Review for Package: gnome-sushi

[Summary]
There are too many open issues to give a MIR ack right away. For your next MIR, please ensure you do a real check of the package (dependencies on universe binary packages are a check that the reporter should do) and that there are no remaining TODOs before setting the bug report to "New" for MIR team consideration.

Also, as it's depending on webkit, this will need a security review. They will be assigned once the MIR is acked.

Specific binary packages built, but NOT to be promoted to main: gnome-sushi

Notes:

Required TODOs:
- Write the testplan for this package to cover what neither the build nor autopkgtests test. I would really prefer this to be done prior to the MIR, as it's always time consuming to go back to a MIR, reread and get the context to check the testplan is valid. Please consider that for future MIRs, or keep the MIR incomplete until you have the time to do so.
- Some dependencies are still in universe, like gir1.2-gtksource-4. Please check all dependencies of the binaries you want to promote, file MIRs as needed and mention them in the description.
- There is no symbol tracking in place, only a shlibs. We require symbol tracking for all new packages entering main. However, if the lib is only used by gnome-sushi, this could be relaxed. Please state so explicitly in the MIR description.

Recommended TODOs:
- As you identified some lintian warnings which are not due to upstream code and which are easy to fix, please fix them to not clutter the build output.
- There are a couple of upstream warnings during package build. Please report them upstream (they seem to be deprecation warnings, so it should be easy enough to propose a patch upstream).

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

Problems:
- Some dependencies are still in universe, like gir1.2-gtksource-4. Please check all dependencies of the binaries you want to promote, file MIRs as needed and mention them in the description.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Note: the parsing is done within the process, but with external libraries already in main, not directly within this code.

[Common blockers]
OK:
- does not FTBFS currently
- no new python2 dependency

Problems:
- No autopkgtests nor build tests. Write the testplan for this package to cover what neither the build nor autopkgtests test.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- There is no symbol tracking in place, only a shlibs. We require symbol tracking for all new packages entering main.
- As you identified some lintian warnings which are not due to upstream code and which are easy to fix, please fix them to not clutter the build output.

[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- part of the UI, desktop file is ok
- translation present

Problems:
- There are a couple of upstream warnings during package build. Please report them upstream (they seem to be deprecation warnings, so it should be easy enough to propose a patch upstream).
- Dependency of webkit, so require a security review.
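The review asks the reporter to check that every hard dependency of the binaries being promoted is already in main. The helper below is an added example, not part of this MIR or of the gnome-sushi packaging; it assumes an Ubuntu archive where main packages carry a bare Section (e.g. "Section: libs") and other components carry a prefix (e.g. "Section: universe/introspection"), and uses only apt-cache.

```shell
#!/bin/sh
# Added helper (not from the MIR or gnome-sushi): list the hard
# dependencies of a binary package that live outside the "main" component.
# Assumption: in Ubuntu Packages data, main packages have a bare
# "Section: libs" while other components carry a prefix such as
# "Section: universe/libs"; everything here relies on that convention.

# component_of: read `apt-cache show` output on stdin and print the
# component (main, universe, multiverse, restricted) of the first stanza.
component_of() {
    awk '/^Section:/ {
             if (index($2, "/") > 0) { split($2, a, "/"); print a[1] }
             else                    { print "main" }
             exit
         }'
}

# hard_deps PKG: unique "Depends:" targets reported by apt-cache, skipping
# alternatives ("|Depends:") and Recommends/Suggests; apt-cache prints
# virtual packages as <name>, so the angle brackets are stripped.
hard_deps() {
    apt-cache depends "$1" | awk '$1 == "Depends:" { print $2 }' \
        | tr -d '<>' | sort -u
}

# non_main_deps PKG: print "dep (component)" for each hard dependency
# outside main, "dep (unknown)" when apt-cache has no record for it
# (e.g. a purely virtual name), and return 1 if anything was reported.
non_main_deps() {
    found=0
    for dep in $(hard_deps "$1"); do
        comp=$(apt-cache show "$dep" 2>/dev/null | component_of)
        case "$comp" in
            main) ;;
            "")   echo "$dep (unknown)"; found=1 ;;
            *)    echo "$dep ($comp)";   found=1 ;;
        esac
    done
    return $found
}

# Example run on a machine with the Ubuntu archive configured:
#   non_main_deps gnome-sushi
```

A clean run prints nothing and exits 0; each line it does print is a dependency that needs its own MIR (or a mention in the description) before the package can be promoted.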