Comment 11 for bug 1812456

Didier Roche-Tolomelli (didrocks) wrote:

[Summary]
ACK from the MIR team.
This does need a security review, so I'll assign ubuntu-security and list the specific binary packages to be promoted to main.

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
- no other dependencies to MIR due to this, apart from ostree, which is listed above

[Embedded sources and static linking]
- no embedded source present
- no static linking

[Security]
- history of CVEs does not look concerning
- does not use webkit1/2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop (apart in tests)
- does not deal with system authentication (e.g. pam), etc.

Problems:
- it does run a daemon as root and interacts with cgroups. This isn't part of the binary package we are promoting; however, as we have the rule "if the source is in main, we can promote any other binary package without a new MIR", this will need to be checked right now with the security team.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- a test suite failure will fail the build
- does have a test suite that runs as autopkgtest. Some tests are marked as flaky
- The package has a team bug subscriber
- translations present?
- not a python/go package, no extra constraints to consider in that regard
- no new python2 dependency

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs so far
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks