Merge ~ahasenack/ubuntu/+source/freeradius:oracular-freeradius-replace-radsecret into ubuntu/+source/freeradius:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 4b70aa177d67f3a828ff0a4945f1bf0ca4cd43e1
Proposed branch: ~ahasenack/ubuntu/+source/freeradius:oracular-freeradius-replace-radsecret
Merge into: ubuntu/+source/freeradius:ubuntu/devel
Diff against target: 82 lines (+39/-3)
4 files modified
debian/changelog (+11/-0)
debian/control (+2/-3)
debian/patches/replace-radsecret.patch (+25/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Mitchell Dzurick (community) Approve
Canonical Server Core Reviewers Pending
Canonical Server Reporter Pending
Review via email: mp+469508@code.launchpad.net

Description of the change

Replace the radsecret perl script with a bash variant to avoid pulling in two new perl dependencies which are in universe and would trigger a component mismatch.

The bug also has two other python suggestions, but I think this is simpler, bar any glaring security vulnerability. I did ask #security internally for a quick check; got one +1, waiting on another.

Upstream also suggested in our bug to just drop this script, as it's not used internally by anything else, so that's also an option.

The tools I used in the script (base32, tr, dd) are in the coreutils package, which is of priority "required", so no new dependency has to be added to the package.

PPA building at https://launchpad.net/~ahasenack/+archive/ubuntu/freeradius

Mitchell Dzurick (mitchdz) wrote :

Reading the perl function[0], there are error messages indicating a check that enough randomness was gathered (RtlGenRand failed).

/dev/urandom does guarantee non-blocking data, so this should be fine. I just want to point out there is a potential of missing some checks from the perl library, but in this case it should be safe to rely on the device for providing enough data.

[0] - https://manpages.debian.org/testing/libcrypt-urandom-perl/Crypt::URandom.3pm.en.html
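A length check of the kind discussed in the comment above, as an added example that is not part of the merge proposal or of FreeRADIUS: a radsecret-style generator that refuses to print anything when the random read comes up short. The names `gen_radsecret` and `RANDOM_SOURCE` are hypothetical, and the code is written for POSIX sh with coreutils (`head`, `base32`, `tr`, `cut`, `fold`, `paste`).

```shell
#!/bin/sh
# Added example, not the script from the merge proposal.
# gen_radsecret and RANDOM_SOURCE are hypothetical names for this sketch.
RANDOM_SOURCE="${RANDOM_SOURCE:-/dev/urandom}"

gen_radsecret() {
    nbytes=13    # same byte count the patch uses

    # Read the bytes and base32-encode them. A failed or short read does
    # not abort the pipeline, it only yields less (or no) output.
    raw=$(head -c "$nbytes" "$RANDOM_SOURCE" 2>/dev/null | base32) || return 1

    # Strip '=' padding and lowercase; LC_ALL=C pins the A-Z range.
    enc=$(printf '%s' "$raw" | tr -d '=' | LC_ALL=C tr 'A-Z' 'a-z')

    # 13 bytes always encode to exactly 21 base32 characters. Any other
    # length means the read was short or a tool failed: print nothing.
    [ "${#enc}" -eq 21 ] || return 1

    # Keep the first 20 characters and group them 4-4-4-4-4 like the patch.
    printf '%s\n' "$enc" | cut -c1-20 | fold -w 4 | paste -sd- -
}

# Stand-alone use: print one secret, or fail loudly with a non-zero status.
gen_radsecret || { echo "radsecret: could not read enough random bytes" >&2; exit 1; }
```

The check is on the encoded length, so it covers a missing device, a short read and a missing `base32` binary with one test.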

Mitchell Dzurick (mitchdz) wrote :

Overall this gets my +1 too

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, mitchdz
Uploaders: ahasenack, mitchdz
MP auto-approved

review: Approve
Andreas Hasenack (ahasenack) wrote :

Test passed.
Debian asked me if I could send this upstream, otherwise Debian is reluctant to take this change.

Andreas Hasenack (ahasenack) wrote :

Upstream PR at https://github.com/FreeRADIUS/freeradius-server/pull/5375.

Even if accepted, it will be a while before a new release, so I'm proceeding with this PR and uploading the package to Oracular.

Andreas Hasenack (ahasenack) wrote :

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading freeradius_3.2.5+dfsg-2ubuntu1.dsc: done.
  Uploading freeradius_3.2.5+dfsg-2ubuntu1.debian.tar.xz: done.
  Uploading freeradius_3.2.5+dfsg-2ubuntu1_source.buildinfo: done.
  Uploading freeradius_3.2.5+dfsg-2ubuntu1_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index c2b555a..460cd61 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,14 @@
6+freeradius (3.2.5+dfsg-2ubuntu1) oracular; urgency=medium
7+
8+ * Don't depend on perl modules from universe (LP: #2073269):
9+ - d/p/replace-radsecret.patch: replace radsecret, which is in perl,
10+ with a Bash variant, to avoid pulling in two new perl dependencies
11+ which are in Universe
12+ - d/control: drop explicit dependency on libconvert-base32-perl and
13+ libcrypt-urandom-perl
14+
15+ -- Andreas Hasenack <andreas@canonical.com> Tue, 16 Jul 2024 16:30:16 -0300
16+
17 freeradius (3.2.5+dfsg-2) unstable; urgency=medium
18
19 * Fix parallel builds
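Review bot: The changelog sub-bullet for d/p/replace-radsecret.patch does not record that the replacement reads 13 random bytes where the perl script read 12, although the patch header calls it out ("Use 13 bytes instead of 12"). That is a behaviour change in a secret generator and not only a language swap, so mention it here together with the bug comment reference, so the reason is still visible in the changelog when the patch is later refreshed or dropped.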
20diff --git a/debian/control b/debian/control
21index 7e6523d..5ac6ab8 100644
22--- a/debian/control
23+++ b/debian/control
24@@ -31,7 +31,8 @@ Build-Depends: debhelper-compat (= 13),
25 snmp
26 Section: net
27 Priority: optional
28-Maintainer: Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>
29+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
30+XSBC-Original-Maintainer: Debian FreeRADIUS Packaging Team <pkg-freeradius-maintainers@lists.alioth.debian.org>
31 Uploaders: Mark Hymers <mhy@debian.org>,
32 Sam Hartman <hartmans@debian.org>,
33 Bernhard Schmidt <berni@debian.org>
34@@ -98,8 +99,6 @@ Conflicts: radiusd-livingston, yardradius
35 Depends: freeradius-common,
36 freeradius-config,
37 libfreeradius3 (= ${binary:Version}),
38- libconvert-base32-perl,
39- libcrypt-urandom-perl,
40 ${dist:Depends},
41 ${misc:Depends},
42 ${perl:Depends},
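Review bot: Removing libconvert-base32-perl and libcrypt-urandom-perl from Depends is only correct while replace-radsecret.patch is applied, because the upstream perl radsecret loads both modules (use Convert::Base32; use Crypt::URandom();). Nothing in d/control ties the two changes together, so a later merge that drops the patch would ship a radsecret that fails at runtime. A sentence in the patch header saying the Depends removal relies on it, or a package test that simply runs radsecret, would catch that.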
43diff --git a/debian/patches/replace-radsecret.patch b/debian/patches/replace-radsecret.patch
44new file mode 100644
45index 0000000..0cc236d
46--- /dev/null
47+++ b/debian/patches/replace-radsecret.patch
48@@ -0,0 +1,25 @@
49+Description: replace radsecret with a Bash variant
50+ This avoids adding two perl dependencies which are in Universe, and trigger a
51+ component mismatch in Ubuntu.
52+ Use 13 bytes instead of 12, due to
53+ https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/2073269/comments/6
54+Author: Andreas Hasenack <andreas.hasenack@canonical.com>
55+Bug-Debian: https://bugs.debian.org/1076458
56+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/2073269
57+Last-Update: 2024-07-16
58+
59+diff --git a/src/main/radsecret b/src/main/radsecret
60+index 2a03a2e7bc..8b7b5f0abe 100755
61+--- a/src/main/radsecret
62++++ b/src/main/radsecret
63+@@ -1,7 +1,3 @@
64+-#!/usr/bin/env perl
65+-#
66+-# A tool which generates strong shared secrets.
67+-#
68+-use Convert::Base32;
69+-use Crypt::URandom();
70+-print join('-', unpack("(A4)*", lc encode_base32(Crypt::URandom::urandom(12)))), "\n";
71++#!/bin/bash
72++data=$(dd if=/dev/urandom bs=1 count=13 2>/dev/null| base32 | tr 'A-Z' 'a-z')
73++echo ${data:0:4}-${data:4:4}-${data:8:4}-${data:12:4}-${data:16:4}
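Review bot: The line that fills data has no failure handling: stderr from dd is discarded, pipefail is not set, and the length of data is never checked, so if dd or base32 fails the script prints a truncated secret or just "----" and still exits 0. Set pipefail and refuse to print unless ${#data} is at least 20, exiting non-zero otherwise. Smaller points: the removed header comment ("A tool which generates strong shared secrets.") is worth keeping in the bash version, the echo argument should be double-quoted, and the DEP-3 header has no Forwarded field.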
74diff --git a/debian/patches/series b/debian/patches/series
75index 5dfbaa2..b367578 100644
76--- a/debian/patches/series
77+++ b/debian/patches/series
78@@ -6,3 +6,4 @@ debian-local/0010-version.c-disable-openssl-version-check.patch
79 dont-install-tests.diff
80 snakeoil-certs.diff
81 fix-parallel-build.patch
82+replace-radsecret.patch
