Review for Package: http-parser

[Summary]
I cannot yet ACK or NACK this MIR until we discuss whether the project not being maintained upstream is a blocker and any alternative solutions.

A few details about this:
* http-parser is not maintained upstream. Upstream suggests using llhttp (https://github.com/nodejs/llhttp)
* http-parser is a dependency of libgit2, so at the end of the day the question is whether libgit2 will move from http-parser to llhttp.
* The Foundations team is aware of the project being unmaintained upstream and is willing to take charge of the maintenance.
* The package is maintained in Debian (e.g. the maintainer has pulled in PRs, including one for a CVE, that haven't been merged upstream).

That said, IMO the project not being maintained anymore is not a huge blocker, since Foundations have agreed to take care of that and Debian is actively maintaining it.

This does need a security review, but I will not assign security-team until we decide whether this is an ACK or NACK.

Please take a look at the recommended TODOs and address as many as possible.

List of specific binary packages to be promoted to main: libhttp-parser2.9, libhttp-parser-dev

Notes:

Recommended TODOs:
1. This is a trivial one concerning the use of malloc. In file contrib/parsertrace.c, line 122, malloc is used and then the pointer is not checked for a successful allocation before it is used.
- The package should get a team bug subscriber before being promoted

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - http-parser checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- does parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source.
- does process arbitrary web content

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta (patches found in debian/patches are carried over from debian)
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- Upstream update history is... not maintained anymore

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case

Problems:
- incautious use of malloc/sprintf: contrib/parsertrace.c l122, malloc with no check afterwards whether memory was allocated
- package not maintained
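As an added illustration of the malloc issue flagged in the Recommended TODOs and again under [Upstream red flags]: this is example code written for this review, not code from http-parser or from contrib/parsertrace.c, and the function and type names (copy_unchecked, copy_checked, alloc_fn, failing_alloc) are hypothetical. It shows the unchecked pattern beside a checked version that reports failure to its caller, with an injectable allocator so the out-of-memory path can be exercised without actually exhausting memory.

```c
/* Added example, not http-parser code: checking the result of malloc.
 * The allocator is passed in as a function pointer (hypothetical
 * alloc_fn) so that allocation failure can be simulated in a test. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);

/* The pattern the review flags: the pointer returned by the allocator
 * is written to without testing for NULL. If the allocation fails this
 * dereferences a null pointer and the program crashes. */
char *copy_unchecked(const char *src, size_t len, alloc_fn alloc) {
    char *buf = alloc(len + 1);
    memcpy(buf, src, len);   /* undefined behaviour when buf == NULL */
    buf[len] = '\0';
    return buf;
}

/* Hardened form: every allocation is checked and failure is reported
 * to the caller. Returns 0 on success and -1 on failure; *out is set to
 * NULL on failure so the caller can never use a stale pointer. */
int copy_checked(const char *src, size_t len, alloc_fn alloc, char **out) {
    *out = NULL;
    if (len == SIZE_MAX) {
        return -1;           /* len + 1 would wrap around to 0 */
    }
    char *buf = alloc(len + 1);
    if (buf == NULL) {
        return -1;           /* out of memory: propagate, do not crash */
    }
    memcpy(buf, src, len);
    buf[len] = '\0';
    *out = buf;
    return 0;
}

/* Test double: an allocator that always fails, to simulate OOM. */
void *failing_alloc(size_t n) {
    (void)n;
    return NULL;
}

int main(void) {
    /* Constructed sample input, not taken from the package. */
    const char *sample = "GET / HTTP/1.1";
    char *s = NULL;

    if (copy_checked(sample, strlen(sample), malloc, &s) == 0) {
        printf("copied: %s\n", s);
        free(s);
    }
    if (copy_checked(sample, strlen(sample), failing_alloc, &s) != 0) {
        printf("allocation failed, handled without a crash (s == %p)\n",
               (void *)s);
    }
    return 0;
}
```

The fix for the TODO is the same shape as copy_checked: test the pointer immediately after malloc and bail out (or report an error) on NULL before anything is written through it.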