Main Inclusion Report for svgalib
Requirements
Availability: http://archive.ubuntu.com/ubuntu/pool/universe/s/svgalib, available for i386 and amd64
Rationale:
- Build dependency of usplash in order to provide high-resolution vesa support
- Should only include libsvga1 and libsvga1-dev - binaries are unnecessary
Security:
- 3 CVE issues in the past.
- No binaries running as root or suid/sgid, except in the svgalib-bin package (not requested for inclusion); however, we generally support all binaries from a source package, so these need to be dealt with.
- Does not open any port.
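The concern above is setuid/setgid binaries shipped by a source package that is otherwise only wanted for its library. The following is an added example (not part of the MIR page or of svgalib itself) of the check a reviewer can run over an unpacked binary package, for instance after `dpkg-deb -x pkg.deb tree`: it lists every regular file carrying the setuid or setgid bit and returns non-zero when any is present, so it can gate a build or audit script. The function and directory names are the example's own.

```shell
#!/bin/sh
# Added example: audit an unpacked package tree for setuid/setgid files,
# the class of binary that a library-only inclusion should not drag in.
# Usage: audit_suid_tree <dir>   (e.g. the target of `dpkg-deb -x pkg.deb <dir>`)
# Prints "mode owner path" for each offending file; returns 1 if any were
# found, 0 if the tree is clean, 2 if the directory does not exist.

audit_suid_tree() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # POSIX find: -perm -4000 matches setuid, -perm -2000 matches setgid.
    hits=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r f; do
        # ls -ld gives the mode string and owner; keep those plus the path.
        ls -ld "$f" | awk -v p="$f" '{ print $1, $3, p }'
    done
    return 1
}

# count_suid_files <dir>: number of setuid/setgid regular files, for scripting.
count_suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | wc -l | tr -d ' '
}
```

Run it once per binary package built from the source, not only on the packages requested for main, since the report's point is that the whole source is supported once any of it is.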
Quality assurance:
- Package works out of the box without configuration.
- Package does not ask any debconf questions higher than priority 'normal'.
- No showstopper Debian bugs, but lots of hardware-specific crashes.
- Good maintenance in Debian.
- Upstream is approximately dead; large chunks of the code are rotten.
- Claims (but tends to fail) to deal with ancient hardware which we cannot support.
Standards compliance:
- Meets the FHS and Debian Policy.
- Meets Debian library packaging guide standards.
- Standard debhelper packaging; custom but reasonable patch system.
Dependencies:
- All in main.
Comments
<mdz> mjg59: the primary reason we keep it out of main is to prevent nasty suid binaries from creeping in through other packages
<mjg59> mdz: Right
<mdz> mjg59: though the main inclusion process should prevent that just as well nowadays except where Debian introduces something without our knowledge
<mjg59> mdz: To be honest, I'd be quite tempted to say that we can't support all of its code
<mjg59> But the chances of anyone actually having hardware old enough that svgalib claims to support it (other than through vesa) is, well, small
<mdz> mjg59: would it be feasible to copy the bits you need into usplash, as with bogl?
<mjg59> mdz: Not in any remotely trivial manner
<mjg59> The build system is a nightmare
* jsgotangco (n=jsg123@ubuntu/member/jsgotangco) has joined #ubuntu-devel
<mdz> I'd like to find a way to let it into main for usplash without exposing us to any potential evils
<mjg59> Sure
<mdz> maybe I'm paranoid; it's probably unlikely that new suid programs are popping up due to svgalib in this day and age one would hope
Reviewers
MartinPitt: traditionally we support source packages, so the suid-ness should be either removed or thoroughly audited. TBH I'm not happy about this package at all, and I feel that a hi-res boot splash does not really justify having to support this package. If this is covered by an approved spec, or mdz explicitly approves this updated report, so be it; otherwise I veto.
MainInclusionReportSvgalib (last edited 2008-08-06 16:15:08 by localhost)