[MIR] fdk-aac-free

Bug #1977614 reported by Jeremy Bícha
This bug affects 3 people
Affects: fdk-aac-free (Ubuntu) | Status: Incomplete | Importance: Undecided | Assigned to: Jeremy Bícha | Milestone: (none)

Bug Description

[Availability]
The package fdk-aac-free is already in Ubuntu universe.

The package fdk-aac-free builds for the architectures it is designed to work on.
It currently builds and works for all Ubuntu architectures except i386 (where it is not needed).
Link to package https://launchpad.net/ubuntu/+source/fdk-aac-free

[Rationale]
- fdk-aac-free is required by gnome-remote-desktop to allow audio forwarding from the Ubuntu desktop host to the remote client.

- It would be great and useful to have fdk-aac-free in Ubuntu main, but there is no definitive deadline.

[Security]
- No CVEs/security issues in this software in the past

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no open bug reports except for this MIR and a "move to main" bug in Debian
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/fdk-aac (the older library this was forked from)
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=fdk-aac
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run tests at build time because upstream doesn't provide one

- The package runs an autopkgtest, and is currently passing on all architectures (except i386), link to test logs:
https://autopkgtest.ubuntu.com/packages/fdk-aac-free

- A manual test case has been added to this wiki page:
https://wiki.ubuntu.com/DesktopTeam/TestPlans/RemoteDesktop

[Quality assurance - packaging]
- debian/watch is present. It wasn't working so I pushed a trivial fix to the Salsa packaging repo.

- No significant Lintian warnings or errors (see comment 6)

- Lintian overrides are not present

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions

- Packaging and build is easy, link to d/rules
https://salsa.debian.org/multimedia-team/fdk-aac-free/-/blob/debian/latest/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be desktop-packages
- Team is not yet, but will subscribe to the package before promotion

- This does not use static builds
- This does not use vendored code

- The package successfully built during the most recent test rebuild

[Background information]
The Package description explains the package well
Upstream Name is fdk-aac
Link to upstream project https://github.com/mstorsjo/fdk-aac

However, we are using Fedora's forked version. The upstream can be found at
https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped

fdk-aac is currently in Debian non-free. It has been in the Debian NEW queue since January 2022 waiting for ftpmasters to review it for a move to Debian main. Some discussion (from people who aren't ftpmasters) at https://bugs.debian.org/981285
In mid-2023, we decided to rename the source package to fdk-aac-free and reuploaded to Debian NEW but there still has not been any comment from ftpmasters. Meanwhile, the renamed source package was accepted into Ubuntu universe.

Compared to the original fdk-aac, the Fedora fork strips the newer High Efficiency and High Efficiency v2 profiles with very low bitrates. Those profiles would not have been used by gnome-remote-desktop anyway since gnome-remote-desktop uses 96 kbps for its AAC implementation.

Jeremy Bícha (jbicha) wrote :

I apologize for the delay. I added the manual test case now since the first release of gnome-remote-desktop with this feature was just released.

This is a lower priority than our other desktop MIRs for Ubuntu 22.10.

description: updated
Jeremy Bícha (jbicha)
description: updated
Lukas Märdian (slyon)
Changed in fdk-aac (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Lukas Märdian (slyon)
tags: added: fr-2597
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in fdk-aac (Ubuntu):
status: New → Confirmed
Lukas Märdian (slyon) wrote :

Review for Package: src:fdk-aac

[Summary]
fdk-aac is a high quality and (arguably?) open source AAC codec from Fraunhofer
IIS. The OSS license does not cover certain patented functionality. The package
is in good shape and can be used for gnome remote desktop sharing.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: aac-enc, libfdk-aac2
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
- AA to check the license/patent situation, see https://bugs.debian.org/981285
- Parses data formats (audio) from an untrusted source, therefore I'll assign
  ~ubuntu-security for a review.

Required TODOs:
#0 Upstream does not provide a test-suite, but please add any type of automated
testing in addition to the manual test plan. At least something simple like this:
https://sources.debian.org/src/libxcb/1.15-1/debian/tests/build/?hl=2#L2 to
verify the lib is installed correctly and can be linked against.

#1 And maybe some additional testing using aac-enc to convert a simple .wav
to .aac, verifying the checksums.

Recommended TODOs:
#2 The package should get a team bug subscriber before being promoted
#3 does NOT have a non-trivial test suite that runs as autopkgtest:
=> Manual test plan provided: https://wiki.ubuntu.com/DesktopTeam/TestPlans/RemoteDesktop
#4 Some of the lintian remarks seem easy enough, we could try to help Debian with those:
I: fdk-aac source: older-debian-watch-file-standard 3 [debian/watch]
I: libfdk-aac2: symbols-file-missing-build-depends-package-field libfdk-aac.so.2 [symbols]
I: fdk-aac source: quilt-patch-missing-description [debian/patches/add_more_arch]
#5 Try to help upstream with some of the build time warnings:
warning: macro "__DATE__/__TIME__" might prevent reproducible builds [-Wdate-time]
warning: type '...' violates the C++ One Definition Rule [-Wodr]

[Duplication]
There is no other package in main providing the same functionality.
There are several AAC encoders available in Ubuntu, but none in main so far.
FDK AAC seems to be the highest quality option and therefore a good choice.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), e...


Changed in fdk-aac (Ubuntu):
assignee: Lukas Märdian (slyon) → Ubuntu Security Team (ubuntu-security)
Steve Beattie (sbeattie)
tags: added: sec-1244
Seth Arnold (seth-arnold) wrote :

Hello, this is just a note that the security team is unlikely to review this in time for 22.10. Sorry.

Jeremy Bícha (jbicha) wrote :

I'm unassigning Security. I am going to repackage Fedora's version of fdk-aac soon so it's probably best to not put in more work here until that is done.

Changed in fdk-aac (Ubuntu):
status: Confirmed → Incomplete
assignee: Ubuntu Security Team (ubuntu-security) → nobody
assignee: nobody → Jeremy Bícha (jbicha)
Jeremy Bícha (jbicha)
affects: fdk-aac (Ubuntu) → fdk-aac-free (Ubuntu)
summary: - [MIR] fdk-aac
+ [MIR] fdk-aac-free
Jeremy Bícha (jbicha)
description: updated
Changed in fdk-aac-free (Ubuntu):
status: Incomplete → New
status: New → Confirmed
assignee: Jeremy Bícha (jbicha) → nobody
Jeremy Bícha (jbicha) wrote :

The Lintian warnings have been cleaned up. debian/upstream/metadata is pointing to the Gitlab fork which does not have bug tracking enabled.

I: fdk-aac-free source: adopted-extended-field (in section for source) XSBC-Original-Maintainer [debian/control:5]
I: aac-enc: possible-documentation-but-no-doc-base-registration
I: fdk-aac-free source: upstream-metadata-missing-bug-tracking [debian/upstream/metadata]
P: fdk-aac-free source: maintainer-manual-page [debian/aac-enc.1]

description: updated
Lukas Märdian (slyon) wrote :

This should be unblocked for security review, while jbicha will work to resolve the #0 & #1 MIR testing requirements in parallel.

Changed in fdk-aac-free (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Jeremy Bícha (jbicha) wrote (last edit ):

I have added an autopkgtest for fdk-aac-free based on a new fdk-aac test that they run in their CI which tests different ways of encoding and decoding AAC files.

The autopkgtest is not using checksums because the checksums vary on every architecture and I am not certain that they would not change when ffmpeg changes.

I updated the bug description to mention that autopkgtests are provided and are passing now.

description: updated
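The autopkgtest discussion in the two comments above (the review's suggestion to compare checksums of aac-enc output, and the later note that checksums vary per architecture and may change with ffmpeg) leaves open what a stable automated check could look like. The following is an added example, not code from fdk-aac-free, its Debian packaging or its autopkgtest: rather than hashing encoder bytes, it walks the ADTS framing that aac-enc writes (this example assumes ADTS output, the default transport for aac-enc) and verifies the fields that must not vary between builds: sync word, layer, profile, sampling rate, channel configuration, and frame lengths that exactly tile the file. The three-frame stream it checks is constructed inline from dummy payloads; the header layout follows the ADTS definition in ISO/IEC 14496-3. The same bounds checks on aac_frame_length are what any consumer of untrusted .aac input must apply before trusting the header, which is the concern that sent this package to security review.

```python
"""Structural validation of an ADTS (.aac) stream.

Added example (not code from fdk-aac-free, its packaging, or its autopkgtest).
The sample stream is constructed here, not captured from an encoder.
"""

# ISO/IEC 14496-3 sampling_frequency_index table (13, 14 reserved; 15 is the
# escape value, which ADTS does not permit).
SAMPLE_RATES = [96000, 88200, 64000, 48000, 44100, 32000, 24000, 22050,
                16000, 12000, 11025, 8000, 7350]
ADTS_HEADER_LEN = 7   # fixed + variable header, no CRC
ADTS_CRC_LEN = 2      # appended when protection_absent == 0


def build_adts_frame(payload, profile=1, sr_index=4, channels=2):
    """Construct one ADTS frame (7-byte header, no CRC) around `payload`.

    `profile` is the MPEG-4 audio object type minus one (1 == AAC LC).
    """
    frame_len = ADTS_HEADER_LEN + len(payload)
    if frame_len >= 1 << 13:
        raise ValueError("payload too large for the 13-bit aac_frame_length")
    h = 0xFFF                    # syncword
    h = (h << 1) | 0             # ID: 0 = MPEG-4
    h = (h << 2) | 0             # layer: always 0
    h = (h << 1) | 1             # protection_absent: 1 = no CRC follows
    h = (h << 2) | profile
    h = (h << 4) | sr_index
    h = (h << 1) | 0             # private_bit
    h = (h << 3) | channels      # channel_configuration
    h = (h << 4) | 0             # original/copy, home, copyright id bit + start
    h = (h << 13) | frame_len    # aac_frame_length, header included
    h = (h << 11) | 0x7FF        # adts_buffer_fullness: 0x7FF marks VBR
    h = (h << 2) | 0             # number_of_raw_data_blocks_in_frame - 1
    return h.to_bytes(ADTS_HEADER_LEN, "big") + bytes(payload)


def parse_adts_header(buf, off):
    """Decode the ADTS header at `off`; raise ValueError on any inconsistency."""
    if off + ADTS_HEADER_LEN > len(buf):
        raise ValueError("truncated header at offset %d" % off)
    h = int.from_bytes(buf[off:off + ADTS_HEADER_LEN], "big")
    if (h >> 44) != 0xFFF:
        raise ValueError("bad syncword at offset %d" % off)
    if (h >> 41) & 0x3 != 0:
        raise ValueError("layer must be 0 at offset %d" % off)
    protection_absent = (h >> 40) & 1
    sr_index = (h >> 34) & 0xF
    if sr_index >= len(SAMPLE_RATES):
        raise ValueError("reserved sampling_frequency_index %d at offset %d"
                         % (sr_index, off))
    header_len = ADTS_HEADER_LEN + (0 if protection_absent else ADTS_CRC_LEN)
    frame_len = (h >> 13) & 0x1FFF
    # Both checks matter for untrusted input: a frame_length smaller than the
    # header or running past the buffer is the classic out-of-bounds trigger.
    if frame_len < header_len:
        raise ValueError("aac_frame_length %d smaller than header at offset %d"
                         % (frame_len, off))
    if off + frame_len > len(buf):
        raise ValueError("frame at offset %d runs past end of stream" % off)
    return {
        "offset": off,
        "crc": not protection_absent,
        "profile": (h >> 38) & 0x3,
        "sample_rate": SAMPLE_RATES[sr_index],
        "channels": (h >> 30) & 0x7,
        "frame_length": frame_len,
        "raw_blocks": (h & 0x3) + 1,
    }


def walk_adts(buf):
    """Return the header of every frame; frames must tile the buffer exactly."""
    frames, off = [], 0
    while off < len(buf):
        hdr = parse_adts_header(buf, off)
        frames.append(hdr)
        off += hdr["frame_length"]
    return frames


def check_stream(buf, sample_rate, channels, min_frames=1):
    """Autopkgtest-style check: every frame carries the expected parameters.

    Returns the frame count so a test can also assert the stream is not empty.
    """
    frames = walk_adts(buf)
    if len(frames) < min_frames:
        raise ValueError("only %d frame(s), expected at least %d"
                         % (len(frames), min_frames))
    for f in frames:
        if f["sample_rate"] != sample_rate or f["channels"] != channels:
            raise ValueError("frame at offset %d is %d Hz / %d ch"
                             % (f["offset"], f["sample_rate"], f["channels"]))
    return len(frames)


def demo_stream():
    """Constructed three-frame 44.1 kHz stereo AAC-LC stream (dummy payloads)."""
    return b"".join(build_adts_frame(p) for p in
                    (b"\x01\x02\x03", b"\x04" * 10, b"\x05\x06"))


if __name__ == "__main__":
    print("frames:", check_stream(demo_stream(), 44100, 2))
    for bad in (demo_stream()[:-3], b"\x00" + demo_stream()):
        try:
            walk_adts(bad)
        except ValueError as e:
            print("rejected:", e)
```

In an autopkgtest the `demo_stream()` call would be replaced by reading the file aac-enc produced from a generated .wav, with `sample_rate` and `channels` set to the values the test fed the encoder; the pass condition is then independent of the exact compressed bytes, so it survives architecture differences and encoder updates, while still failing on an empty, truncated or mis-framed output.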
Jorge Sancho Larraz (jslarraz) wrote :

Hi

I started to work on the security review for fdk-aac-free. I have not finished the review yet but I wanted to point out already that there has not been any activity in [fdk-aac-stripped](https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped) for almost two years. Even this simple [merge request](https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/-/merge_requests/2) (to document which parts have been stripped and add a sentence about the Fedora legal team review) has been waiting for 7 months with no response.

That makes fdk-aac-free look basically unmaintained, raising potentially serious maintenance concerns for us.

Jeremy Bícha (jbicha) wrote :

Jorge, thank you for your work here and comment.

The ultimate upstream source is https://github.com/mstorsjo/fdk-aac which had a release recently. I think we need to manually merge the new version if Fedora's fork is not going to be maintained.

Mark Esler (eslerm) wrote :

Could fdk-aac-free be brought up to date for review? That would resolve the maintainability story.

Jeremy Bícha (jbicha) wrote :

Mark and Jorge, I reached out to Fedora to ask them to update but I don't expect action will happen soon enough for our needs.

The Ubuntu Desktop team can likely rebase fdk-aac-free to 2.0.3 but we don't have time to do it this week.

Mark Esler (eslerm) wrote :

The upstream chain for fdk-aac-free is precarious.

The Debian package fdk-aac-free watches https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/ This version specifically removes the HE (High Efficiency) and HEv2 profiles which have patent concerns (see README.fedora).

This version does not regularly sync from upstream: https://sourceforge.net/projects/opencore-amr/ Note that https://github.com/mstorsjo/fdk-aac is a downstream of Fraunhofer's code distributed on https://android.googlesource.com/platform/external/aac

Jorge has reported a potential vulnerability to https://github.com/mstorsjo/fdk-aac/issues/167 and to Android's VRP. Android responded saying that they require a PoC and directed Jorge to https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs

fdk-aac-free is not being maintained by syncing with upstream which may contain security patches. Reporting issues about fdk-aac has so far been fruitless.

Security could conclude our MIR now, but I suggest that fdk-aac-free is reviewed next cycle if the owning team plans to work with fdk-aac-free. Note that Fedora is also invested in fdk-aac-free and may share concerns if made aware.

Side note: iiuc, the advantage of fdk-aac is that it works well on low resource systems, like cell phones and possibly for remote desktop. This advantage may not exist if HE profiles are stripped. If that is the case, there are aac alternatives.

Changed in fdk-aac-free (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Jeremy Bícha (jbicha)
status: Confirmed → Incomplete
Seth Arnold (seth-arnold) wrote :

It's on the security team's todo list to try to bring issues discovered during the MIR to the attention of the Fraunhofer team. Hopefully they'll be more receptive than the Android team.

It sounds like there are open questions if this is actually useful for us; is the version without the efficiency codecs actually solving a problem?

Thanks
