[MIR] libio-interactive-perl
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libio-interactive-perl (Ubuntu) |
Fix Released
|
Undecided
|
Olivier Gayot |
Bug Description
[Availability]
The package libio-interacti
The package libio-interacti
It currently builds and works for architectures: <all> (perl package)
Link to package [[https:/
[Rationale]
- The package libio-interacti
- The package libio-interacti
our user base, but is important/helpful still because it is a requirement for licensecheck
- The package libio-interacti
we already support
[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries (it's a Perl library)
- no executables in `/sbin` and `/usr/sbin` (it's a Perl library)
- Package does not install services
- Packages does not open privileged ports (ports < 1024)
- Packages does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The upstream appears to be somewhat active and the package is maintained by
the Debian perl team.
- The package has no long term critical bugs open
- Ubuntu https:/
- Debian https:/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log
https:/
- The package runs an autopkgtest, and is currently passing on
this amd64 list of architectures, link to test logs
https:/
- The package declares the autopkgtest-
- The package does have no failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- This package does not yield massive lintian Warnings, Errors
- Lintian overrides are not present
- Output of lintian --pedantic:
W: libio-interacti
W: libio-interacti
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy.
- Content of d/rules:
#!/usr/bin/make -f
%:
dh $@
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
- Only concern is a warning reported by lintian --pedantic:
W: libio-interacti
W: libio-interacti
[Maintenance/Owner]
- Owning Team will be Foundations team (to be confirmed)
- Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
[Background information]
The Package description explains the package well
Upstream Name is IO-Interactive
Link to upstream project https:/
Changed in libio-interactive-perl (Ubuntu): | |
status: | Incomplete → New |
Changed in libio-interactive-perl (Ubuntu): | |
status: | New → Incomplete |
description: | updated |
Changed in libio-interactive-perl (Ubuntu): | |
status: | Incomplete → New |
Changed in libio-interactive-perl (Ubuntu): | |
assignee: | nobody → Christian Ehrhardt (paelzer) |
Changed in libio-interactive-perl (Ubuntu): | |
assignee: | nobody → Olivier Gayot (ogayot) |
Review for Package: libio-interacti ve-perl
[Summary]
MIR team ACK
This package is very small, well maintained, does not seem to need a lot of
attention. And with 4 autopkgtest and 16 build time tests for - after
subtracting the boilerplate - mabye 60 lines of code it is also well covered.
Imagine that ratio of 1 test per 3 LOC for every project.
This does not need a security review
List of specific binary packages to be promoted to main: libio-interacti ve-perl
Specific binary packages built, but NOT to be promoted to main: <none>
[Duplication]
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
Problems: None
[Security]
RULE: - Determine if the package may have security implications or history.
RULE: Err on the side of caution.
RULE: - If the package is security sensitive, you should review as much as you
RULE: can and then assign to the ubuntu-security team. The bug will then be
RULE: added to the prioritized list of MIR security reviews.
OK:
- history of CVEs does not look concerning (none)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
Problems: None
[Common blockers] pkg-perl
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
TBH It is rather simple but matching the library and run via
autopkgtest-
- no special HW required
- no new python2 dependency
Problems: None
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is slow but ok (not much code)
- Debian/Ubuntu update history is slow but ok (not much code)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean (as clean as possible)
- It is not on the lto-disabled list
Problems: None
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (perl)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user nobody
- no use of setuid
- use of setuid, but ok because <TBD> (prefer systemd to set those
for services)
- no important open bugs (crashers, etc) in Debian or Ubuntu (...