Comment 5 for bug 1853175

[Summary]
- All looks pretty straight forward, MIR Team ack
- Needs security review (assigned)

[Duplication]
Many libmail-*-perl but no duplicate in main already

[Embedded sources and static linking]
- no embedded sources
- no (static) linking (perl)

[Security]
- no history of CVEs
- no daemon as root
- doesn't use webkit1,2
- doesn't use lib*v8 directly
- doesn't opens a port
- doesn't processe arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- doesn't deal with system authentication (eg, pam), etc)

But it
- parses data formats (the mail auth response)
- it also is a very minor part of authentication in some sort (not system auth at all, but interpreting mail auth)

Parsing headers that can be externally crafted is security sensitive, assigning security for a review as well.

[Common blockers]
- no FTBFS issues
- tests are present and run at build time
- no translation, but also not user visible
- no python package for further constraints on that

[Packaging red flags]
- no Ubuntu delta atm
- perl has no symbols tracking
- d/watch is ok
- regularly updated in Debian
  - but it is rather new since August 2019, so we don't have much data to know that in the long run
- the current release is packaged
- not causing a MOTU problem
- a few, but no massive Lintian warnings
- d/rules is as small as it can be
- no golang constraints to consider
- Desktop team is already subscribed
- no further dependencies not in main

[Upstream red flags]
- no Errors/warnings during the build
- no incautious use of malloc/sprintf
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of User nobody
- no use of setuid
- no known Important bugs (crashers, etc) in Debian or Ubuntu
- no Dependency on webkit, qtwebkit, seed or libgoa-*
- not part of UI design