[MIR] lib*-perl
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libindirect-perl (Ubuntu) | Fix Released | Undecided | Andy Whitcroft |
libobject-pad-perl (Ubuntu) | Fix Released | Undecided | Andy Whitcroft |
libunicode-escape-perl (Ubuntu) | Invalid | Undecided | Unassigned |
libunicode-string-perl (Ubuntu) | Invalid | Undecided | Unassigned |
libxs-parse-sublike-perl (Ubuntu) | Fix Released | Undecided | Andy Whitcroft |
licensecheck (Ubuntu) | Invalid | Undecided | Lukas Märdian |
sphinx (Ubuntu) | Invalid | Undecided | Lukas Märdian |

Bug Description
[Availability]
The packages libxs-parse-
They currently build and work for the following architectures:
libxs-parse-
libobject-pad-perl: amd64 arm64 armhf ppc64el riscv64 s390x
libindirect-perl: amd64 arm64 armhf ppc64el riscv64 s390x
libunicode-
libunicode-
Links to packages:
https:/
https:/
https:/
https:/
https:/
[Rationale]
The packages libxs-parse-
The packages libunicode-
There are no definite deadlines for this MIR.
[Security]
libxs-parse-
libobject-pad-perl: I couldn't find any security issue for this package in the past.
libindirect-perl: I couldn't find any security issue for this package in the past.
libunicode-
libunicode-
All packages only ship Perl binary extensions or source modules, along with documentation. There are no binaries, services, recurring jobs.
[Quality assurance - function/usage]
The packages can be correctly imported in a Perl script after installation.
[Quality assurance - maintenance]
The packages are maintained well in Debian, as they are under the umbrella of the Perl team.
Most don't have any open bugs:
https:/
https:/
https:/
https:/
https:/
https:/
https:/
https:/
The libobject-pad-perl package has one bug opened:
https:/
https:/
https:/
The issue described in the bug doesn't seem to be triggered by the test suite anymore.
[Quality assurance - testing]
The packages all include a test suite that is run both at runtime and as
autopkgtests.
[Quality assurance - packaging]
All packages have watchfiles that work.
They appear relatively lintian-clean, with some more warnings to the
libunicode* packages due to the packaging not having been refreshed in a while.
None of them have any overrides.
Link to the Lintian runs on Debian (relevant as there are no Ubuntu delta):
https:/
https:/
https:/
https:/
https:/
These packages do not rely on obsolete or about to be demoted packages.
These packages have no python2 or GTK2 dependencies
The packages will not be installed by default
Packaging and build are easy:
https:/
https:/
https:/
https:/
The packaging for libunicode-
https:/
[UI standards]
These are not applications but runtime dependencies.
[Dependencies]
No further depends or recommends dependencies that are not yet in main
[Standards compliance]
These packages correctly follow FHS and Debian Policy.
[Maintenance/Owner]
Owning Team will be Foundations
Team is not yet, but will subscribe to the packages before promotion
These do not use static builds
These do not use vendored code
All packages were successfully built during the most recent test rebuild (Jammy
20220317), and those that have been updated since also built successfully.
[Background information]
All packages are fairly self-contained Perl modules packaged from CPAN:
https:/
https:/
https:/
https:/
https:/
Changed in libindirect-perl (Ubuntu):
status: New → Incomplete
Changed in libxs-parse-sublike-perl (Ubuntu):
status: New → Incomplete
Changed in libunicode-escape-perl (Ubuntu):
status: New → Incomplete
Changed in libunicode-string-perl (Ubuntu):
status: New → Incomplete
description: updated
tags: added: fr-2361
description: updated
description: updated
Changed in libindirect-perl (Ubuntu):
status: Incomplete → Confirmed
Changed in libobject-pad-perl (Ubuntu):
status: Incomplete → Confirmed
Changed in libunicode-escape-perl (Ubuntu):
status: Incomplete → Confirmed
Changed in libunicode-string-perl (Ubuntu):
status: Incomplete → Confirmed
Changed in libxs-parse-sublike-perl (Ubuntu):
status: Incomplete → Confirmed
Changed in libindirect-perl (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Changed in libobject-pad-perl (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Changed in libunicode-escape-perl (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Changed in libunicode-string-perl (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Changed in libxs-parse-sublike-perl (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Changed in licensecheck (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
tags: added: update-excuse
Changed in sphinx (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
tags: added: rls-kk-incoming
Changed in libindirect-perl (Ubuntu):
status: Fix Committed → Fix Released
Changed in libobject-pad-perl (Ubuntu):
status: Fix Committed → Fix Released
Changed in libxs-parse-sublike-perl (Ubuntu):
status: Fix Committed → Fix Released
Changed in sphinx (Ubuntu):
status: New → Invalid
Changed in licensecheck (Ubuntu):
status: New → Invalid
Review for Package: libindirect-perl
[Summary]
MIR team ACK
This does not need a security review
List of specific binary packages to be promoted to main: libindirect-perl
Specific binary packages built, but NOT to be promoted to main: n/a
[Duplication]
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used, all Built-Using are in main
Problems: None
[Security]
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam), etc.
- does not deal with security attestation (secure boot, tpm, signatures)
Problems:
- does parse data formats (usually code in the current use, but not arbitrary
and low attack surface)
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite will fail the build upon error.
- does have a test suite that runs as autopkgtest
- no special HW needed
- no new python2 dependency
Problems: None
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Debian/Ubuntu update history is slow (matching upstream)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list
Problems:
- Upstream update history is slow, not sure how much we can rely on it.
Those kinds of packages often are without being a problem, but we have to
be clear this seems like a non (much) active upstream.
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (perl only)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case
Problems: None