[MIR] mailman-suite as dependency of mailman3
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
mailman-suite (Ubuntu) |
In Progress
|
Undecided
|
Unassigned |
Bug Description
[Availability]
The package is already universe for quite a while and build/works fine so far.
It is for example already used for https:/
This source builds only mailman3-web and that is also all we need (no py2).
[Rationale]
This is part of the MIR activity for all dependencies of mailman3
The "main" MIR of it is at bug 1775427:
Mailman (2) has only python2 support, but we strive for python3,
therefore Mailman3 which has python3 support should be promoted to main.
This integrates mailman (core) hyperkitty (archivin) and posotrious (UI) in one place.
[Security]
No known CVEs found.
A few old issues can be found against mailman2 and one (but long fixed) for mailman 3
=> https:/
[Quality assurance]
The mailman3 stacks as of now (Disco) installs fine and provides a base
config. But due to the nature of the package that needs further modification
to be of real use.
The package does ask debconf questions, but only as high as medium.
There are a few (2) very low severity bugs in Ubuntu and some package improvement sugegstion bugs in Debian.
Nothing to stop this from being considered ok.
There are regular upstream releases and Debian packaging it.
No exotic HW involved.
No build time tests, but this is mostly an integrator package.
Tests are runnign as dep8 tests in django-mailman3, mailman3, mailman-hyperkitty, mailman3-core and mailmanclient.
d/watch is set up and ok.
No Lintian warning except fairly recent newer Standards version.
The package does not rely on demoted or obsolete packages.
[UI standards]
Comes with 7 translations in .po files
No End-user applications that needs a standard conformant desktop file.
[Dependencies]
Some dependencies are not in main, but we drive MIR for all related packages
that are not in main at the same time.
Please check the list of bugs from the main Mailman3 MIR in bug 1775427 to get an overview.
[Standards compliance]
The package meets the FHS and Debian Policy standards.
The packaging itself is very straight forward and uses dh_* as much as possible - the d/rules fits on one screen.
[Maintenance]
The Server team will subscribe for the package for maintenance
[Background]
The package description explains the general purpose and context of the package well.
Changed in mailman-suite (Ubuntu): | |
status: | New → In Progress |
[Duplication]
This is part of the six core packages of mailman3 that pull in further components as needed.
Since this represents mailman doing mailing list processing there is a duplication to mailman2.
But the intention is to stop seeding mailman2 as soon as mailman3 got promoted.
[Embedded sources and static linking]
This package does not contain embedded library sources.
This package doe not statically link to libraries.
No Go package
[Security] /cve.mitre. org/cgi- bin/cvekey. cgi?keyword= mailman
I can confirm that there seems to be no CVE/Security history for this package.
But there is enough for mailman2 (and a bit for 3) that we should expect not (much) less in the future when it becomes more widely used.
=> https:/
It Does not:
- run a daemon as root
- uses old webkit
- uses lib*v8 directly
- open a port
- integrates arbitrary javascript into the desktop
- deals with system authentication
- uses centralized online accounts
- processes arbitrary web content
- parse data formats
This is the overarching element that pulls together Mailman3 Postorius HyperKitty and UWSGI to provide the mailman3 services on the web.
It actually doesn't do anything on its own, but depends on the right packages and provides a WSGI config for hyperkitty.
It also contains all the default settings for those, therefore I'll mark it for security review as well.
Less for the package itself, but for its role in regard to the other more exposed components.
[Common blockers]
- builds fine at the moment
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3
- No tests for itself, but this is mostly integrating other components which are all having autopkgtests as reverse deps
[Packaging red flags]
- no current ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present bug ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder
[Upstream red flags]
- no suspicious errors during build
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either
[Summary]
Ack from the MIR-Teams POV, but as outlined above a security review is recommended.
Assigning the security Team.