Comment 9 for bug 1891157

Christian Ehrhardt (paelzer) wrote:

[Summary]
MIR team ack for the packaging and overall quality.
But it needs a security review as well, assigning ubuntu-security.

[Duplication]
Only the code that is part of ippusbxd is similar in function and it is
planned to replace ippusbxd in main with this.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present, despite go package \o/
- static linking (go package), but no deps \o/

[Security]
OK:
- history of CVEs does not look concerning
  but it is rather new and the ipp protocol and implementations had many
  issues so one can expect this might happen here as well
- does not run a daemon as root
  but it will be used in a daemon
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)

Problems:
- does parse data formats
  The parsing in go is supposed to be safer, especially since transport is
  done by the standard lib of go that should be exercised and tested
  a lot already.
  Due to that and the history of IPP in general it will need a security review.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build.
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider in that regard
- Go package that uses dh-golang

Problems:
- does not have a test suite that runs as autopkgtest
  But it is only a lib, an autopkgtest would be better in things using it

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is unclear (too new)
- Debian/Ubuntu update history is unclear (too new)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have further Built-Using
- Go Package that follows the Debian Go packaging guidelines

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks