[MIR] promote libdbix-simple-perl as a libmail-dmarc-perl dependency

Bug #2030731 reported by Miriam España Acebal
Affects: libdbix-simple-perl (Ubuntu); Status: In Progress; Importance: Undecided; Assigned to: Unassigned

Bug Description

[Availability]
The package libdbix-simple-perl is already in Ubuntu universe.
The package libdbix-simple-perl builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64
Link to package https://launchpad.net/ubuntu/+source/libdbix-simple-perl

[Rationale]
The package libdbix-simple-perl is required in Ubuntu main for libmail-dmarc-perl.
The package libdbix-simple-perl will not generally be useful for
a large part of our user base, but is important/helpful still
because libmail-dmarc-perl requires it as a runtime dependency
(libmail-dmarc-perl is in the MIR process here: https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971)

The package libdbix-simple-perl is required in Ubuntu main through the same schedule requested
for the libmail-dmarc-perl promotion, since libmail-dmarc-perl depends on it.

[Security]
No CVEs/security issues in this software in the past.
No `suid` or `sgid` binaries.
No executables in `/sbin` and `/usr/sbin`.
Package does not install services, timers or recurring jobs.
Package does not open privileged ports (ports < 1024).
Package does not expose any external endpoints.
Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...).

[Quality assurance - function/usage]
The package works well right after install.

[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu/Upstream and does
not have critical/long term open bugs in Ubuntu nor in Debian:
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug (total 0)
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libdbix-simple-perl (total 0)
  - Upstream https://rt.cpan.org/Public/Dist/Display.html?Name=DBIx-Simple (total 9)
The package has important/old open bugs upstream, listing them:
  - https://rt.cpan.org/Ticket/Display.html?id=66228 : Please provide clear licensing terms -> This seems previous to the Debian packaging work
The package does not deal with exotic hardware we cannot support.

[Quality assurance - testing]
The package runs a test suite on build time, if it fails
it makes the build fail: https://launchpadlibrarian.net/606956569/buildlog_ubuntu-kinetic-amd64.libdbix-simple-perl_1.37-2_BUILDING.txt.gz :
   dh_auto_test
 make -j4 test TEST_VERBOSE=1
make[1]: Entering directory '/<<PKGBUILDDIR>>'
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(1, 'blib/lib', 'blib/arch')" t/*.t
t/DBIx-Simple.t ..

The package runs an autopkgtest (via autodep8 using 'Testsuite: autopkgtest-pkg-perl' in the d/control file), which essentially runs the above build-time test suite. It's currently passing on
this list of architectures (amd64, arm64, armhf, ppc64el, riscv64, s390x), except on i386 since focal:
https://autopkgtest.ubuntu.com/packages/l/libdbix-simple-perl

[Quality assurance - packaging]
debian/watch is present and works

debian/control defines a correct Maintainer field: Debian Perl Group <email address hidden>

This package does not yield massive lintian Warnings, Errors
  - recent build log of the package: https://launchpadlibrarian.net/606956569/buildlog_ubuntu-kinetic-amd64.libdbix-simple-perl_1.37-2_BUILDING.txt.gz
  - full output from `lintian --pedantic` :
    #source
    ❯ lintian -EvIL +pedantic --show-overrides
      E: libdbix-simple-perl changes: bad-distribution-in-changes-file mantic
      W: libdbix-simple-perl: changelog-distribution-does-not-match-changes-file (unstable != mantic)
      W: libdbix-simple-perl changes: distribution-and-changes-mismatch mantic unstable
    #binary
    ❯ lintian -EvIL +pedantic --show-overrides ../libdbix-simple-perl_1.37-2.dsc
      I: libdbix-simple-perl source: out-of-date-standards-version 4.1.3 (released 2017-12-27) (current is 4.6.0.1)
      X: libdbix-simple-perl source: debian-watch-does-not-check-gpg-signature [debian/watch]
      P: libdbix-simple-perl source: silent-on-rules-requiring-root [debian/control]
      P: libdbix-simple-perl source: update-debian-copyright 2018 vs 2022 [debian/copyright:11]
      X: libdbix-simple-perl source: upstream-metadata-file-is-missing
  - Lintian overrides are not present

This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies.

The package will not be installed by default.

Packaging and build is easy, link to debian/rules : https://git.launchpad.net/ubuntu/+source/libdbix-simple-perl/tree/debian/rules?h=ubuntu/mantic-devel

[UI standards]
Application is not end-user facing (does not need translation).

[Dependencies]
- No further depends dependencies that are not yet in main
- This has Recommends on three universe packages: libobject-accessor-perl, libsql-abstract-perl, libtext-table-perl. Checking recursive binary dependencies:
  - libobject-accessor-perl: No further depends or recommends dependencies that are not yet in main.

  - libsql-abstract-perl: Depends on universe package libhash-merge-perl, and recommends two universe packages: libtest-deep-perl and libtest-simple-perl
    - libhash-merge-perl: Depends on universe package libclone-choose-perl
      - libclone-choose-perl: Recommends universe package libclone-pp-perl.
        - libclone-pp-perl: No further depends or recommends dependencies that are not yet in main.
    - libtest-deep-perl: Depends on two universe packages: libscalar-list-utils-perl and libtest-simple-perl.
      - libscalar-list-utils-perl: No further depends or recommends dependencies that are not yet in main.
      - libtest-simple-perl: No further depends or recommends dependencies that are not yet in main.
    - libtest-simple-perl: No further depends or recommends dependencies that are not yet in main.

  - libtext-table-perl: Depends on universe package libtext-aligner-perl.
    - libtext-aligner-perl: No further depends or recommends dependencies that are not yet in main.

  Instead of MIR the above, an option that may be worthwhile would be to move the initial Recommends to Suggests.

[Standards compliance]
This package correctly follows FHS and Debian Policy (4.1.3.).

[Maintenance/Owner]
Owning Team will be Ubuntu Server Team.
Team is not yet subscribed, but will subscribe to the package before promotion.

This does not use static builds.
This does not use vendored code.
This package is not rust based.

The package successfully built during the most recent test rebuild: https://launchpad.net/ubuntu/+archive/test-rebuild-20230515-lunar-v3/+build/26135205/+files/buildlog_ubuntu-lunar-amd64.libdbix-simple-perl_1.37-2_BUILDING.txt.gz

[Background information]
The Package description explains the package well
Upstream Name is DBIx-Simple
Link to upstream project https://metacpan.org/dist/DBIx-Simple

This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad, except one sync request to update it in 2017.

Changed in libdbix-simple-perl (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Lukas Märdian (slyon) wrote :

Review for Source Package: libdbix-simple-perl

[Summary]
This is a higher level abstraction layer to Perl's SQL/database wrapper (libdbi-perl).

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does not need a security review

List of specific binary packages to be promoted to main: libdbix-simple-perl
Specific binary packages built, but NOT to be promoted to main: None

Notes:
- It passes through SQL statements to the DBI layer from trusted source code,
  so I don't feel like this needs security review.

Required TODOs:
#1 other Dependencies to MIR due to this:
 * libobject-accessor-perl binary and source package is in universe
 * libsql-abstract-perl binary and source package is in universe
 * libtext-table-perl binary and source package is in universe

Recommended TODOs:
#2 The package should get a team bug subscriber before being promoted
#3 Upstream & Debian/Ubuntu update history is sporadic
=> Maybe we can do a better job of at least packaging new versions in a timely
   manner, once this is in main. There are not too frequent releases upstream.
#4 Lintian hints, which might be worth looking at:
I: libdbix-simple-perl source: out-of-date-standards-version 4.1.3 (released 2017-12-27) (current is 4.6.2)
P: libdbix-simple-perl source: silent-on-rules-requiring-root [debian/control]
X: libdbix-simple-perl source: upstream-metadata-file-is-missing

[Duplication]
There is no other package in main providing the same functionality.

Some potential duplicates are listed in the command below, most of them in
universe, except libdbi-perl, which is being used by libdbix-simple-perl as
a lower-layer abstraction.
$ rmadison -c main -s mantic {libdbix-abstract-perl,libsql-abstract-perl,libdbix-class-perl,libdbix-easy-perl,libdbix-oo-perl,libdbix-safe-perl,libdbi-perl}
 libdbi-perl | 1.643-4 | mantic | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- other Dependencies to MIR due to this:
 * libobject-accessor-perl binary and source package is in universe
 * libsql-abstract-perl binary and source package is in universe
 * libtext-table-perl binary and source package is in universe

[Embedded sources and static linking]
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source. (passing through SQL from trusted source code)
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary ...


Lukas Märdian (slyon) wrote (last edit):

Moving to "In Progress", as we're just waiting on a few dependency MIRs.

Those dependencies are "just" Recommends. You can also consider dropping them to unlock the MIR.

Changed in libdbix-simple-perl (Ubuntu):
status: New → In Progress
assignee: Lukas Märdian (slyon) → nobody