[MIR] Promote puma to main as a pcs dependency

Review for Package: src:puma

[Summary]
puma is a HTTP1.1 server suited for ruby integration (like with pcs).
It seems to be the most popular and production ready alternative,
besides ruby-webrick and thin. Being a web server this is very security
sensitive and has seen many CVEs in the past. Also, the server team
already maintains ruby-webrick in main, which we should get demoted
in the future. The packaging of puma should be updated to the new 6.x
upstream release.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: puma
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
#0 The server team should formulate a plan of how to migrate
   from ruby-webrick to puma for its currently supported packages
   so we can demote ruby-webrick in the future (or comment on why
   this isn't possible)

Required TODOs:
#1 merge new major upstream release 6.x (at least I'd like to see a
   merge from Debian experimental, ideally even the very recent 6.1
   upstream release), hopefully before feature freeze
#2 get ruby-nio4r promoted (LP: #2006464)

Recommended TODOs:
#3 The package should get a team bug subscriber before being promoted
#4 both ruby-webrick and puma will be owned by the Server team.
   puma seems to be superior, can we forumlate a plan of demoting
   ruby-webrick and migrating its reverse-dependencies to puma?
#5 fix OpenSSL deprecation warnings in mini_ssl.c (upstream)
#6 improve flaky test situation
   (especially if it can lead to FTBFS, see Debian bugs below)
#7 improve on some lintian hints (see below)
#8 keep on improving and resolving the s390x test situation

[Duplication]
Problems: There is ruby-webrick in main providing the same functionality.
ruby-webrick seems to be more of a demo/development server, whereas puma seems
to be the much better and more popular choice for production use cases:
https://www.ruby-toolbox.com/categories/web_servers

There are also other HTTP servers in main, like apache. Please see the
discussion in the (deprecated) "thin" MIR for why we won't consider them
duplicates for this use case (the same arguments still hold):
https://bugs.launchpad.net/ubuntu/+source/thin/+bug/1990582/comments/1

Other suspicious packages check (not in main, but ruby-webrick):
rmadison -c main {ruby-async-http,ruby-faye-websocket,ruby-ftw,puma,thin,ruby-webrick,thin}
 ruby-webrick | 1.7.0-3 | jammy-updates | source, all
 ruby-webrick | 1.7.0-3 | kinetic | source, all
 ruby-webrick | 1.7.0-4 | lunar | source, all
 ruby-webrick | 1.8.1-1 | lunar-proposed | source, all

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- other Dependencies to MIR due to this: ruby-nio4r (LP: #2006464)

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints ...

Replying to Lukas comments:

#0: I do not think we should demote ruby-webrick, in practice, ruby-webrick is not used in production systems but it is heavily used in tests and very basic scenarios. Moving all packages depending in ruby-webrick to puma would not be easy nor maintainable in a long term. Many packages are still relying o ruby-webrick because it was part of the standard ruby library not so long ago. In short, I believe we should keep both in main (ruby-webrick and puma), I wouldn't say they support the same use cases.

#1: puma 6 is not supported by the current rails version we have in the archive. For now, I'll be merging the latest version in debian unstable. Once debian is released the rails 7 transition will start and we will be able to move to puma 6.

#2: Waiting for review.

#3: I am going to subscribe the server team.

#4: As I mentioned in #0 let's not demote ruby-webrick, they do not cover the same use cases. Moreover, libruby3.1 depends on ruby-webrick (also ruby-ethon which is part of the pcs MIR), which would pull it into main.

#5: Those fixes are present in version 6. I would prefer to wait for version 6 instead of maintaining big patches in the source package, would that be OK? If not we can try to apply the patches in the version we have.

#6: We and debian maintainers have been in touch with upstream to improve the situation of those flaky tests. In general, it is hard because our builders have some specific constraints and set of resources which is different than debian and the expectation of the upstream maintainers. I'll keep pushing this.

#7: I'll try to fix them.

#8: The test failure in s390x does not seem to get much traction with upstream, they do not have the hardware to debug it. Not sure exactly how to push this forward. At least this is a single test failure.

I reviewed puma 5.6.5-3ubuntu1 as checked into lunar. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> A Ruby/Rack web server built for parallelism

- CVE History:
  - 9 past CVEs (not 12)
    - CVE-2019-16770, CVE-2020-5247, CVE-2020-5249, CVE-2020-11076, CVE-2020-11077, CVE-2021-29509, CVE-2021-41136, CVE-2022-23634, and CVE-2022-24790
    - https://github.com/puma/puma/security/advisories
    - most are HTTP protocol implementation errors
  - security related issues in History.md
  - project has a Security Policy and publishes Security Advisories \o/
  - upstream has a history of making security patches for the current and previous major version \o/
  - GitHub issue and PR tracker are well maintained
  - https://github.com/puma/puma/issues/2789 needs to be resolved
  - Puma::MiniSSL is middleware for OpenSSL
    - https://github.com/puma/puma/issues/2188
    - "Puma has not active maintainer for it's Java code."
  - note that https://github.com/puma/puma/issues/2081 is not inherently a security issue
- Build-Depends?
  - lunar main
     - debhelper-compat (debhelper)
     - curl
     - libssl-dev (openssl)
     - rake
     - ruby-minitest-stub-const (ruby)
  - lunar universe
     - gem2deb
     - ruby-nio4r (in MIR)
     - ruby-ffi (in MIR)
     - ruby-localhost
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - ./lib/puma/systemd.rb
  - initiliazes Puma by triggering Puma::Events to manage Puma:Server
  - SdNotify.watchdog optionally implemented for keep-alive notifications
  - intervable can be set with ENV WATCHDOG_USEC
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - ./usr/bin/puma
  - ./usr/bin/pumactl
  - ./usr/lib/x86_64-linux-gnu/rubygems-integration/3.1.0/gems/puma-5.6.5/bin/puma
  - ./usr/lib/x86_64-linux-gnu/rubygems-integration/3.1.0/gems/puma-5.6.5/bin/pumactl
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - contains build tests
    - some tests are, reasonably, skipped for missing optional dependencies
    - two tests skipped for "failing in Ubuntu autopkgtest env"
      - looks o-k from changelog notes
  - arm64 no longer passes autopkgtests as reported in initial MIR
- cron jobs?
  - none
- Build logs:
  - nothing beyond MIR Team's lintian findings

- Processes spawned?
  - JRuby exec ignored for MIR
  - Puma::Launcher's use Kernel.exec() is assumed to have trusted input
    - exec set with Puma::Configuration options or ran for bundler
  - Puma::Rack arguments, --eval and --builder, are also assumed to have trusted input
- Memory management?
  - most memory use is standard Ruby, but Puma's MiniSSL contians C code in ./ext/puma_http11/
  - malloc, free, and memcpy use appear safe
- File IO?
  - quite a bit of Ruby file IO -- appears okay in input is trusted
  - chmod and chown in binder looks safe
  - see temp section below
- Logging?
  - mostly defined in Puma::CommonLogger and Puma::ErrorLogger which other files build on
    - Puma::CommonLogger attempts to use built in logger, but it appears other loggers like Rack::CommonLogger
    - Puma::ErrorLogger appears t...

Showing up in component mismatch now as planned.

Promoted together with the full PCS stack, details see https://bugs.launchpad.net/ubuntu/+source/pcs/+bug/1953341/comments/13