main inclusion request for virtuoso

Bug #503774 reported by Jonathan Riddell
This bug affects 3 people
Affects: virtuoso-opensource (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned | Milestone: (none)

Bug Description

virtuoso-opensource should be promoted to main. It is needed by the Nepomuk semantic desktop used throughout KDE. Notably it is needed for Kontact to collect e-mail.

I checked UbuntuMainInclusionRequirements and those were the problems:
* unversioned libraries in /usr/lib; there are no headers, so nothing will compile against them except virtuoso-t itself
* Package is not yet in Debian, who are working on the newer 6.0 version (this does not yet work with KDE but is due to do so on its next release)

sokai (sokai) wrote :

Hi Jonathan,

the bug "[needs-packaging] virtuoso-opensource" was opened a few days ago. Look here: https://bugs.launchpad.net/ubuntu/+bug/331757 .

sofar|sokai :)

Jonathan Riddell (jr)
Changed in virtuoso-opensource (Ubuntu):
milestone: none → lucid-alpha-2
Martin Pitt (pitti) wrote :

The description "innovative Universal Server platform that delivers an enterprise level Data Integration and Management solution for SQL, RDF, XML, Web Services, and Business Processes." is quite marketing speech, so I'm not quite sure what this package is all about. It sounds like half an OS to me, and we already have plenty of libraries doing all those, so it sounds like a monolithic alternative to those.

What will this be used for? It sounds pretty overdesigned for just an email store (doesn't KDE already have a full-fledged MySQL server for storing all kinds of data?), and if this is also exporting user data stuff to the network it will need a more comprehensive security review first.

Changed in virtuoso-opensource (Ubuntu):
status: New → Incomplete
Jonathan Thomas (echidnaman) wrote :

It's required for the KDE PIM apps to run, since they depend on the Nepomuk semantic ontology system to work, so it's pretty much essential.

Jonathan Riddell (jr) wrote :

KDE uses the RDF store; the rest isn't compiled. It is needed for desktop search and semantic linking. This is an essential part of KDE and has been for some time. virtuoso provides a new backend for features which we depend on.

Changed in virtuoso-opensource (Ubuntu):
status: Incomplete → New
Martin Pitt (pitti) wrote : Re: [Bug 503774] Re: main inclusion request for virtuoso

 subscribe ubuntu-security

This is a highly complex package, does the Kubuntu team commit to
maintaining it?

Jonathan Riddell [2010-01-10 22:57 -0000]:
> KDE uses the RDF store; the rest isn't compiled. It is needed for
> desktop search and semantic linking. This is an essential part of KDE
> and has been for some time. virtuoso provides a new backend for
> features which we depend on.

Does it have any network-facing functionality enabled?

Subscribing security team for signing off LTS security support.

Thanks, Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)

Jonathan Riddell (jr) wrote :

> does the Kubuntu team commit to maintaining it?

We don't have a choice; this is an essential part of KDE.

> Does it have any network-facing functionality enabled?

No

Note that the patch build-sanely.diff prevents much of the source code from compiling

Kees Cook (kees)
Changed in virtuoso-opensource (Ubuntu):
assignee: nobody → Kees Cook (kees)
Kees Cook (kees) wrote :

 * Should use system zlib
 * virtuoso-t should be installed in /usr/lib since it doesn't run sanely alone in /usr/bin (and lacks a man page)
 * Config files (*.cfg) are all out of the local directory. virtuoso-t should only be run from a safe location in a user's home directory where no surprise settings can be injected.
 * libsrc/Wi/bif_files.c should be changed to force all the "if (do_os_calls)" checks to fail, regardless of configuration setting. This seems like a dangerous ability for it to have.

There is a lot of memory allocation code, but given how far removed from direct 3rd party data this software will be, I'm relatively comfortable with that. I would, however, expect that this code will need attention during the lifetime of Lucid.

If the above 4 points can be addressed (#3 is actually in nepomuk, I think), this would be okay for main, given that it is a very stripped down version of virtuoso-opensource.
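Point 3 above (config files pulled from the working directory, virtuoso-t to be run only from a safe location) is the kind of check a launcher can make before handing a .cfg path to the server. The following is an added example, not code from virtuoso, soprano or anyone on this thread; config_path_is_safe() and make_temp_cfg() are hypothetical names, and the sample file under /tmp is constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 1 if `path` is a config file the server may be pointed at:
 * absolute, located under `base_dir` (the launcher-controlled config
 * directory), a regular file rather than a symlink, owned by `owner`,
 * and not writable by group or others. Returns 0 otherwise. */
int config_path_is_safe(const char *path, const char *base_dir, uid_t owner)
{
    struct stat st;
    size_t blen = strlen(base_dir);

    if (path[0] != '/' || base_dir[0] != '/')
        return 0;                          /* relative paths resolve via cwd */
    if (strncmp(path, base_dir, blen) != 0 || path[blen] != '/')
        return 0;                          /* outside the trusted directory */
    if (strstr(path, "/../") != NULL)
        return 0;                          /* no escaping the base directory */
    if (lstat(path, &st) != 0)
        return 0;                          /* missing: nothing to validate */
    if (!S_ISREG(st.st_mode))
        return 0;                          /* symlink, directory, fifo, ... */
    if (st.st_uid != owner)
        return 0;                          /* someone else controls contents */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                          /* others could inject settings */
    return 1;
}

/* Demo helper: create a constructed .cfg under /tmp with the given mode and
 * return its path (caller frees). Not a real virtuoso configuration. */
char *make_temp_cfg(mode_t mode)
{
    static const char body[] = "[Parameters]\nServerPort = 1111\n";
    char *name = strdup("/tmp/virtuoso-demoXXXXXX");
    int fd = mkstemp(name);
    if (fd < 0) { free(name); return NULL; }
    if (write(fd, body, sizeof body - 1) < 0) { /* ignore for demo */ }
    fchmod(fd, mode);
    close(fd);
    return name;
}

int main(void)
{
    char *good = make_temp_cfg(0600), *bad = make_temp_cfg(0666);
    printf("0600 under /tmp: %d\n", config_path_is_safe(good, "/tmp", getuid()));
    printf("0666 under /tmp: %d\n", config_path_is_safe(bad, "/tmp", getuid()));
    printf("cwd-relative:    %d\n", config_path_is_safe("virtuoso.cfg", "/tmp", getuid()));
    unlink(good); unlink(bad); free(good); free(bad);
    return 0;
}
```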

Changed in virtuoso-opensource (Ubuntu):
importance: Undecided → High
status: New → Incomplete
assignee: Kees Cook (kees) → Jonathan Riddell (jr)
Jonathan Riddell (jr) wrote :

Changes:
 virtuoso-opensource (5.0.12-0ubuntu3) lucid; urgency=low
 .
   * Install to /usr/lib/virtuoso instead of /usr/bin, not a user
     binary
   * Build with --without-internal-zlib and add debian/patches/external_zlib.diff
   * Add no_do_os_calls.diff patch, don't allow do_os_calls

Changes:
 soprano (2.3.70+dfsg.1-0ubuntu3) lucid; urgency=low
 .
   * Add kubuntu_01_config_path.diff, config files in uncontrolled
     directories are insecure
   * Add kubuntu_02_cmakelists.diff to sync CMakeLists.txt with upstream,
     fixes compilation with new librdf version
   * Add kubuntu_03_virtuoso_path.diff for virtuoso which we keep away
     from PATH
   * Recommend virtuoso-server

Martin Pitt (pitti)
Changed in virtuoso-opensource (Ubuntu):
status: Incomplete → New
assignee: Jonathan Riddell (jr) → Kees Cook (kees)
milestone: lucid-alpha-2 → lucid-alpha-3
Kees Cook (kees) wrote :

Great, thanks! This looks good for avoiding potential problems. +1 for main.

Changed in virtuoso-opensource (Ubuntu):
status: New → In Progress
assignee: Kees Cook (kees) → nobody
Martin Pitt (pitti) wrote :

promoted

Changed in virtuoso-opensource (Ubuntu):
status: In Progress → Fix Released