Review for Source Package: cairomm1.16
[Summary]
This is just a continued development of src:cairomm (i.e. v1.14) but introducing a new ABI series 1.16 (vs 1.0 as used by src:cairomm), so it can be co-installed with src:cairomm.
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does not need a security review.
List of specific binary packages to be promoted to main: libcairomm-1.16-1 (& -dev & -doc)
Specific binary packages built, but NOT to be promoted to main: None
Notes:
I couldn't find any previous MIR for src:cairomm (which has been in main for a long time), so this is a full MIR review.
#0: I wonder if there is any plan to demote src:cairomm from "main", in order to avoid the GTK3/GTK4 duplication?
Required TODOs:
#1: depends on libsigc++-3.0, whose MIR is LP: #2020272 (resolved as of 2023-06-22)
#2: symbols tracking is not in place (as this is a C++ library, this can be downgraded to a recommendation if proper reasoning is given for why symbols tracking isn't feasible for this library, or how fixing the ABI checker tooling was attempted)
Recommended TODOs:
#3: The package should get a team bug subscriber before being promoted
#4: Lintian warnings of interest, might be fixed together with Debian:
I: libcairomm-1.16-1: no-symbols-control-file usr/lib/x86_64-linux-gnu/libcairomm-1.16.so.1.4.0
I: cairomm1.16 source: repackaged-source-not-advertised [debian/copyright]
#5: important open bugs, might be fixed together with Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032457 (nocheck FTBFS)
#6: Build-time warnings, might be fixed together with upstream:
dh_translations: warning: could not determine domain
../meson.build:236: WARNING: Consider using the built-in warning_level option instead of using "-Wall".
../meson.build:236: WARNING: Consider using the built-in warning_level option instead of using "-Wextra".
warning: Tag 'LATEX_SOURCE_CODE' at line 226 of file 'reference/Doxyfile' has become obsolete.
To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'RTF_SOURCE_CODE' at line 238 of file 'reference/Doxyfile' has become obsolete.
To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'DOCBOOK_PROGRAMLISTING' at line 258 of file 'reference/Doxyfile' has become obsolete.
To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'CLASS_DIAGRAMS' at line 310 of file 'reference/Doxyfile' has become obsolete.
To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
[Duplication]
There is another package in main providing the same functionality.
The same package but different version is in main.
However we need the newer version of cairomm because it is part of the GTK4 stack
and it is now used by a considerable number of default Ubuntu Desktop apps.
src:cairomm and src:cairomm-1.16 are different ABI series and co-installable, as stated by the upstream project and visible through the library's SONAME.
[Dependencies]
OK:
- SRCPKG checked with `check-mir`
- all of the (potentially auto-generated) dependencies (Depends
and Recommends) that are present after build are in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems:
- depends on libsigc++-3.0, whose MIR is LP: #2020272
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used, all Built-Using are in main
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
Problems: None
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
Problems: None
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is slow, but OK for a mature toolkit binding
- Debian/Ubuntu update history is slow, but OK for a mature toolkit binding
- the current (stable) release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems:
- symbols tracking is not in place
- Lintian warnings:
I: libcairomm-1.16-1: no-symbols-control-file usr/lib/x86_64-linux-gnu/libcairomm-1.16.so.1.4.0
I: cairomm1.16 source: repackaged-source-not-advertised [debian/copyright]
[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (C++ library, does not use them)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?
- Build-time warnings:
dh_translations: warning: could not determine domain
../meson.build:236: WARNING: Consider using the built-in warning_level option instead of using "-Wall".
../meson.build:236: WARNING: Consider using the built-in warning_level option instead of using "-Wextra".
warning: Tag 'LATEX_SOURCE_CODE' at line 226 of file 'reference/Doxyfile' has become obsolete.
To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'RTF_SOURCE_CODE' at line 238 of file 'reference/Doxyfile' has become obsolete.
To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'DOCBOOK_PROGRAMLISTING' at line 258 of file 'reference/Doxyfile' has become obsolete.
To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"
warning: Tag 'CLASS_DIAGRAMS' at line 310 of file 'reference/Doxyfile' has become obsolete.
To avoid this warning please remove this line from your configuration file or upgrade it using "doxygen -u"