[MIR] argon2

Bug #1746047 reported by Julian Andres Klode
Affects: argon2 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

[Availability]
Available in universe, not a lot of updates.

[Rationale]
cryptsetup needs the argon2 library for the new LUKS2 format. It's also becoming more popular in general, being the winner of the password hashing competition in 2015, so other parts might use it.

We could use the embedded one, but that seems a bit pointless.

[Security]

[Quality assurance]
Upstream has a test suite run at build

[Dependencies]
None.

[Standards compliance]

[Maintenance]
Should be a foundations package, given that lvm2 is. Not many upstream releases, the last one was end of 2017, the one before end of 2016, so not much work.

[Background information]

Changed in argon2 (Ubuntu):
status: New → Triaged
status: Triaged → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Mathieu Trudel-Lapierre (cyphermox) wrote :

Package looks good, it's a new project so not unusual not to have CVEs in Mitre. There's a team subscriber, package runs tests as part of the build, etc. This looks fine to me, but given that it is a package that would be used to handle keys in cryptsetup, this requires a security review.

Changed in argon2 (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → Ubuntu Security Team (ubuntu-security)
Matthias Klose (doko) wrote :

now pre-promoted, to fix php uninstallability

Override component to main
argon2 0~20161029-1.1 in bionic: universe/misc -> main
argon2 0~20161029-1.1 in bionic amd64: universe/utils/optional/100% -> main
argon2 0~20161029-1.1 in bionic arm64: universe/utils/optional/100% -> main
argon2 0~20161029-1.1 in bionic armhf: universe/utils/optional/100% -> main
argon2 0~20161029-1.1 in bionic i386: universe/utils/optional/100% -> main
argon2 0~20161029-1.1 in bionic ppc64el: universe/utils/optional/100% -> main
argon2 0~20161029-1.1 in bionic s390x: universe/utils/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic amd64: universe/libs/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic arm64: universe/libs/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic armhf: universe/libs/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic i386: universe/libs/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic ppc64el: universe/libs/optional/100% -> main
libargon2-0 0~20161029-1.1 in bionic s390x: universe/libs/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic amd64: universe/libdevel/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic arm64: universe/libdevel/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic armhf: universe/libdevel/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic i386: universe/libdevel/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic ppc64el: universe/libdevel/optional/100% -> main
libargon2-0-dev 0~20161029-1.1 in bionic s390x: universe/libdevel/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic amd64: universe/debian-installer/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic arm64: universe/debian-installer/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic armhf: universe/debian-installer/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic i386: universe/debian-installer/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic ppc64el: universe/debian-installer/optional/100% -> main
libargon2-0-udeb 0~20161029-1.1 in bionic s390x: universe/debian-installer/optional/100% -> main
25 publications overridden.

Seth Arnold (seth-arnold) wrote :

I reviewed argon2 version 0~20161029-1.1 as checked into bionic. This isn't a full security audit but rather a quick gauge of maintainability. Specifically I did not audit the implementation for correctness or cryptographic security.

- argon2 is the winning entry in a recent "Password Hashing Competition", modeled after the AES and SHA-3 competitions, run by the open cryptography community. The intention is to make a new password hashing algorithm and key derivation function.
- There are no CVEs in our database
- This package provides command line utilities and library suitable for
  direct use.
- argon2 does not daemonize
- no pre/post inst/rm scripts
- no initscripts
- no systemd units
- no dbus services
- no setuid
- argon2 application in PATH
- no sudo fragments
- no udev rules
- a test suite is run during the build
- no cronjobs
- clean buildlogs

- no subprocesses are spawned
- memory management looked careful
- No file IO
- No environment variables
- No privileged operations
- Extensive cryptography
- No networking
- No privileged portions of code
- No temporary files
- No WebKit
- No JavaScript
- cppcheck has one false positive
- No PolicyKit

The API to use argon2 functions is more complicated than I'd like. Someone
somewhere is going to misuse this thing because it's too complex.

But the code quality was good.

Security team ACK for promoting argon2 to main.

Thanks

Changed in argon2 (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Matthias Klose (doko)
Changed in argon2 (Ubuntu):
status: In Progress → Fix Released