[Summary]
This looks ok from a MIR POV and you have my Ack IF you can outline a reasonable use case that benefits from libbluray WITHOUT also promoting libaacs0. Please do so in a comment on this bug.

This does also need a security review, so I'll assign ubuntu-security now.

List of specific binary packages to be promoted to main:
- libbluray-dev
- libbluray2

Required TODOs:
- Please double check that without libaacs0 this is still really a useful use-case to Ubuntu users. Speak up here and outline what use-cases will benefit without libaacs0.

Recommended TODOs:
- Add some self-tests, see suggestions how to do so below

Note: we ship it with the readme already in universe, there is the inherent issue of potential piracy issues being considered related with such libs. But we already ship it (main/universe should not make a difference), we include the disclaimer and this lib does not do any decoding. So it should be fine in that regard to the MIR process.
Also from upstream to quote:
"Legal: libbluray is DRM-circumvention free, and thus, safe to integrate in your software."

[Duplication]
No other lib seems to provide this functionality.
Yet the approach to take libbluray2 but drop the libaacs0 recommends likely ends up in only support for non-commercial Blu-rays.
From the description:
Most commercial Blu-Ray are restricted by AACS or BD+ technologies and this library is not enough to playback those discs.
With that in mind is it worth to have libbluray2 "alone"?

[Dependencies]
OK:
- no other Dependencies to MIR due to this (if we keep the bd-j things out)
- -dev shall be promoted and -doc has no critical dependencies

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam), etc.

Problems:
- does not parse data formats
  It will need to parse Blu-ray discs (or images) and could be exploited that way. Security should have a look to be sure.

[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber (desktop team)
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest

There are some test tools like ./src/examples/libbluray_test.c that are even shipped with the examples. It shouldn't be too hard to provide some self created m2ts file along that and have an autopkgtest that
1. builds the example against libbluray-dev
2. runs the program to get info from the test file

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is ok
- Debian/Ubuntu update history is ok
- the current release is packaged (a sync and 1.2.1 is in unstable)
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks