Review for Source Package: libgssglue

[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: libgssglue1, libgssglue-dev
Specific binary packages built, but NOT to be promoted to main: <none>

Required TODOs:
- #1 Please differentiate gssglue from mechglue as provided by krb5.
  At a certain abstraction they sound like the same, what does gssglue
  provide to Ubuntu users that isn't already there?
  Because by the words that define them they appear to do the same:
  - http://grid.ncsa.illinois.edu/gssapi-mechglue/ : "provides a virtual layer
    above multiple GSSAPI implementations, so an application can use the GSSAPI
    interface to GSSAPI mechanisms implemented in different libraries (for
    example, GSI and Kerberos)."
  - Provided as part of kerberos
    https://web.mit.edu/kerberos/www/krb5-latest/doc/plugindev/gssapi.html
  - Example user of that interface https://github.com/gssapi/gss-ntlmssp


[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality unless
if mechglue of krb5 is the same already. Please forgive me, but I'm not deep
enough into this stack and will ask for a differentiation to mechglue in the
required todo's above.

A team (Foundations) is committed to own long term maintenance of this package.

The rationale given in the report seems valid and useful for Ubuntu
It isn't strictly needed as the only thing in wide use is krb5, but it allows
users choice and reduces the delta to Debian.


[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion (libgssglue-dev is safe)
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present (just a header file for gssapi, that does
  not count)
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning (just CVE-2011-270)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features (would be up to the user of the lib)

Problems:
- does parse data formats as it does certain conversions and mappings along
  the abstraction
- does deal with system authentication
=> Due to that this will need a security review as well


[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite (trivial though) that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency

Problems: None


[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control (will go away after the promotion to main)
- symbols tracking is in place.
- debian/watch is present and looks ok
- Upstream update history is slow but ok (it is rather stable)
- Debian/Ubuntu update history is ok following upstream closely
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- The current release is not packaged, but would be available for syncing
  if it can go to main


[Upstream red flags]
OK:
- no Errors/warnings during the build
  one out of bounds warning, gone in 0.8
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody (only in tests)
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this use case

Problems: None