[MIR] Promote ruby-nio4r to main as a pcs indirect dependency

Review for Package: src:ruby-nio4r

[Summary]
nio4r is a Ruby gem/library that provides asynchronous I/O primitives
for scalable network clients and servers. It is not a full-featured
event framework like EventMachine or Cool.io.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: ruby-nio4r
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
#0 I'm requesting security review, especially for the embedded "libev"
   (and also a bit about the openssl sockets)

Required TODOs:
#1 embedded library source in ext/libev/
   * same version 4.33 is also available as shared library in the
     archive; it should be used instead
   * libev seems to be shipped as source files, please clearify how
     this is being used & if libev from the archive can be used instead

Recommended TODOs:
#2 The package should get a team bug subscriber before being promoted
#3 libev compiler warnings
#4 consider symbols tracking
   * I'm not sure if this is needed or if the .so can only be used internally?)
   * /usr/lib/*/rubygems-integration/*/extensions/*/*/nio4r-2.5.8/nio4r_ext.so
#5 Work with Debian to improve/update some of the lintian warnings (see below)

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems:
- embedded source present: ext/libev/ (same version 4.33 is also
  available as shared library in the archive; it should be used
  instead)
- libev seems to be shipped as source files, please clearify how this
  is being used and if libev from the archive can be used instead

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does open a port/socket
- does deal with cryptography (supports OpenSSL sockets)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test su...

I reviewed ruby-nio4r 2.5.8-2build1 as checked into lunar. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

ruby-nio4r is an asynchronous I/O library designed to be used to build network
clients or servers. It provides both a pure Ruby implementation, using
Kernel.select as the backend, as well as a backend based on the libev library,
and finally when used on JRuby will wrap the Java NIO subsystem on which this
library is designed.

- CVE History:
  - None
- No encryption / network based Build-Depends
  - Does have a vendored copy of libev based on the upstream 4.33 version of
    libev - captured in the Ubuntu CVE tracker via
    https://git.launchpad.net/ubuntu-cve-tracker/tree/boilerplates/libev?id=d2ddece0a26d2930ac6e714aff3cb3718cd2af9d#n7
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - unit tests are run during the build
  - No autopkgtests
- No cron jobs
- Build logs:
  - Some minor warnings during the build of the vendored libev
```
In file included from nio4r_ext.c:6:
../libev/ev.c:2136:31: warning: ‘ev_default_loop_ptr’ initialized and declared ‘extern’
 2136 | EV_API_DECL struct ev_loop *ev_default_loop_ptr = 0; /* needs to be initialised to make it a definition despite extern */
      | ^~~~~~~~~~~~~~~~~~~
../libev/ev.c: In function ‘evpipe_write’:
../libev/ev.c:2798:11: warning: ignoring return value of ‘write’ declared with attribute ‘warn_unused_result’ [-Wunused-result]
 2798 | write (evpipe [1], &counter, sizeof (uint64_t));
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../libev/ev.c:2810:11: warning: ignoring return value of ‘write’ declared with attribute ‘warn_unused_result’ [-Wunused-result]
 2810 | write (evpipe [1], &(evpipe [1]), 1);
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../libev/ev.c: In function ‘pipecb’:
../libev/ev.c:2831:11: warning: ignoring return value of ‘read’ declared with attribute ‘warn_unused_result’ [-Wunused-result]
 2831 | read (evpipe [1], &counter, sizeof (uint64_t));
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../libev/ev.c:2845:11: warning: ignoring return value of ‘read’ declared with attribute ‘warn_unused_result’ [-Wunused-result]
 2845 | read (evpipe [0], &dummy, sizeof (dummy));
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
  - No LINTIAN FAILURES

- No Processes spawned
- Memory management is ruby ;)
- No File IO
- No Logging
- Uses the NIO4R_PURE environment variable to allow a user to choose a pure ruby
  implementation, rather than relying on the libev based backend
- No use of privileged functions
- No use of cryptography / random number sources etc other than in test code
- No use of temp files
- No use of networking other than in test code
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
- No significant Coverity results
- No significant brakeman results
- No significant rubocop results
- No significant shellch...

My comments below regarding Lukas' requests:

#0: Security team already acked the promotion to main in comment #2.

#1: As explained by Alex in comment #2, the embedded version has some changes compared to what we have in the archive, so I'll kindly ask to not make this mandatory for the promotion. FWIW security team will be tracking the embedded version as stated by Alex.

#2: The server team is already subscribed to this package.

#3: I'd not want to make changes in the embedded libev code for now. Since this is recommended, could we skip this?

#4: I do not see a reason to ship a symbols file here, just ruby-nio4r is using it.

#5: I uploaded version 2.5.8-3 of ruby-nio4r to Debian addressing most of the lintian warnings, it should be sync'ed soon.

#0 ACK.
#1 ACK. If it's not a blocker for the security team and the owning team, I'm fine with it, too.
=> Downgrading to a "Recommended TODO".
#2 ACK.
#3 ACK.
#4 ACK.
#5 ACK.

Thanks! This seems ready for promotion.

Showing up in component mismatch now as planned.

Promoted together with the full PCS stack, details see https://bugs.launchpad.net/ubuntu/+source/pcs/+bug/1953341/comments/13