Comment 7 for bug 1977551

Mark Esler (eslerm) wrote:

I reviewed lerc 3.0+ds-1ubuntu1 as checked into kinetic as well as upstream's 4.0.0. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

Please note that LERC 4.0.0 was released after MIR process began (2022-06-15).

> LERC is an open-source image or raster format which supports rapid encoding and decoding for any pixel type (not just RGB or Byte). Users set the maximum compression error per pixel while encoding, so the precision of the original input image is preserved (within user defined error bounds).

- CVE History:
  - none
- Build-Depends?
  - C/C++
    - ld-linux-x86-64.so.2
    - libgcc_s.so.1
    - libm.so.6
    - libstdc++.so.6
    - linux-vdso.so.1
  - Python
    - numpy
    - ctypes
    - timeit
    - platform
    - os
- pre/post inst/rm scripts?
  - yes, generated by dh_python3
  - postinst: compiles python3-lerc
  - prerm: attempts to remove python3-lerc
  - tested install and removal
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - has build tests and autopkgtests
- cron jobs?
  - none
- Build logs:
  - only setup.py being deprecated as previously mentioned

- Processes spawned?
  - none
- Memory management?
  - 86 memcpy calls, 1 malloc call
  - memcpy and malloc use looks good
  - defensive memory management tools are provided by functions of this library
    - see lerc_computeCompressedSize to help memory allocation
- File IO?
  - only for tests
- Logging?
  - none for C/C++, some commented out print lines
  - Python has some error messages and a verbose flag
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - no, only js files not included in MIR
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - js results ignored
  - a minor bitshift error edge case in a private method
    - bitshift never errored as written
    - upstream addressed concern immediately with https://github.com/Esri/lerc/pull/224
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none

LercTest/main.cpp and _lerc.py contain "TestLegacyData" which includes unshared files and a specific directory setup ('D:/GitHub/LercOpenSource_v2.5/testData/'). It would be nice if upstream moved this to ./testData and our test suite was expanded.

Upstream can make optional or remove timer() from _lerc.py when debug/performance information is not needed. https://github.com/Esri/lerc/issues/221

@seb128, thanks for reporting @slyon's #5. Deprecating setup.py would be nice to see.

Security team ACK for promoting lerc to main liblerc3 and python3-lerc. Packages using ./OtherLanguages/CSharp/ and ./OtherLanguages/js/ are not acknowledged for main and require a separate MIR.