Comment 7 for bug 1977959

[Summary]
MIR review for libisofs
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does not need a security review
List of specific binary packages to be promoted to main: libisofs-dev, libisofs-doc, libisofs6

Notes:
Required TODOs:
- Symbol tracking is not in place for libisofs. Please add some tracking for the libburn symbols.
Recommended TODOs:
- This package have more lintian issues than others (and not only pendatic ones). As previously, warnings are always asking for more warnings IMHO and those are really easy to fix (files in debian/copyright that are not present). Can we clean them?
- The package should get a team bug subscriber before being promoted

[Duplication]
libisoburn/libisofs/libburn will replace genisoimage usage in main.

[Dependencies]
OK:
- no other Dependencies to MIR due to this.
- libburn checked with `check-mir`
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries

OK:
- not a go package, no extra constraints to consider in that regard

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

[Common blockers]
OK:
- does not FTBFS currently
- does rely on libisoburn releng non-trivial test suite that runs as autopkgtest for both build test and package test.
- no new python2 dependency

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- d/watch is present and looks ok
- Upstream update history is slow (but acceptable for this kind of project due to the history)
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- Several lintian warnings that ought to be simple to fix. I think we should have a lintian-clean package (excluding pedantic) at least.
- symbol tracking is not in place for libburn and only rely on shlibs. Any reason to not have a real symbol tracking?

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests).
- no use of user nobody
- use of setuid possible, but ok because in cdrskin which we don’t consider and not by default.
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but not needed.