updated with a simple manual testplan now, which was the required TODO item. We will try to see if we can get some hardware available for that testing.

On the other TODO items, desktop-packages is subscribed now and we will use update-maintainer on the next upload; doing an upload only for that change now doesn't seem worth it though.

It should be ready from a MIR perspective, pending the security review.

description: updated
Revision history for this message
Lukas Märdian (slyon) wrote :

Thanks! MIR team ACK, using the testplan provided in the description.
Please try to get the hardware so the testplan can actually be executed.

I'm fine with deferring `update-maintainer` to the next upload/sync.

Revision history for this message
Mark Esler (eslerm) wrote :

I reviewed libqrtr-glib 1.2.2-1ubuntu1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability. I do not have a Qualcomm modem to test this package with.

> libqrtr-glib is a glib-based library to use and manage the QRTR (Qualcomm IPC Router) bus.

- CVE History:
  - none
- build-depends
  - primarily glib2 and linux/qrtr
  - linux-vdso.so.1
  - libglib-2.0.so.0
  - libgio-2.0.so.0
  - libgobject-2.0.so.0
  - libc.so.6
  - libpcre.so.3
  - libm.so.6
  - libgmodule-2.0.so.0
  - libz.so.1
  - libmount.so.1
  - libselinux.so.1
  - libffi.so.8
  - ld-linux-x86-64.so.2
  - libblkid.so.1
  - libpcre2-8.so.0
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - basic build test
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011354
  - see MIR teams testing requirements
- cron jobs?
  - none
- build logs:
  - no build errors or warnings
  - no lintian errors or warnings

- processes spawned?
  - none
- memory management?
  - looks sane
  - no direct use of memory copy functions
- file IO?
  - none
- logging?
  - only debug and error messages using gio
- environment variable usage?
  - none
- use of privileged functions?
  - none
- use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - qrtr-bus.c and qrtr-client.c make heavy use of sockets and gsocket
  - many safety checks--e.g., message lengths and types
- use of WebKit?
  - none
- use of PolicyKit?
  - none

- significant cppcheck results?
  - none
- significant Coverity results?
  - none
  - two false positive resource leaks
    - fd handled by gio's g_socket_new_from_fd
- significant shellcheck results?
  - none
- significant bandit results?
  - none

For security to do updates, owning team needs to make a firm commitment to testing.

Security team ACK for promoting libqrtr-glib to main.

Mark Esler (eslerm)
Changed in libqrtr-glib (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in libqrtr-glib (Ubuntu):
status: New → In Progress
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Actually incomplete.
JBicha will check how close we are to getting the HW we need for testing to be doable.

Changed in libqrtr-glib (Ubuntu):
status: In Progress → Fix Committed
status: Fix Committed → Incomplete
Revision history for this message
Sebastien Bacher (seb128) wrote :

why did having the hardware become a requirement now when we got an ack before?

also even if the hardware support is not working as expected, how is that worse than not having it available?

I pinged the oem team since we don't have budget to buy hardware for that in desktop but if they can't help does it mean we are stuck to not have the hardware support available for our users just because we don't own similar hardware ourselves?

Revision history for this message
Lukas Märdian (slyon) wrote :

Sorry, we had to withdraw the initial ACK, as we learned that the hardware to run the manual test plan is not yet available.

This requirement is fairly new, as we started requiring testing around any (new) package in "main", which also applies to the manual test plan, which is already a fallback of the much preferred automated testing story. If a team committed to running the manual test plan, but has no hardware available, the test plan is kind of useless.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

The earliest I find for the test plan requirement is 2021-08-31:

https://wiki.ubuntu.com/MainInclusionProcess?action=diff&rev1=43&rev2=44

So yes, it's relatively new.

Revision history for this message
Sebastien Bacher (seb128) wrote :

I've updated the testplan section to give more details about the current situation

description: updated
description: updated
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

There has been no further update for too long, so for now we consider it invalid.
Feel free to re-open if there is effort backing it up and motivation to bring it to main.

Changed in libqrtr-glib (Ubuntu):
status: Incomplete → Invalid
Jeremy Bícha (jbicha)
Changed in libqrtr-glib (Ubuntu):
status: Invalid → Incomplete
Revision history for this message
Sebastien Bacher (seb128) wrote :

I'm going to switch that one back to new to be reconsidered in regard to the updated MIR template https://github.com/canonical/ubuntu-mir/pull/31 ; I've updated the description accordingly.

description: updated
Changed in libqrtr-glib (Ubuntu):
status: Incomplete → New
Changed in libqrtr-glib (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thank you Sebastien
to help others not reading or diffing it that means in regard to
- https://github.com/canonical/ubuntu-mir/issues/30
- https://github.com/canonical/ubuntu-mir/pull/31

You have added
"""
We believe we have exercised the different options available to provide testing without managing to find a solution.
We will keep trying to resolve the testing gap but meanwhile we would still like to request for the package to be considered because we can't provide the feature as an opt-in/in universe since it's a build option from modemmanager but not an independent plugin.
Due to the nature, integration and use cases of the package the consequences of a regression that might slip through most likely would be that Qualcomm modems stop working correctly.
"""

To which, with the new ruling, we'd answer
"""
This does need special HW for thorough testing, but all options to
get this covered have been exhausted and based on demonstration of
enough investigation and proof of why there is currently no other
option it is accepted as-is as a compromise.
The owning team is committed and aware of the implications for
ongoing maintenance.
"""

Thereby the former back and forth on the testing is resolved (not by having it, but by accepting to be unable to do so for now).

Thereby all open required TODOs are fulfilled and this can be promoted.
As it is not yet showing as component mismatch I'm setting "In Progress" state for now.
Feel free to ping back when this is trying to be pulled in, we should also see it on the MIR team meetings check of mismatches then.

Changed in libqrtr-glib (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → nobody
status: New → In Progress
Revision history for this message
Sebastien Bacher (seb128) wrote :

it's on the component mismatch report now

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

All open tasks and discussions (this had quite some, thank you all that participated) have been done.
Also the subscription was done and it is properly owned by the Desktop team now.
Furthermore as Sebastien said it is not in the component mismatch and ready to be promoted.

Changed in libqrtr-glib (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Libqmi (which is what pulls in libqrtr-glib) is ready except for this component mismatch.

While qmi is in proposed adding the depend libqrtr is only in noble-release atm

 libqrtr-glib | 1.2.2-1ubuntu2 | noble/universe | source
 libqmi | 1.32.4-2ubuntu1 | noble | source
 libqmi | 1.34.0-2 | noble-proposed | source

Even the -dev and -doc packages are free of further conflicting dependencies and have been approved above, hence promoting it all.

Override component to main
libqrtr-glib 1.2.2-1ubuntu2 in noble: universe/misc -> main
gir1.2-qrtr-1.0 1.2.2-1ubuntu2 in noble amd64: universe/introspection/optional/100% -> main
gir1.2-qrtr-1.0 1.2.2-1ubuntu2 in noble arm64: universe/introspection/optional/100% -> main
gir1.2-qrtr-1.0 1.2.2-1ubuntu2 in noble armhf: universe/introspection/optional/100% -> main
gir1.2-qrtr-1.0 1.2.2-1ubuntu2 in noble i386: universe/introspection/optional/100% -> main
gir1.2-qrtr-1.0 1.2.2-1ubuntu2 in noble ppc64el: universe/introspection/optional/100% -> main
gir1.2-qrtr-1.0 1.2.2-1ubuntu2 in noble riscv64: universe/introspection/optional/100% -> main
gir1.2-qrtr-1.0 1.2.2-1ubuntu2 in noble s390x: universe/introspection/optional/100% -> main
libqrtr-glib-dev 1.2.2-1ubuntu2 in noble amd64: universe/libdevel/optional/100% -> main
libqrtr-glib-dev 1.2.2-1ubuntu2 in noble arm64: universe/libdevel/optional/100% -> main
libqrtr-glib-dev 1.2.2-1ubuntu2 in noble armhf: universe/libdevel/optional/100% -> main
libqrtr-glib-dev 1.2.2-1ubuntu2 in noble i386: universe/libdevel/optional/100% -> main
libqrtr-glib-dev 1.2.2-1ubuntu2 in noble ppc64el: universe/libdevel/optional/100% -> main
libqrtr-glib-dev 1.2.2-1ubuntu2 in noble riscv64: universe/libdevel/optional/100% -> main
libqrtr-glib-dev 1.2.2-1ubuntu2 in noble s390x: universe/libdevel/optional/100% -> main
libqrtr-glib-doc 1.2.2-1ubuntu2 in noble amd64: universe/doc/optional/100% -> main
libqrtr-glib-doc 1.2.2-1ubuntu2 in noble arm64: universe/doc/optional/100% -> main
libqrtr-glib-doc 1.2.2-1ubuntu2 in noble armhf: universe/doc/optional/100% -> main
libqrtr-glib-doc 1.2.2-1ubuntu2 in noble i386: universe/doc/optional/100% -> main
libqrtr-glib-doc 1.2.2-1ubuntu2 in noble ppc64el: universe/doc/optional/100% -> main
libqrtr-glib-doc 1.2.2-1ubuntu2 in noble riscv64: universe/doc/optional/100% -> main
libqrtr-glib-doc 1.2.2-1ubuntu2 in noble s390x: universe/doc/optional/100% -> main
libqrtr-glib0 1.2.2-1ubuntu2 in noble amd64: universe/libs/optional/100% -> main
libqrtr-glib0 1.2.2-1ubuntu2 in noble arm64: universe/libs/optional/100% -> main
libqrtr-glib0 1.2.2-1ubuntu2 in noble armhf: universe/libs/optional/100% -> main
libqrtr-glib0 1.2.2-1ubuntu2 in noble i386: universe/libs/optional/100% -> main
libqrtr-glib0 1.2.2-1ubuntu2 in noble ppc64el: universe/libs/optional/100% -> main
libqrtr-glib0 1.2.2-1ubuntu2 in noble riscv64: universe/libs/optional/100% -> main
libqrtr-glib0 1.2.2-1ubuntu2 in noble s390x: universe/libs/optional/100% -> main
Override [y|N]? y
29 publications overridden.

Changed in libqrtr-glib (Ubuntu):
status: Fix Committed → Fix Released