Comment 3 for bug 1993819

Review for Package: dh-cargo

[Summary]
it was to be expected for the kind of package that this is, but even
checking in detail did not show any problems on this.

MIR team ACK

This does not need a security review

List of specific binary packages to be promoted to main: dh-cargo
Specific binary packages built, but NOT to be promoted to main: n/a

Notes:
- Just curious, is there a build generating a .lock file somewhere?
  I didn't see one referenced from the bug. I'm Interested to see it
  and maybe convert mdevctl to use it for its embedded source.

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a rust package, no extra constraints to consider in that regard
  (this is perl and shell, not rust itself)

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source (only builds which are untrusted, but
  in a save env).
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems: None

[Common blockers]
OK:
- does not FTBFS currently
- No special HW needed for build/test
- A non-trivial test on this level does not make much sense (for the build
  helper itself alone) but the overall things it helps building are put to
  many tests.

Problems:
- does not have a test suite that runs at build time
- does not have a non-trivial test suite that runs as autopkgtest
=> I'd consider both facts ok for the special situation this package is in.
   It is more to facilitate builds and tests of other code than itself.
   The code itself is complex, but not too big yet.
   While it would be nice to have some self-tests on expected behavior
   I consider it ok to have no exhausting tests right now.
   Thanks for adding tests that cover our delta!

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control
- symbols tracking not applicable for this kind of code.
- d/watch is present not present (ok = native)
- Upstream update history is N/A
- Debian/Ubuntu update history is ok (not many changes recently though)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean (couldn't be less)
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (no languages providing that)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems: None