Comment 2 for bug 2020273

Lukas Märdian (slyon) wrote (last edit):

Review for Source Package: cairomm1.16

[Summary]
This is just a continued development of src:cairomm (i.e. v1.14) but introducing a new ABI series 1.16 (vs 1.0 as used by src:cairomm), so it can be co-installed with src:cairomm.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does not need a security review

List of specific binary packages to be promoted to main: libcairomm-1.16-1 (& -dev & -doc)
Specific binary packages built, but NOT to be promoted to main: None

Notes:
I couldn't find any previous MIR for src:cairomm (which has been in main for a long time), so this is a full MIR review.

#0: I wonder if there is any plan to demote src:cairomm from "main", in order to avoid the GTK3/GTK4 duplication?

Required TODOs:
#1: depends on the MIR for libsigc++-3.0, LP: #2020272 (resolved as of 2023-06-22)
#2: symbols tracking is not in place (due to being a C++ library, this can be downgraded to a recommendation if proper reasoning is given for why this isn't feasible for this library, or how fixing the ABI-checker tooling was attempted)

Recommended TODOs:
#3: The package should get a team bug subscriber before being promoted
#4: Lintian warnings of interest, might be fixed together with Debian:
I: libcairomm-1.16-1: no-symbols-control-file usr/lib/x86_64-linux-gnu/libcairomm-1.16.so.1.4.0
I: cairomm1.16 source: repackaged-source-not-advertised [debian/copyright]
#5: important open bugs, might be fixed together with Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032457 (nocheck FTBFS)
#6: Build-time warnings, might be fixed together with upstream:
dh_translations: warning: could not determine domain
../meson.build:236: WARNING: Consider using the built-in warning_level option instead of using "-Wall".
../meson.build:236: WARNING: Consider using the built-in warning_level option instead of using "-Wextra".
warning: Tag 'LATEX_SOURCE_CODE' at line 226 of file 'reference/Doxyfile' has become obsolete.
         To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'RTF_SOURCE_CODE' at line 238 of file 'reference/Doxyfile' has become obsolete.
         To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'DOCBOOK_PROGRAMLISTING' at line 258 of file 'reference/Doxyfile' has become obsolete.
         To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'CLASS_DIAGRAMS' at line 310 of file 'reference/Doxyfile' has become obsolete.
         To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"

[Duplication]
There is another package in main providing the same functionality.
The same package but different version is in main.
However, we need the newer version of cairomm because it is part of the GTK4 stack
and it is now used by a considerable number of default Ubuntu Desktop apps.
src:cairomm and src:cairomm-1.16 are different ABI series and co-installable, as stated by the upstream project and visible through the library's SONAME.

[Dependencies]
OK:
- SRCPKG checked with `check-mir`
- all of the (potentially auto-generated) dependencies (Depends
  and Recommends) that are present after build are in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- depends on the MIR for libsigc++-3.0, LP: #2020272

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used, all Built-Using are in main
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems: None

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is slow, but OK for a mature toolkit binding
- Debian/Ubuntu update history is slow, but OK for a mature toolkit binding
- the current (stable) release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- symbols tracking is not in place
- Lintian warnings:
I: libcairomm-1.16-1: no-symbols-control-file usr/lib/x86_64-linux-gnu/libcairomm-1.16.so.1.4.0
I: cairomm1.16 source: repackaged-source-not-advertised [debian/copyright]

[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (C++ library, not using it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems:
- important open bugs:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032457 (nocheck FTBFS)

- Build-time warnings:
dh_translations: warning: could not determine domain
../meson.build:236: WARNING: Consider using the built-in warning_level option instead of using "-Wall".
../meson.build:236: WARNING: Consider using the built-in warning_level option instead of using "-Wextra".
warning: Tag 'LATEX_SOURCE_CODE' at line 226 of file 'reference/Doxyfile' has become obsolete.
         To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'RTF_SOURCE_CODE' at line 238 of file 'reference/Doxyfile' has become obsolete.
         To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'DOCBOOK_PROGRAMLISTING' at line 258 of file 'reference/Doxyfile' has become obsolete.
         To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'CLASS_DIAGRAMS' at line 310 of file 'reference/Doxyfile' has become obsolete.
         To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"