Review for Package: libfreeaptx

[Summary]
libfreeaptx is a small library and is an Open Source implementation of the Audio Processing Technology codec (aptX) derived from the ffmpeg 4.0 project and licensed under LGPLv2.1+. This codec is mainly used in the Bluetooth A2DP profile. It provides the dynamically linked shared library libfreeaptx.so and simple command line utilities for encoding and decoding operations.

libfreeaptx is based on version 0.2.0 of libopenaptx with the intent of continuing under a free license without the additional license restriction added to libopenaptx 0.2.1.

Binary packages from source package:
- libfreeaptx-dev: provides development files
- freeaptx-utils: provides utilities for encoding and decoding (freeaptxenc, freeaptxdec)
- libfreeaptx0: provides the shared library

MIR team ACK.
This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: libfreeaptx0, freeaptx-utils, libfreeaptx-dev

Notes:
Recommended TODOs:
- The package should get a team bug subscriber before being promoted
- Although it is explained why there are no tests in the package and the team commits to manually test it, it would still be nice to have some tests either at build time or autopackage if possible (this is only recommended).

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used, all Built-Using are in main

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does parse data formats

[Common blockers]
OK:
- does not FTBFS currently
- the package does not provide any tests at all. The subscribed team commits to manually test the package as described in bug description (section [Quality assurance - testing])
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is sporadic
- Debian/Ubuntu update history is sporadic
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case

Problems: None