mate-menu package needs updating

Bug #1427742 reported by Martin Wimpress
Affects              Status        Importance  Assigned to  Milestone
Ubuntu MATE          Fix Released  Undecided   Unassigned   -
mate-menu (Ubuntu)   Fix Released  Wishlist    Unassigned   -

Bug Description

A new version of mate-menu is available that adds translations and also addresses shell command injection.

  * https://bugs.launchpad.net/ubuntu-mate/+bug/1422402

The source for the packages is available from the following repository in the 'ubuntu/15.04' branch.

  git clone https://alioth.debian.org/anonscm/git/pkg-mate/mate-menu.git
  cd mate-menu
  git checkout ubuntu/15.04
  debian/rules get-orig-source

Mathieu Trudel-Lapierre (cyphermox) wrote:

mate-menu (5.6.2-0ubuntu1) vivid; urgency=medium is in the changelog and doesn't appear to have landed in vivid.

Also, I'm a bit concerned about what some of the entries mean in changelog:
  + Removed package management features.
  + Removed useless imports and dead code.
  + Refactored some os.system() calls to Pythonic equivalents.

Given that it's past Feature Freeze, we need to make sure all the changes are indeed bugfixes, and removal of features sounds a bit like a feature :)

Martin Wimpress (flexiondotorg) wrote:

There is a Shell Command Injection vulnerability in the version of MATE Menu currently residing in the official Ubuntu archive. This issue is described here:

  * https://bugs.launchpad.net/ubuntu-mate/+bug/1422402

mate-menu 5.6.2 directly addresses the issue above, but as you point out was not released in Ubuntu. Should I change the entry for mate-menu 5.6.2 in the changelog to UNRELEASED?

However, after doing a code review I found other exploitable methods in the package management features of MATE Menu.

So I started on mate-menu 5.6.3 and the following changes address the other exploitable code.

  + Removed package management features.
  + Removed useless imports and dead code.
  + Refactored some os.system() calls to Pythonic equivalents.

Personally, I do not think a Menu should be trying to be a package manager, certainly not one that is exploitable. Before removing those features I consulted with the Ubuntu MATE community here:

  * https://plus.google.com/103917631499285627130/posts/jkrMzsC3Brs

The message was clear: most people didn't know the package management features existed, and of those that did know about them, they didn't use them. So I took the decision to remove an insecure unused feature rather than fix it.

I hope that explains my rationale.
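The os.system() pattern referred to above, shown as an added example that is not mate-menu's own code and not taken from the debdiff: a command line is built by string concatenation from text the user typed, and a shell then interprets that text. The "menu search box" scenario, the function names, and the HOSTILE_QUERY input are all constructed for this illustration; the example assumes a POSIX /bin/sh and an echo binary, and uses subprocess.run(..., shell=True) in place of os.system() only so the shell's output can be captured and compared. The last function shows the "Pythonic equivalent" approach from the changelog, where a shell command such as mkdir -p is replaced by a library call that treats the path as data.

```python
"""Added example for this bug page: shell command injection through a
concatenated os.system()-style command, and the two kinds of fix the
5.6.3 changelog describes (no shell at all, or a Python library call).
Illustrative code only; not mate-menu's implementation."""

import os
import shlex
import subprocess
import tempfile

# Constructed sample input: what an attacker could type into a text field
# whose contents end up inside a command line. The ';' terminates the
# intended command and the shell runs whatever follows it.
HOSTILE_QUERY = "hello; echo INJECTED"


def run_unsafe(query: str) -> str:
    """Vulnerable pattern (assumed, not mate-menu's code): concatenate the
    user's text into a command string and hand it to a shell. This is the
    same thing os.system("echo " + query) does, with stdout captured."""
    cmd = "echo " + query
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_quoted(query: str) -> str:
    """Mitigation when a shell string really is unavoidable: shlex.quote()
    wraps the query as a single shell word, so ';', '|', '$(...)' etc. are
    passed through as literal characters."""
    cmd = "echo " + shlex.quote(query)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_argv(query: str) -> str:
    """Preferred fix: no shell at all. The argv list goes straight to
    execve(), so the query is exactly one argument whatever it contains."""
    result = subprocess.run(["echo", query], capture_output=True, text=True)
    return result.stdout


def ensure_dir_pythonic(path: str) -> bool:
    """'Pythonic equivalent': os.system("mkdir -p " + path) becomes
    os.makedirs(), which takes the path as data and never sees a shell.
    Returns True when the directory exists afterwards."""
    os.makedirs(path, exist_ok=True)
    return os.path.isdir(path)


def makedirs_demo() -> bool:
    """Create a directory whose name contains shell metacharacters inside a
    throwaway temp dir; with os.makedirs() the name is just a name."""
    with tempfile.TemporaryDirectory() as tmp:
        return ensure_dir_pythonic(os.path.join(tmp, "a; touch x"))


if __name__ == "__main__":
    print("unsafe  :", repr(run_unsafe(HOSTILE_QUERY)))
    print("quoted  :", repr(run_quoted(HOSTILE_QUERY)))
    print("argv    :", repr(run_argv(HOSTILE_QUERY)))
    print("makedirs:", makedirs_demo())
```

Run it and the unsafe variant prints two lines, "hello" and "INJECTED", because the shell executed the attacker's second command; both the quoted and the argv variants print the query back as one literal line. The argv form is the one to reach for in a menu launcher: it needs no escaping discipline at every call site, and it removes the shell from the process tree entirely.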

Martin Wimpress (flexiondotorg) wrote:

After discussing with Iain Lane I have consolidated the changelog entry, so the unreleased 5.6.2 version is no longer listed.

Martin Wimpress (flexiondotorg) wrote:

As requested by Didier Roche I have attached a debdiff for the change between 5.6.1 and 5.6.3.

Didier Roche-Tolomelli (didrocks) wrote:

Perfect, looking good and sponsored, thanks! :)

Changed in mate-menu (Ubuntu):
status: New → Fix Committed
Artur Rona (ari-tczew) wrote:

mate-menu (5.6.3-0ubuntu1) vivid; urgency=medium

  [ Martin Wimpress ]
  * New upstream release.
    + Added translations.
    + Fixed shell code injection. Closes (LP: #1422402)
      + Removed package management features.
      + Removed useless imports and dead code.
      + Refactored some os.system() calls to Pythonic equivalents.
    + Refactored calls to the deprecated commands.getoutput().
    + Removed unused icons.
    + Added a single, non-distro specific, icon for use everywhere.
    + Fixed lock screen.
  * debian/copyright:
    + Remove COPYING from copyright.
    + Update copyright attribution for new mate-logo.svg.
    + Update copyright attribution for translators.
    + Remove obsolete entries from copyright.

  [ Mike Gabriel ]
  * debian/control:
    + Add to D (mate-menu): libglib2.0-bin (for glib-compile-schema in postinst
      script). (Closes: #779102).
 -- Martin Wimpress <email address hidden> Fri, 06 Mar 2015 22:03:23 +0000

Changed in mate-menu (Ubuntu):
importance: Undecided → Wishlist
status: Fix Committed → Fix Released
Changed in ubuntu-mate:
status: New → Fix Released