[Summary]
From the MIR POV the package is mostly ok.
The overall topic of smartcard usage will need some QA testing to be supportable. Only a bit can be done in autopkgtest due to the special HW requirements but it would be worth trying that as well as setting up a test lab with the most common respective HW.

This does need a security review, so I'll assign ubuntu-security

Binaries to promote: libccid

TODOs:
Recommended:
- Tests:
  - Special HW - In general and I guess this is true for all packages here. Canonical should get a set of the common (=the want to be supported) devices and document those somewhere to make it clear what is regularly tested / supported vs what is on "hopefully it works" level.
  - Also please try at least if with vsmartcard-vpicc + vsmartcard-vpcd some autopkgtest time testing could be added to some of these packages. (I'm not going to repeat this request on all reviews, but overall it is important for QA on such a new topic.)
- Add symbols tracking (this is a bit vice versa, it is a lib providing a driver to be used in PC/SC, but still auto-detect if things change is good)

Required:
- Please subscribe to the package (usually good to be done now already)

[Duplication]
libccid is used to communicate through PC/SC (also on this MIR) with smart cards. https://wiki.debian.org/Smartcards holds a nice overview, there are a bunch of special drivers in other packages (not part of this MIR), but ccid covers the majority of devices listed.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (libc6, libusb-1.0-0)
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
Problems:
- does parse data formats
  The ccid protocol - if ever exploited - would be a very great angle of attack
- does deal with system authentication (e.g. pam, etc.)
  Smartcards can and commonly are used to do auth
- This will need a security review on top of the MIR review

[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard
Problems:
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
  => Tests of special HW are hard at build time anyway, but a bit more than nothing would be great. I suggested an overall test with a set of meant to be supported cards exercising all the components of this MIR.
- The package has a team bug subscriber
  This needs a Team subscriber still, Desktop was mentioned to be that, but it isn't yet. From experience this is easy to be forgotten later. Also subscribing now will help to see the influx of bugs on the topic and therefore help to be sure if you want to own this.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good (regular and only stable updates)
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
Problems:
- symbols tracking is not in place

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks