[MIR] lib*-perl for lintian 2.115

Bug #1980662 reported by Lukas Märdian
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
libfreezethaw-perl (Ubuntu)
Fix Released
Undecided
Unassigned
libhtml-tokeparser-simple-perl (Ubuntu)
Fix Released
Undecided
Unassigned
libhttp-server-simple-perl (Ubuntu)
Invalid
Undecided
Graham Inggs
libmldbm-perl (Ubuntu)
Fix Released
Undecided
Unassigned
libregexp-wildcards-perl (Ubuntu)
Invalid
Undecided
Unassigned
libwww-mechanize-perl (Ubuntu)
Fix Released
Undecided
Unassigned
lintian (Ubuntu)
Confirmed
Undecided
Lukas Märdian

Bug Description

See comments below:

#5: libhtml-tokeparser-simple-perl
#6: libwww-mechanize-perl
#7: libmldbm-perl
#8: libfreezethaw-perl

Lukas Märdian (slyon)
Changed in libfreezethaw-perl (Ubuntu):
status: New → Incomplete
Changed in libhttp-server-simple-perl (Ubuntu):
status: New → Incomplete
Changed in libmldbm-perl (Ubuntu):
status: New → Incomplete
Changed in libwww-mechanize-perl (Ubuntu):
status: New → Incomplete
Changed in libregexp-wildcards-perl (Ubuntu):
status: New → Incomplete
Lukas Märdian (slyon)
Changed in lintian (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
tags: added: update-excuse
Revision history for this message
Lukas Märdian (slyon) wrote :

libmldbm-perl and libfreezethaw-perl have been in "main" in the past (LP: #1427724)

Revision history for this message
Olivier Gayot (ogayot) wrote :

Moved libregexp-wildcards-perl into a separate MIR since it's maintained by a different group: https://bugs.launchpad.net/ubuntu/+source/libregexp-wildcards-perl/+bug/1980968

Changed in libregexp-wildcards-perl (Ubuntu):
status: Incomplete → Invalid
Graham Inggs (ginggs)
Changed in libhtml-tokeparser-simple-perl (Ubuntu):
assignee: nobody → Graham Inggs (ginggs)
Changed in libhttp-server-simple-perl (Ubuntu):
assignee: nobody → Graham Inggs (ginggs)
Changed in libwww-mechanize-perl (Ubuntu):
assignee: nobody → Graham Inggs (ginggs)
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lintian (Ubuntu):
status: New → Confirmed
Revision history for this message
Graham Inggs (ginggs) wrote :

libwww-mechanize-perl dropped its dependency on libhttp-server-simple-perl:

libwww-mechanize-perl (2.14-2) unstable; urgency=medium

  * Drop unnecessary runtime dependency on libhttp-server-simple-perl.
    Thanks to Graham Inggs for spotting.

 -- gregor herrmann <email address hidden> Wed, 17 Aug 2022 18:05:59 +0200

Changed in libhttp-server-simple-perl (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
Graham Inggs (ginggs) wrote (last edit ):
Download full text (3.6 KiB)

[Availability]
The package libhtml-tokeparser-simple-perl is already in Ubuntu universe.
The package libhtml-tokeparser-simple-perl builds for the architectures it is designed to work on.
It currently builds and works for architectures: all (perl package)
Link to package https://launchpad.net/ubuntu/+source/libhtml-tokeparser-simple-perl

[Rationale]
The package libhtml-tokeparser-simple-perl is required in Ubuntu main for lintian
The package libhtml-tokeparser-simple-perl will not generally be useful for a large part of
our user base, but is important/helpful still because
 - The package libhtml-tokeparser-simple-perl is a new runtime dependency of package lintian that
   we already support
 - The package libhtml-tokeparser-simple-perl is required in Ubuntu main no later than 2022-08-25
   due to Kinetic Feature Freeze

[Security]
 - No CVEs/security issues in this software in the past
 - no `suid` or `sgid` binaries
 - no executables in `/sbin` and `/usr/sbin`
 - Package does not install services, timers or recurring jobs
 - Packages does not open privileged ports (ports < 1024)
 - Packages does not contain extensions to security-sensitive software
   (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
 - The package works well right after install - it is a library

[Quality assurance - maintenance]
 - The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
 - The package runs a test suite on build time, if it fails
   it makes the build fail, link to build log
   https://launchpad.net/ubuntu/+source/libhtml-tokeparser-simple-perl/3.16-4/+build/22592540
 - The package runs an autopkgtest, and is currently passing on
   amd64 arm64 armhf ppc64el s390x, link to test logs
   https://autopkgtest.ubuntu.com/packages/libhtml-tokeparser-simple-perl
 - The package does have not failing autopkgtests right now

[Quality assurance - packaging]
 - debian/watch is present and works
 - debian/control defines a correct Maintainer field
 - This package does not yield massive lintian Warnings, Errors
   no errors or warnings https://udd.debian.org/lintian/?packages=libhtml-tokeparser-simple-perl
 - Please link to a recent build log of the package
   https://launchpad.net/ubuntu/+source/libhtml-tokeparser-simple-perl/3.16-4/+build/22592540
 - Full output of `lintian --pedantic`
   E: libhtml-tokeparser-simple-perl changes: bad-distribution-in-changes-file unstable
 - Lintian overrides are not present
 - This package does not rely on obsolete or about to be demoted packages.
 - This package has no python2 or GTK2 dependencies
 - The package will not be installed by default
 - Packaging and build is easy, link to d/rules
   https://salsa.debian.org/perl-team/modules/packages/libhtml-tokeparser-simple-perl/-/blob/master/debian/rules

[UI standards]
 - Application is not end-user facing (does not need translation)

[Dependencies]
 - No further depends or recommends dependencies that are not yet in main

[Standards compliance]
 - This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
 - Owning Team will be Ubuntu Foundations
 - Team is not yet, but will subscribe to the packa...

Read more...

Revision history for this message
Graham Inggs (ginggs) wrote :
Download full text (3.7 KiB)

[Availability]
The package libwww-mechanize-perl is already in Ubuntu universe.
The package libwww-mechanize-perl builds for the architectures it is designed to work on.
It currently builds and works for architectures: all (perl package)
Link to package https://launchpad.net/ubuntu/+source/libwww-mechanize-perl

[Rationale]
The package libwww-mechanize-perl is required in Ubuntu main for lintian
The package libwww-mechanize-perl will not generally be useful for a large part of
our user base, but is important/helpful still because
 - The package libwww-mechanize-perl is a new runtime dependency of package lintian that
   we already support
 - The package libwww-mechanize-perl is required in Ubuntu main no later than 2022-08-25
   due to Kinetic Feature Freeze

[Security]
 - No CVEs/security issues in this software in the past
 - no `suid` or `sgid` binaries
 - no executables in `/sbin` and `/usr/sbin`
 - Package does not install services, timers or recurring jobs
 - Packages does not open privileged ports (ports < 1024)
 - Packages does not contain extensions to security-sensitive software
   (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
 - The package works well right after install - it is a library

[Quality assurance - maintenance]
 - The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
 - The package runs a test suite on build time, if it fails
   it makes the build fail, link to build log
   https://launchpad.net/ubuntu/+source/libwww-mechanize-perl/2.14-2/+build/24292284
 - The package runs an autopkgtest, and is currently passing on
   amd64 arm64 armhf ppc64el s390x, link to test logs
   https://autopkgtest.ubuntu.com/packages/libwww-mechanize-perl
 - The package does have not failing autopkgtests right now

[Quality assurance - packaging]
 - debian/watch is present and works
 - debian/control defines a correct Maintainer field
 - This package does not yield massive lintian Warnings, Errors
   one dubious error https://udd.debian.org/lintian/?packages=libwww-mechanize-perl
   Lintian complains about missing source of an HTML test file (triggered by long line length)
 - Please link to a recent build log of the package
   https://launchpad.net/ubuntu/+source/libwww-mechanize-perl/2.14-2/+build/24292284
 - Full output of `lintian --pedantic`
   E: libwww-mechanize-perl changes: bad-distribution-in-changes-file unstable
   E: libwww-mechanize-perl source: source-is-missing [t/google.html]
   P: libwww-mechanize-perl source: very-long-line-length-in-source-file 1974 > 512 [t/google.html:13]
 - Lintian overrides are present, but ok because although the package is a library it includes a handy application
 - This package does not rely on obsolete or about to be demoted packages.
 - This package has no python2 or GTK2 dependencies
 - The package will not be installed by default
 - Packaging and build is easy, link to d/rules
   https://salsa.debian.org/perl-team/modules/packages/libwww-mechanize-perl/-/blob/master/debian/rules

[UI standards]
 - Application is not end-user facing (does not need translation)

[Dependencies]
 - No further depends or recommends depende...

Read more...

Lukas Märdian (slyon)
description: updated
Changed in libhtml-tokeparser-simple-perl (Ubuntu):
status: Incomplete → New
assignee: Graham Inggs (ginggs) → nobody
Changed in libwww-mechanize-perl (Ubuntu):
status: Incomplete → New
assignee: Graham Inggs (ginggs) → nobody
Graham Inggs (ginggs)
Changed in libfreezethaw-perl (Ubuntu):
assignee: nobody → Graham Inggs (ginggs)
Changed in libmldbm-perl (Ubuntu):
assignee: nobody → Graham Inggs (ginggs)
Revision history for this message
Graham Inggs (ginggs) wrote :
Download full text (3.6 KiB)

[Availability]
The package libmldbm-perl is already in Ubuntu universe.
The package libmldbm-perl builds for the architectures it is designed to work on.
It currently builds and works for architetcures: all (perl package)
Link to package https://launchpad.net/ubuntu/+source/libmldbm-perl

[Rationale]
The package libmldbm-perl is required in Ubuntu main for lintian
The package libmldbm-perl will not generally be useful for a large part of
our user base, but is important/helpful still because
 - The package libmldbm-perl is a new runtime dependency of package lintian that
   we already support
 - The package libmldbm-perl is required in Ubuntu main no later than 2022-08-25
   due to Kinetic Feature Freeze

[Security]
 - No CVEs/security issues in this software in the past
 - no executables in `/sbin` and `/usr/sbin`
 - Package does not install services, timers or recurring jobs
 - Packages does not open privileged ports (ports < 1024)
 - Packages does not contain extensions to security-sensitive software
   (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
 - The package works well right after install - it is a library

[Quality assurance - maintenance]
 - The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
 - The package runs a test suite on build time, if it fails
   it makes the build fail, link to build log
   https://launchpad.net/ubuntu/+source/libmldbm-perl/2.05-3/+build/23856967
 - The package runs an autopkgtest, and is currently passing on
   amd64 arm64 armhf ppc64el s390x, link to test logs
   https://autopkgtest.ubuntu.com/packages/libmldbm-perl
 - The package does have not failing autopkgtests right now

[Quality assurance - packaging]
 - debian/watch is present and works
 - debian/control defines a correct Maintainer field
 - This package does not yield massive lintian Warnings, Errors
   two warnings https://udd.debian.org/lintian/?packages=libmldbm-perl
   the last uploader ommitted 'Team upload' or 'Non-maintainer upload'
 - Please link to a recent build log of the package
   https://launchpad.net/ubuntu/+source/libmldbm-perl/2.05-3/+build/23856967
 - Full output of `lintian --pedantic`
   E: libmldbm-perl changes: bad-distribution-in-changes-file unstable
   P: libmldbm-perl source: silent-on-rules-requiring-root [debian/control]
   P: libmldbm-perl source: update-debian-copyright 2013 vs 2022 [debian/copyright:14]
 - Lintian overrides are not present
 - This package does not rely on obsolete or about to be demoted packages.
 - This package has no python2 or GTK2 dependencies
 - The package will not be installed by default
 - Packaging and build is easy, link to d/rules
   https://salsa.debian.org/perl-team/modules/packages/libmldbm-perl/-/blob/master/debian/rules

[UI standards]
 - Application is not end-user facing (does not need translation)

[Dependencies]
 - There are further dependencies that are not yet in main, the MIR
   process for them is handled as part of this bug here.
   Recommends: libfreezethaw-perl

[Standards compliance]
 - This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
 - Owning Team will be Ubuntu Fou...

Read more...

description: updated
Changed in libmldbm-perl (Ubuntu):
status: Incomplete → New
assignee: Graham Inggs (ginggs) → nobody
Revision history for this message
Graham Inggs (ginggs) wrote :
Download full text (3.6 KiB)

[Availability]
The package libfreezethaw-perl is already in Ubuntu universe.
The package libfreezethaw-perl builds for the architectures it is designed to work on.
It currently builds and works for architectures: all (perl package)
Link to package https://launchpad.net/ubuntu/+source/libfreezethaw-perl

[Rationale]
The package libfreezethaw-perl is required in Ubuntu main for libmldbm-perl
The package libfreezethaw-perl will not generally be useful for a large part of
our user base, but is important/helpful still because
 - The package libfreezethaw-perl is recommended by libmldbm-perl, a new runtime dependency of package lintian that
   we already support
 - The package libfreezethaw-perl is required in Ubuntu main no later than 2022-08-25
   due to Kinetic Feature Freeze

[Security]
 - No CVEs/security issues in this software in the past
 - no executables in `/sbin` and `/usr/sbin`
 - Package does not install services, timers or recurring jobs
 - Packages does not open privileged ports (ports < 1024)
 - Packages does not contain extensions to security-sensitive software
   (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
 - The package works well right after install - it is a library

[Quality assurance - maintenance]
 - The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
 - The package runs a test suite on build time, if it fails
   it makes the build fail, link to build log
   https://launchpad.net/ubuntu/+source/libfreezethaw-perl/0.5001-2.1/+build/20734946
 - The package runs an autopkgtest, and is currently passing on
   amd64 arm64 armhf ppc64el s390x, link to test logs
   https://autopkgtest.ubuntu.com/packages/libfreezethaw-perl
 - The package does have not failing autopkgtests right now

[Quality assurance - packaging]
 - debian/watch is present and works
 - debian/control defines a correct Maintainer field
 - This package does not yield massive lintian Warnings, Errors
   one warning https://udd.debian.org/lintian/?packages=libfreezethaw-perl
   possibly false positive; the last uploader incuded 'Non maintainer upload' in the changelog
 - Please link to a recent build log of the package
   https://launchpad.net/ubuntu/+source/libfreezethaw-perl/0.5001-2.1/+build/20734946
 - Full output of `lintian --pedantic`
   E: libfreezethaw-perl changes: bad-distribution-in-changes-file unstable
 - Lintian overrides are not present
 - This package does not rely on obsolete or about to be demoted packages.
 - This package has no python2 or GTK2 dependencies
 - The package will not be installed by default
 - Packaging and build is easy, link to d/rules
   https://salsa.debian.org/perl-team/modules/packages/libfreezethaw-perl/-/blob/master/debian/rules

[UI standards]
 - Application is not end-user facing (does not need translation)

[Dependencies]
 - No further depends or recommends dependencies that are not yet in main

[Standards compliance]
 - This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
 - Owning Team will be Ubuntu Foundations
 - Team is not yet, but will subscribe to the package before promotion
 - This does not use static builds
 - T...

Read more...

description: updated
Changed in libfreezethaw-perl (Ubuntu):
status: Incomplete → New
assignee: Graham Inggs (ginggs) → nobody
Changed in libfreezethaw-perl (Ubuntu):
assignee: nobody → Didier Roche (didrocks)
Changed in libhtml-tokeparser-simple-perl (Ubuntu):
assignee: nobody → Didier Roche (didrocks)
Changed in libmldbm-perl (Ubuntu):
assignee: nobody → Ioanna Alifieraki (joalif)
Changed in libwww-mechanize-perl (Ubuntu):
assignee: nobody → Ioanna Alifieraki (joalif)
Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote (last edit ):
Download full text (3.7 KiB)

Review for libfreezethaw-perl.
MIR team ACK under the constraint to resolve the below listed
required TODOs.
This does not need a security review
List of specific binary packages to be promoted to main: libfreezethaw-perl

Notes:
Required TODOs:
- This package, while having tests during build does not have autopkgtests. Consequently, we are not protected against breakages due to migration of reverse dependencies, including new perl. Even if for perl there is traditionnally a mass-rebuild, maybe we should ensure we have autopkgtests for any package entering (or reentering) main. I think the autopkgtests can run the same testsuite than the one at build-time to protect us.
Note that there seems to have an autopkgtests in https://autopkgtest.ubuntu.com/packages/libfreezethaw-perl/ generated by perl, but this one does not run a real testsuite. Only an installation and syntax checker, mostly.

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries

OK:
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source. Only parse some deserialized structures that we serialized before.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- if special HW does prevent build/autopkgtest is there a test plan, code,
  log provided?
- if a non-trivial test on this level does not make sense (the lib alone
  is only doing rather simple things), is the overall solution (app+libs)
  extensively covered i.e. via end to end autopkgtest ?
- no new python2 dependency

Problems:
- does NOT have autopkgtests. Consequently new perl updates can migrate while breaking this package. I suggest we have autopkgtests implemented as required by the MIR process.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is sporadic, but there is no need for a stabilized project.
- Debian/Ubuntu update folllows upstream.
- the current release is ...

Read more...

Changed in libhtml-tokeparser-simple-perl (Ubuntu):
status: New → Incomplete
assignee: Didier Roche (didrocks) → nobody
status: Incomplete → New
assignee: nobody → Didier Roche (didrocks)
Changed in libfreezethaw-perl (Ubuntu):
status: New → Incomplete
assignee: Didier Roche (didrocks) → nobody
Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :
Download full text (4.3 KiB)

Review for libhtml-tokeparser-simple-perl.
MIR team ACK under the constraint to resolve the below listed
required TODOs.
This does not need a security review
List of specific binary packages to be promoted to main: libhtml-tokeparser-simple-perl

Notes:
Required TODOs:
- This package, while having tests during build does not have autopkgtests. Consequently, we are not protected against breakages due to migration of reverse dependencies, including new perl. Even if for perl there is traditionnally a mass-rebuild, maybe we should ensure we have autopkgtests for any package entering main. I think the autopkgtests can run the same testsuite than the one at build-time to protect us.

Note that the reporter said that there are autopkgtests in https://autopkgtest.ubuntu.com/packages/libfreezethaw-perl/. But this one seems to be generated by perl and reverse dependency, doing minimal checks: this one does not run a real testsuite. Only an installation and syntax checker, mostly. This is why I suggest that we enhance the autopkgtests for them with running the same testsuite than the one at build time.

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries

OK:
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- the package parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from an untrusted source. However, this one is a wrapper to ease the usage of libhtml-parser-perl with more convenient methods. It subclasses them. Consequently, it does not parse directly its content, but wrap over the existing parser, already in main. The package does not need a security review as it only handles data transformation, already parsed.
  Only parse some deserialized structures that we serialized before.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- if special HW does prevent build/autopkgtest is there a test plan, code,
  log provided?
- if a non-trivial test on this level does not make sense (the lib alone
  is only doing rather simple things), is the overall solution (app+libs)
  extensively covered i.e. via end to end autopkgtest ?
- no n...

Read more...

Changed in libhtml-tokeparser-simple-perl (Ubuntu):
status: New → Incomplete
assignee: Didier Roche (didrocks) → nobody
Revision history for this message
gregor herrmann (gregoa) wrote : Re: [Pkg-perl-maintainers] [Bug 1980662] Re: [MIR] lib*-perl for lintian 2.115

On Mon, 29 Aug 2022 07:33:30 -0000, Didier Roche wrote:

> Review for libfreezethaw-perl.
> MIR team ACK under the constraint to resolve the below listed
> required TODOs.
>
> Notes:
> Required TODOs:
> - This package, while having tests during build does not have
> autopkgtests. Consequently, we are not protected against
> breakages due to migration of reverse dependencies, including new
> perl. Even if for perl there is traditionnally a mass-rebuild,
> maybe we should ensure we have autopkgtests for any package
> entering (or reentering) main. I think the autopkgtests can run
> the same testsuite than the one at build-time to protect us.

FWIW, in Debian libfreezethaw-perl has the default
autopkgtest-pkg-perl tests enabled since 0.5001-2, uploaded in June
2018, and ci.debian.net looks good and complete:
https://ci.debian.net/packages/libf/libfreezethaw-perl/

Also https://autopkgtest.ubuntu.com/packages/libfreezethaw-perl shows
the same tests (inlcuding the smoke test which runs the same
testsuite as during build).

***

Same for the second package mentioned in the other mail,
libhtml-tokeparser-simple-perl: autopkgtests enabled since 3.16-2
(May 2015), and they look good and complete both in Debian and
Ubuntu:

https://ci.debian.net/packages/libh/libhtml-tokeparser-simple-perl/
https://autopkgtest.ubuntu.com/packages/libhtml-tokeparser-simple-perl

***

Maybe I'm missing something, and in case please shout if we can help
from the Debian side.

Cheers,
gregor, Debian perl Group

--
 .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
 `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-

Revision history for this message
Ioanna Alifieraki (joalif) wrote :

Review for Package: libmldbm-perl

[Summary]
MIR team ACK

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: libmldbm-perl

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (the runtime dependency libfreezethaw-perl
  is already handled in this bug)
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
OK:
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- does parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is sporadic
- Debian/Ubuntu follows upstream
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems: None

Changed in libmldbm-perl (Ubuntu):
assignee: Ioanna Alifieraki (joalif) → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Ioanna Alifieraki (joalif) wrote :

Review for Package: libwww-mechanize-perl

[Summary]
MIR team ACK

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: libwww-mechanize-perl

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
OK:
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- does parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does process arbitrary web content

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems: None

Changed in libwww-mechanize-perl (Ubuntu):
assignee: Ioanna Alifieraki (joalif) → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

@gregor: thanks for reaching out and tracking the bug! After another look and a discussion with ginggs, I realized I was scrolling down too much (after the second package install), and only saw the syntax checkers. Indeed, the package build + test builds are already done by then. Sorry for the confusion!

As both libhtml-tokeparser-simple-perl and libfreezethaw-perl have those autopkgtests triggered by perl directly, and run a test build in addition to the syntax checker, this a MIR team ack for both package.

Changed in libfreezethaw-perl (Ubuntu):
status: Incomplete → Fix Committed
Changed in libhtml-tokeparser-simple-perl (Ubuntu):
status: Incomplete → Fix Committed
Revision history for this message
Lukas Märdian (slyon) wrote :

I subscribed ~foundations-bugs to libhtml-tokeparser-simple-perl and libfreezethaw-perl (as well as libwww-mechanize-perl & libmldbm-perl), so the former two are ready for promotion. The latter two still pending security review.

Steve Beattie (sbeattie)
tags: added: sec-1261
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Ack, libhtml-tokeparser-simple-perl and libfreezethaw-perl are ready.
Promoting those now ...

 libhtml-tokeparser-simple-perl | 3.16-4 | kinetic/universe | source, all
 libfreezethaw-perl | 0.5001-2.1 | kinetic/universe | source, all

Override component to main
libhtml-tokeparser-simple-perl 3.16-4 in kinetic: universe/perl -> main
libhtml-tokeparser-simple-perl 3.16-4 in kinetic amd64: universe/perl/optional/100% -> main
libhtml-tokeparser-simple-perl 3.16-4 in kinetic arm64: universe/perl/optional/100% -> main
libhtml-tokeparser-simple-perl 3.16-4 in kinetic armhf: universe/perl/optional/100% -> main
libhtml-tokeparser-simple-perl 3.16-4 in kinetic i386: universe/perl/optional/100% -> main
libhtml-tokeparser-simple-perl 3.16-4 in kinetic ppc64el: universe/perl/optional/100% -> main
libhtml-tokeparser-simple-perl 3.16-4 in kinetic riscv64: universe/perl/optional/100% -> main
libhtml-tokeparser-simple-perl 3.16-4 in kinetic s390x: universe/perl/optional/100% -> main
libfreezethaw-perl 0.5001-2.1 in kinetic: universe/perl -> main
libfreezethaw-perl 0.5001-2.1 in kinetic amd64: universe/perl/optional/100% -> main
libfreezethaw-perl 0.5001-2.1 in kinetic arm64: universe/perl/optional/100% -> main
libfreezethaw-perl 0.5001-2.1 in kinetic armhf: universe/perl/optional/100% -> main
libfreezethaw-perl 0.5001-2.1 in kinetic i386: universe/perl/optional/100% -> main
libfreezethaw-perl 0.5001-2.1 in kinetic ppc64el: universe/perl/optional/100% -> main
libfreezethaw-perl 0.5001-2.1 in kinetic riscv64: universe/perl/optional/100% -> main
libfreezethaw-perl 0.5001-2.1 in kinetic s390x: universe/perl/optional/100% -> main
Override [y|N]? y
16 publications overridden.

Changed in libfreezethaw-perl (Ubuntu):
status: Fix Committed → Fix Released
Changed in libhtml-tokeparser-simple-perl (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Mark Esler (eslerm) wrote :

I reviewed libmldbm-perl 2.05-3 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

> MLDBM store multi-level Perl hash structure in single level tied hash

- CVE History:
  - ancient leak circa 1999
    - https://github.com/perl/perl5/issues/80
- Build-Depends?
  - Data::Dumper perl module 2.08
    - 2.08 is a very old version
    - some Data:Dumper updates are security related
    - https://metacpan.org/dist/Data-Dumper/changes
    - nb: package also provides MLDBM::Serializer::Data::Dumper
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - has build tests and autopkgtests
- cron jobs?
  - none
- Build logs:
  - looks clean

- Processes spawned?
  - concerning eval in ./lib/MLDBM/Serializer/Data/Dumper.pm
    - values missing a magic key string are returned before eval +1
- Memory management?
  - none
- File IO?
  - none, besides build
- Logging?
  - yes, via carp
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none / not applicable
- Any significant Coverity results?
  - none / not applicable
- Any significant shellcheck results?
  - none / not applicable
- Any significant bandit results?
  - none / not applicable
- Any significant perlcritic?
  - none

Code is possibly unmaintained. Code was written 10 years ago. A travis file was
added 8 years ago. There has never been an issue or pull request on GitHub.
https://github.com/chorny/MLDBM

See Warnings section of mldbm(3)
https://manpages.ubuntu.com/manpages/kinetic/en/man3/MLDBM.3pm.html#warnings

Security team ACK for promoting libmldbm-perl to main.

Changed in libmldbm-perl (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → In Progress
Revision history for this message
Mark Esler (eslerm) wrote :

I reviewed libwww-mechanize-perl 2.14-2 as checked into kinetic. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability. Test and example code not was not included in this audit.

> `WWW::Mechanize`, or Mech for short, is a Perl module for stateful
> programmatic web browsing, used for automating interaction with
> websites.

- CVE History:
  - past CVEs for Net::HTTPS which libwww-mechanize-perl had used
- Bug History:
  - Many open issues
    - https://github.com/libwww-perl/WWW-Mechanize/issues
    - appears many could be closed
    - 72 open issues ported from Google Code Archive
    - multiple open hang issues appear to be addressed
- Build-Depends?
  - see META.yaml for Perl dependencies
  - HTTP::Request and several HTML:: modules are primarily used
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- udev rules?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - /usr/bin/mech-dump
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - robust build tests
  - has autopkgtests
- cron jobs?
  - none
- Build logs:
  - looks clean

- Processes spawned?
  - eval used to check libraries
- Memory management?
  - none, beyond test files
- File IO?
  - use of open appears safe
  - library contains save_content function that writes files
  - functions read uri's which can be file paths
- Logging?
  - library includes stderr warn messages
- Environment variable usage?
  - none, beyond test files
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none, beyond HTTPS
- Use of temp files?
  - none
- Use of networking?
  - HTTP::Request does the heavy lifting
  - this package, along with a handful of HTML:: modules, parses data
  - data being parsed is likely unsafe sources
  - users of library are responsible for input sanitization!
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none, not-applicable
- Any significant Coverity results?
  - none, not-applicable
- Any significant shellcheck results?
  - none, not-applicable
- Any significant bandit results?
  - none, not-applicable
- Any significant perlcritic results?
  - results look okay

The README.md demonstrates how to use WWW::Mechanize with cleartext passwords
and HTTP.

This program looks quite useful, but not suitable for secure environments.
In light of the intended lintian use case, adding this to main is reasonable.

Security team ACK for promoting libwww-mechanize-perl to main.

Changed in libwww-mechanize-perl (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → In Progress
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The packages libwww-mechanize-perl and libmldbm-perl are fully processed, owned by foundations now and read for promotion to unblock lintian (all that is left are false positives).

Both packages just have source + 1 binary.
They show up in component mismatches and will be held in main by lintian.

Override component to main
libwww-mechanize-perl 2.14-2 in kinetic: universe/perl -> main
libwww-mechanize-perl 2.14-2 in kinetic amd64: universe/perl/optional/100% -> main
libwww-mechanize-perl 2.14-2 in kinetic arm64: universe/perl/optional/100% -> main
libwww-mechanize-perl 2.14-2 in kinetic armhf: universe/perl/optional/100% -> main
libwww-mechanize-perl 2.14-2 in kinetic i386: universe/perl/optional/100% -> main
libwww-mechanize-perl 2.14-2 in kinetic ppc64el: universe/perl/optional/100% -> main
libwww-mechanize-perl 2.14-2 in kinetic riscv64: universe/perl/optional/100% -> main
libwww-mechanize-perl 2.14-2 in kinetic s390x: universe/perl/optional/100% -> main
libmldbm-perl 2.05-3 in kinetic: universe/perl -> main
libmldbm-perl 2.05-3 in kinetic amd64: universe/perl/optional/100% -> main
libmldbm-perl 2.05-3 in kinetic arm64: universe/perl/optional/100% -> main
libmldbm-perl 2.05-3 in kinetic armhf: universe/perl/optional/100% -> main
libmldbm-perl 2.05-3 in kinetic i386: universe/perl/optional/100% -> main
libmldbm-perl 2.05-3 in kinetic ppc64el: universe/perl/optional/100% -> main
libmldbm-perl 2.05-3 in kinetic riscv64: universe/perl/optional/100% -> main
libmldbm-perl 2.05-3 in kinetic s390x: universe/perl/optional/100% -> main

Changed in libmldbm-perl (Ubuntu):
status: In Progress → Fix Released
Changed in libwww-mechanize-perl (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.