[MIR] libmail-authenticationresults-perl

Bug #1853175 reported by Heather Ellsworth
Affects: libmail-authenticationresults-perl (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

[Availability]
It is available for all architectures in the universe.

https://launchpad.net/ubuntu/+source/libmail-authenticationresults-perl

[Rationale]
A new dependency of libmail-dkim-perl.

[Security]
No known CVEs.

https://security-tracker.debian.org/tracker/source-package/libmail-authenticationresults-perl
https://launchpad.net/ubuntu/+source/libmail-authenticationresults-perl/+cve

[Quality assurance]
- Desktop Packages team subscribed
- dh_auto_test runs as part of build (353 tests)
- autopkgtest capability was added in 1.20180923-2

[Dependencies]
Depends on perl (already in main), libscalar-list-utils-perl (in universe, see bug #1854849)

[Standards compliance]
debhelper

[Maintenance]
The upstream does not appear to be very active, but the package is maintained by the Debian perl team (testing and unstable).

https://github.com/marcbradshaw/Mail-AuthenticationResults
https://packages.debian.org/search?keywords=libmail-authenticationresults-perl&searchon=names&suite=all&section=all

affects: libnfs (Ubuntu) → libmail-dkim-perl (Ubuntu)
Matthias Klose (doko) wrote :

why is this a separate MIR? It doesn't show up on the MIR tracker. Also you need to assign it to the package which needs promotion.

Changed in libmail-dkim-perl (Ubuntu):
status: New → Incomplete
Heather Ellsworth (hellsworth) wrote :

libmail-dkim-perl v0.54-1 is already in main:
https://launchpad.net/ubuntu/+source/libmail-dkim-perl/0.54-1

but the new v0.56-1 has a new dependency on libmail-authenticationresults-perl:
https://launchpad.net/ubuntu/+source/libmail-dkim-perl/0.56-1

libmail-authenticationresults-perl is available in the universe:
https://launchpad.net/ubuntu/+source/libmail-authenticationresults-perl

That is why this is a new MIR, to hopefully get libmail-authenticationresults-perl into main so that we can upgrade to libmail-dkim-perl v0.56-1.

My apologies for not having this assigned to the right package - this is my first MIR so I'll watch out for that mistake in future MIRs :)

Heather Ellsworth (hellsworth) wrote :

Note that libmail-authenticationresults-perl requires libscalar-list-utils-perl (in universe) so a new MIR for libscalar-list-utils-perl has been opened:
https://bugs.launchpad.net/ubuntu/+source/libmail-dkim-perl/+bug/1854849

description: updated
Christian Ehrhardt (paelzer) wrote :

Hi Heather,
the MIR bugs are filed against the package that has to be evaluated.
Thanks to your explanations that is clear now and I fixed it up in the bug tasks.

Changed in libmail-dkim-perl (Ubuntu):
status: Incomplete → Invalid
no longer affects: libmail-dkim-perl (Ubuntu)
Christian Ehrhardt (paelzer) wrote :

[Summary]
- All looks pretty straight forward, MIR Team ack
- Needs security review (assigned)

[Duplication]
Many libmail-*-perl but no duplicate in main already

[Embedded sources and static linking]
- no embedded sources
- no (static) linking (perl)

[Security]
- no history of CVEs
- no daemon as root
- doesn't use webkit1,2
- doesn't use lib*v8 directly
- doesn't open a port
- doesn't process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- doesn't deal with system authentication (eg, pam, etc)

But it
- parses data formats (the mail auth response)
- it also is a very minor part of authentication in some sort (not system auth at all, but interpreting mail auth)

Parsing headers that can be externally crafted is security sensitive, assigning security for a review as well.

[Common blockers]
- no FTBFS issues
- tests are present and run at build time
- no translation, but also not user visible
- no python package for further constraints on that

[Packaging red flags]
- no Ubuntu delta atm
- perl has no symbols tracking
- d/watch is ok
- regularly updated in Debian
  - but it is rather new since August 2019, so we don't have much data to know that in the long run
- the current release is packaged
- not causing a MOTU problem
- a few, but no massive Lintian warnings
- d/rules is as small as it can be
- no golang constraints to consider
- Desktop team is already subscribed
- no further dependencies not in main

[Upstream red flags]
- no Errors/warnings during the build
- no incautious use of malloc/sprintf
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of User nobody
- no use of setuid
- no known Important bugs (crashers, etc) in Debian or Ubuntu
- no Dependency on webkit, qtwebkit, seed or libgoa-*
- not part of UI design

Changed in libmail-authenticationresults-perl (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Mark Morlino (markmorlino) wrote :

I reviewed libmail-authenticationresults-perl 1.20180923-2 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability. ANY OTHER NOTES REGARDING THE NATURE OF THE REVIEW ITSELF.

libmail-authenticationresults-perl is a parser for Object Oriented Authentication-Results email headers. It tokenizes the header into a usable set of objects.

- CVE History:
  - I was not able to find any CVE history
- Build-Depends?
  - perl
  - libscalar-list-utils-perl
- pre/post inst/rm scripts?
  - not applicable
- init scripts?
  - not applicable
- systemd units?
  - not applicable
- dbus services?
  - not applicable
- setuid binaries?
  - not applicable
- binaries in PATH?
  - not applicable
- sudo fragments?
  - not applicable
- udev rules?
  - not applicable
- unit tests / autopkgtests?
  - there is a comprehensive test suite
- cron jobs?
  - not applicable
- Build logs:
  - Everything looks fine
- Processes spawned?
  - not applicable
- Memory management?
  - I do not see anything that looks problematic
- File IO?
  - not applicable
- Logging?
  - not applicable
- Environment variable usage?
  - not applicable
- Use of privileged functions?
  - not applicable
- Use of cryptography / random number sources etc?
  - not applicable
- Use of temp files?
  - not applicable
- Use of networking?
  - not applicable
- Use of WebKit?
  - not applicable
- Use of PolicyKit?
  - not applicable

- Any significant cppcheck results?
  - not applicable
- Any significant Coverity results?
  - not applicable

Overall it seems to be cleanly written, organized and well documented code. Upstream is not very active: 111 git commits between 2017.12-2018.10 and nothing since then. It is maintained in Debian testing and unstable though.

Security team ACK for promoting libmail-authenticationresults-perl to main.

Changed in libmail-authenticationresults-perl (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in libmail-authenticationresults-perl (Ubuntu):
status: New → Fix Committed
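The security-sensitive parsing that the MIR and security reviews above describe (externally crafted Authentication-Results headers being tokenized into result objects), as an added Python illustration that is not the Perl module's own code: a minimal RFC 8601 parser that rejects malformed input outright, plus the authserv-id filter a consumer needs because anyone upstream can write such a header. The sample headers and the trusted id `mx.example.net` are constructed.

```python
import re
# Added Python illustration of what an Authentication-Results (RFC 8601) parser must
# do and why its input is untrusted; not the Mail::AuthenticationResults module.
# Simplified grammar: authserv-id [version] *( ";" method=result *( ptype.prop=value ) ).
# Assumed limitations: no nested comments; values with spaces or quotes unsupported.

def parse_authentication_results(header):
    """Return (authserv_id, [{"method", "result", "props"}]); ValueError if malformed."""
    parts = [p.strip() for p in re.sub(r"\([^()]*\)", " ", header).split(";")]
    head = parts[0].split()
    if not head or not re.fullmatch(r"[A-Za-z0-9.-]+", head[0]):
        raise ValueError("missing or malformed authserv-id")
    results = []
    for resinfo in parts[1:]:
        if not resinfo or resinfo.lower() == "none":
            continue  # trailing ';' or "none" (no checks performed)
        tokens = resinfo.split()
        m = re.fullmatch(r"([A-Za-z0-9-]+)=([A-Za-z0-9-]+)", tokens[0])
        if not m:
            raise ValueError(f"malformed resinfo: {resinfo!r}")
        props = {}
        for prop in tokens[1:]:
            pm = re.fullmatch(r"([A-Za-z]+)\.([A-Za-z0-9_-]+)=(\S+)", prop)
            if not pm:
                raise ValueError(f"malformed property: {prop!r}")
            props[f"{pm.group(1).lower()}.{pm.group(2).lower()}"] = pm.group(3)
        results.append({"method": m.group(1).lower(), "result": m.group(2).lower(), "props": props})
    return head[0].lower(), results  # optional version token after the id is ignored

def trusted_results(headers, trusted_authserv_ids):
    """Keep results stamped by an authserv-id we operate (RFC 8601 section 7.1); foreign
    or unparseable headers are dropped, never partially trusted. The border MTA must
    also strip inbound headers claiming our own id, which anyone can write."""
    kept = []
    for h in headers:
        try:
            authserv_id, results = parse_authentication_results(h)
        except ValueError:
            continue
        if authserv_id in trusted_authserv_ids:
            kept.extend(results)
    return kept

# Constructed sample headers: stamped by our MTA, carried in from outside, truncated.
SAMPLE = [
    "mx.example.net; dkim=pass (2048-bit key) header.d=example.com header.b=abc123;"
    " spf=pass smtp.mailfrom=bounce.example.com",
    "mail.outside.example; dkim=pass header.d=bank.example; dmarc=pass",
    "mx.example.net; dkim=pass header.d=",
]
```

Calling `trusted_results(SAMPLE, {"mx.example.net"})` keeps only the dkim and spf results from the first header; the foreign and the truncated header contribute nothing.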
Adam Conrad (adconrad) wrote :

Maintained by Debian Perl Group, and has a subscriber. Promoting.

$ change-override -c main -S libmail-authenticationresults-perl
Override component to main
libmail-authenticationresults-perl 1.20180923-2 in focal: universe/misc -> main
libmail-authenticationresults-perl 1.20180923-2 in focal amd64: universe/perl/optional/100% -> main
libmail-authenticationresults-perl 1.20180923-2 in focal arm64: universe/perl/optional/100% -> main
libmail-authenticationresults-perl 1.20180923-2 in focal armhf: universe/perl/optional/100% -> main
libmail-authenticationresults-perl 1.20180923-2 in focal i386: universe/perl/optional/100% -> main
libmail-authenticationresults-perl 1.20180923-2 in focal ppc64el: universe/perl/optional/100% -> main
libmail-authenticationresults-perl 1.20180923-2 in focal s390x: universe/perl/optional/100% -> main
Override [y|N]? y
7 publications overridden.

Changed in libmail-authenticationresults-perl (Ubuntu):
status: Fix Committed → Fix Released