Activity log for bug #2023971

Date Who What changed Old value New value Message
2023-06-15 08:06:51 Bryce Harrington bug added bug
2023-06-30 23:49:33 Bryce Harrington description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: * libdbd-sqlite3-perl: universe * libdbix-simple-perl: universe * libemail-mime-perl: universe - libemail-messageid-perl: universe - libemail-mime-contenttype-perl: universe - libemail-mime-encodings-perl: universe - libemail-simple-perl: universe * libemail-sender-perl: universe - libemail-abstract-perl: universe + libemail-simple-perl: universe + libmodule-pluggable-perl: universe + libmro-compat-perl: universe • libclass-c3-perl: universe ◦ libalgorithm-c3-perl: universe ◦ libclass-c3-xs-perl: universe (Recommends) • libclass-c3-xs-perl: universe (Recommends) - libemail-simple-perl: universe - libmodule-pluggable-perl: universe - libmro-compat-perl: universe (Already listed above) - libmoox-types-mooselike-perl: universe - libscalar-list-utils-perl: universe - libthrowable-perl: universe * libfile-sharedir-perl: universe + libclass-inspector-perl: universe * libnet-idn-encode-perl: universe * libnet-imap-simple-perl: universe (Recommends) - libparse-recdescent-perl: universe (Recommends) * libnet-ip-perl: universe * libnet-smtps-perl: universe * libregexp-common-perl: universe * libtest-file-sharedir-perl: universe - libclass-tiny-perl: universe - libfile-copy-recursive-perl: universe - libfile-sharedir-perl: universe + libclass-inspector-perl: universe - libscope-guard-perl: universe * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and builds for its target architectures. 
[Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] TBD [Quality assurance - function/usage] TBD [Quality assurance - maintenance] TBD [Quality assurance - testing] TBD [Quality assurance - packaging] TBD [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. 
Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libdbd-sqlite3-perl: universe ### This existed in main in 2013 (Trusty), but was subsequently demoted. Its original promotion was via LP: #196145. This has no dependencies from universe. ### libdbix-simple-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad, except one sync request to update it in 2017. This has Recommends on three universe packages: libobject-accessor-perl, libsql-abstract-perl, libtext-table-perl Since those recursively depend on additional perl modules in universe, it may be worth moving those to Suggests. ### libemail-mime-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. This has some further universe dependencies: * libemail-mime-perl - libemail-messageid-perl - libemail-mime-contenttype-perl - libemail-mime-encodings-perl - libemail-simple-perl ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. 
* libemail-sender-perl - libemail-abstract-perl + libemail-simple-perl + libmodule-pluggable-perl + libmro-compat-perl • libclass-c3-perl ◦ libalgorithm-c3-perl ◦ libclass-c3-xs-perl (Recommends) • libclass-c3-xs-perl (Recommends) - libemail-simple-perl - libmodule-pluggable-perl - libmro-compat-perl (See above) - libmoox-types-mooselike-perl - libscalar-list-utils-perl - libthrowable-perl + libmoose-perl (Recommends) • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have been demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends) - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. 
### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl - libclass-tiny-perl - libfile-copy-recursive-perl - libfile-sharedir-perl + libclass-inspector-perl - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: #878004 Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe  * libdbix-simple-perl: universe  * libemail-mime-perl: universe    - libemail-messageid-perl: universe    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * 
libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. 
SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. 
I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running: $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. 
was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libdbd-sqlite3-perl: universe ### This existed in main in 2013 (Trusty), but was subsequently demoted. Its original promotion was via LP: #196145. This has no dependencies from universe. ### libdbix-simple-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad, except one sync request to update it in 2017. This has Recommends on three universe packages: libobject-accessor-perl, libsql-abstract-perl, libtext-table-perl Since those recursively depend on additional perl modules in universe, it may be worth moving those to Suggests. ### libemail-mime-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. This has some further universe dependencies: * libemail-mime-perl   - libemail-messageid-perl   - libemail-mime-contenttype-perl   - libemail-mime-encodings-perl   - libemail-simple-perl ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. 
It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have been demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. 
### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: #878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-06-30 23:50:19 Bryce Harrington bug added subscriber MIR approval team
2023-06-30 23:51:45 Bryce Harrington libmail-dmarc-perl (Ubuntu): status Incomplete New
2023-07-06 08:45:15 Miriam España Acebal libmail-dmarc-perl (Ubuntu): assignee Miriam España Acebal (mirespace)
2023-07-06 09:42:13 Christian Ehrhardt libmail-dmarc-perl (Ubuntu): status New Incomplete
2023-08-02 13:51:12 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe  * libdbix-simple-perl: universe  * libemail-mime-perl: universe    - libemail-messageid-perl: universe    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. 
[Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. 
Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. 
Behavioral performance was checked by running: $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. 
Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libdbd-sqlite3-perl: universe ### This existed in main in 2013 (Trusty), but was subsequently demoted. Its original promotion was via LP: #196145. This has no dependencies from universe. ### libdbix-simple-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad, except one sync request to update it in 2017. This has Recommends on three universe packages: libobject-accessor-perl, libsql-abstract-perl, libtext-table-perl Since those recursively depend on additional perl modules in universe, it may be worth moving those to Suggests. ### libemail-mime-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. This has some further universe dependencies: * libemail-mime-perl   - libemail-messageid-perl   - libemail-mime-contenttype-perl   - libemail-mime-encodings-perl   - libemail-simple-perl ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. 
* libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have been demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. 
### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: #878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe  * libemail-mime-perl: universe    - libemail-messageid-perl: universe    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. 
[Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. 
Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. 
Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. 
Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libdbix-simple-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad, except one sync request to update it in 2017. This has Recommends on three universe packages: libobject-accessor-perl, libsql-abstract-perl, libtext-table-perl Since those recursively depend on additional perl modules in universe, it may be worth moving those to Suggests. ### libemail-mime-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. This has some further universe dependencies: * libemail-mime-perl   - libemail-messageid-perl   - libemail-mime-contenttype-perl   - libemail-mime-encodings-perl   - libemail-simple-perl ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. 
* libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have been demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. 
### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: #878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-08-08 09:40:28 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe  * libemail-mime-perl: universe    - libemail-messageid-perl: universe    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. 
[Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. 
Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. 
Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. 
Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libdbix-simple-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad, except one sync request to update it in 2017. This has Recommends on three universe packages: libobject-accessor-perl, libsql-abstract-perl, libtext-table-perl Since those recursively depend on additional perl modules in universe, it may be worth moving those to Suggests. ### libemail-mime-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. This has some further universe dependencies: * libemail-mime-perl   - libemail-messageid-perl   - libemail-mime-contenttype-perl   - libemail-mime-encodings-perl   - libemail-simple-perl ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. 
* libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have been demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. 
### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: #878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    - libemail-messageid-perl: universe    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. 
[Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. 
Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. 
Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. 
Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-mime-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. This has some further universe dependencies: * libemail-mime-perl   - libemail-messageid-perl   - libemail-mime-contenttype-perl   - libemail-mime-encodings-perl   - libemail-simple-perl ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. 
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-08-09 13:52:38 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    - libemail-messageid-perl: universe    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing 
individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. 
[Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. 
Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. 
[UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-mime-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. This has some further universe dependencies: * libemail-mime-perl   - libemail-messageid-perl   - libemail-mime-contenttype-perl   - libemail-mime-encodings-perl   - libemail-simple-perl ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. 
* libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * 
libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. 
SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. 
I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. 
was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-mime-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. This has some further universe dependencies: * libemail-mime-perl   - libemail-messageid-perl   - libemail-mime-contenttype-perl   - libemail-mime-encodings-perl   - libemail-simple-perl ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. 
* libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. 
### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-08-10 07:52:28 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl 
modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. 
[Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. 
Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. 
[UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-mime-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. This has some further universe dependencies: * libemail-mime-perl   - libemail-messageid-perl   - libemail-mime-contenttype-perl   - libemail-mime-encodings-perl   - libemail-simple-perl ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. 
* libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * 
libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. 
SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. 
I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. 
was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. 
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-08-10 10:06:01 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial 
Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. 
[Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. 
Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. 
[UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. 
### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). 
This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: 
universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. 
libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. 
I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. 
was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. 
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-08-10 11:23:26 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - 
libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. 
libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. 
I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. 
was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. 
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962 + libtext-unidecode-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: 
universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. 
DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. 
I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. 
[Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. 
### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. 
See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-08-11 12:33:48 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962 + libtext-unidecode-perl: universe    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    
- libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. 
libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. 
I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. 
was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. 
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * 
libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. 
* libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. 
### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-08-16 06:54:59 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * 
libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. 
SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. 
I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. 
was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. 
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - 
libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. 
* libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. 
### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-08-16 07:39:46 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - 
libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. 
libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. 
I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. 
Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. 
No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: 
universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. 
* libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. 
### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: #878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-09-01 11:03:36 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmodule-pluggable-perl: universe    - libmro-compat-perl: universe (Already listed above)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * 
libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. 
DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. 
I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. 
[Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmodule-pluggable-perl   - libmro-compat-perl (See above)   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. 
### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. 
See MIR bug LP: #878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + 
libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. 
It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. 
* libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. 
### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: #878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-09-26 09:01:53 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - 
libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. 
libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. 
I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. 
Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libemail-sender-perl: universe ### This has been in the archive since at least 2013. It's never had a bug filed against it in Launchpad. * libemail-sender-perl   - libemail-abstract-perl     + libemail-simple-perl     + libmodule-pluggable-perl     + libmro-compat-perl       • libclass-c3-perl         ◦ libalgorithm-c3-perl         ◦ libclass-c3-xs-perl (Recommends)       • libclass-c3-xs-perl (Recommends)   - libemail-simple-perl   - libmoox-types-mooselike-perl   - libscalar-list-utils-perl   - libthrowable-perl     + libmoose-perl (Recommends)       • <several> Since libmoose-perl pulls in more universe packages, but is just a Recommends, we could drop it to Suggests instead. ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. 
* libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: 
universe (Recommends)    - libemail-simple-perl: universe    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. 
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-09-26 09:10:21 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: 
universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. 
DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. 
I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. 
[Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. 
* libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe 
(Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. 
DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. 
I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. 
[Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded.
* libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-09-26 11:42:40 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      + libemail-simple-perl: universe      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037392  * 
libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013.
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libemail-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491      + libmodule-pluggable-perl: universe      +
libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. 
It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013.
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-09-28 10:00:11 Christian Ehrhardt  description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libemail-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libemail-simple-perl: universe    - libmoox-types-mooselike-perl: universe 
   - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. 
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: 
universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. 
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-09-28 10:10:18 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe  * libfile-sharedir-perl: universe    + 
libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. 
DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. 
I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. 
[Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. 
* libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: 
universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. 
DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. 
I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. 
[Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. 
* libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-10-05 22:52:38 Miriam España Acebal attachment added libmail-dmarc-perl-split.debdiff https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971/+attachment/5707202/+files/libmail-dmarc-perl-split.debdiff
2023-10-16 08:39:43 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-idn-encode-perl: universe ### This has been in the archive since at least 2013. 
It had a MIR accepted in 2015 for Xenial (see LP: #1494890) but appears to have demoted back to universe around Xenial's release. ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. 
In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: 
universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. 
It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. 
It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-10-16 14:46:45 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. 
It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: 
universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. 
It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-10-16 14:48:12 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. 
It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-ip-perl: universe ### This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago. ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: 
universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. 
It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-10-17 11:30:49 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. 
It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libregexp-common-perl: universe ### This was in main from Natty to Xenial EOL (2013-2018), and has never had bugs reported against it in Launchpad ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: 
universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. 
It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-10-17 12:23:47 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libfile-sharedir-perl: universe ### This existed in main in 2013 (Trusty), but was demoted after that. No depends from universe. * libfile-sharedir-perl   + libclass-inspector-perl ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. 
It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. 
Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. 
* libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-10-17 13:02:11 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. 
It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. 
* libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. 
It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. 
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. 
* libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-11-13 12:35:23 Miriam España Acebal description Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this requires the following runtime binary dependencies: Only listing on first occurrence  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe          ◦ libclass-c3-xs-perl: universe (Recommends)        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libclass-tiny-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe These are all relatively trivial Perl modules, many of which have been in main previously, and do not appear worth filing individual MIRs on, so will be covered as a set here in this bug. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. 
DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package, and requires it in order to perform this DMARC evaluation. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. 
Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. 
I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) 
A recursive listing of binary universe depends needing promoted is summarized above; below is some per-package analysis of each of the principal universe dependencies ### libnet-imap-simple-perl: universe ### This has been in the archive since 2006, but has never been in main. It's only had one bug ever reported against it (back in 2010). This is just a Recommends so could be excluded. * libnet-imap-simple-perl (Recommends)   - libparse-recdescent-perl (Recommends) ### libnet-smtps-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it. This is just a Recommends so could be excluded. ### libtest-file-sharedir-perl: universe ### This has been in the archive since 2015, but never in main. It's never had bugs reported against it in Launchpad. * libtest-file-sharedir-perl   - libclass-tiny-perl   - libfile-copy-recursive-perl   - libfile-sharedir-perl     + libclass-inspector-perl   - libscope-guard-perl ### libtest-output-perl: universe ### This has been in the archive since 2009, and was in main from Precise to Wily EOL (2011-2018) and demoted in Xenial. See MIR bug LP: # 878004 [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified. [NEW description DRAFT- WIP: updated the 11 packages that need to be promoted only (yes), revamping the other sections (wip)] Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see original description if needed). However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binary dependencies to be promoted too. Those packages are the following ones (11): * libemail-mime-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880 - libemail-messageid-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956 - libemail-mime-contenttype-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962 + libtext-unidecode-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109 - libemail-mime-encodings-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487 - libemail-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491 * libfile-sharedir-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566 + libclass-inspector-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569 * libnet-idn-encode-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929 * libnet-ip-perl: universe https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456 * libregexp-common-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 The rest would be moved to Suggested dependencies. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. 
[Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package ❯ apt-cache rdepends libmail-dmarc-perl libmail-dmarc-perl Reverse Depends: spamassassin and requires it in order to perform this DMARC evaluation: Spamassassin dmarc plugin [1] only uses the Mail::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. However, it is true that it could also use the save_aggregate function if the dmarc_save_reports variable is set through mail-dmarc.ini to 1 (the default is 0 [4], and also in the ini file [5]). That function will need the Mail::DMARC::Report::Store module and the Mail::DMARC::Report::URI module. 
libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm) [2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242) [3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322) [4] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n111) [5] (https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/share/mail-dmarc.ini#n21) [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low. In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. 
[Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. [Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. 
Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). This package does not use vendored code, is not rust-based, and does not have build issues currently identified.
2023-11-14 21:22:19 Bryce Harrington libmail-dmarc-perl (Ubuntu): importance Undecided High
2023-11-24 10:00:03 Launchpad Janitor merge proposal linked https://code.launchpad.net/~mirespace/+git/team-subscriptions/+merge/456236
2023-12-05 14:44:00 Miriam España Acebal description [NEW description DRAFT- WIP: updated the 11 packages that need to be promoted only (yes), revamping the other sections (wip)] Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see original description if needed). However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binary dependencies to be promoted too. Those packages are the following ones (11): * libemail-mime-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880 - libemail-messageid-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956 - libemail-mime-contenttype-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962 + libtext-unidecode-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109 - libemail-mime-encodings-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487 - libemail-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491 * libfile-sharedir-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566 + libclass-inspector-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569 * libnet-idn-encode-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929 * libnet-ip-perl: universe https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456 * libregexp-common-perl: universe MIR bug
https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 The rest would be moved to Suggested dependencies. [Availability] The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures. [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package ❯ apt-cache rdepends libmail-dmarc-perl libmail-dmarc-perl Reverse Depends: spamassassin and requires it in order to perform this DMARC evaluation: Spamassassin dmarc plugin [1] only uses the Mail::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3].
However, it is true that it also could use the save_aggregate function if the dmarc_save_reports variable is set through mail-dmarc.ini to 1 (default is 0 [4], and also in the ini file [5]). That function will need the Mail::DMARC::Report::Store module and the Mail::DMARC::Report::URI module. libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm) [2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242) [3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322) [4] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n111) [5] (https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/share/mail-dmarc.ini#n21) [Security] "libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low.
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional. [Quality assurance - function/usage] I've verified libmail-dmarc-perl installs with its required installation dependencies. I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error. I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue. I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures. [Quality assurance - maintenance] I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis. 
[Quality assurance - testing] I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues. Nearly all these perl modules have been around for many years, so their testing status and behavior is well established. [Quality assurance - packaging] Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state. All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion. [UI Standards] Application is not end-user facing (does not need translation) [Dependencies] Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe. The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.) [Standards Compliance] These packages correctly follow FHS and Debian Policy [Maintenance/Owner] libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). 
This package does not use vendored code, is not rust-based, and does not have build issues currently identified. [MIR] libmail-dmarc-perl Package: libmail-dmarc-perl Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see [Dependencies] section for detailed dependencies tree). However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binary dependencies to be promoted too. Those packages are the following ones (11), which I propose for promotion instead of the complete dependencies tree: * libemail-mime-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880 - libemail-messageid-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956 - libemail-mime-contenttype-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962 + libtext-unidecode-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109 - libemail-mime-encodings-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487 - libemail-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491 * libfile-sharedir-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566 + libclass-inspector-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569 * libnet-idn-encode-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929 * libnet-ip-perl: universe https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456 * libregexp-common-perl:
universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 The rest would be moved to Suggested dependencies. [Availability] The package libmail-dmarc-perl is already in Ubuntu universe. The package libmail-dmarc-perl builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64 (all) Link to package https://launchpad.net/ubuntu/+source/libmail-dmarc-perl [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") [0] is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. 
SpamAssassin is the primary user of this package ❯ apt-cache rdepends libmail-dmarc-perl libmail-dmarc-perl Reverse Depends: spamassassin and requires it in order to perform this DMARC evaluation: Spamassassin dmarc plugin [1] only uses the Mail::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. It means that Spamassassin only uses by default the DMARC's validation feature, and optionally the DMARC's Reporting feature. libmail-dmarc-perl is a relatively new source package that was proposed for lunar [4] but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [0] (https://dmarc.org/) [1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm) [2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242) [3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322) [4] (https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023606) [Security] No CVEs/security issues in this software in the past: - (0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmail-dmarc-perl - (0) https://ubuntu.com/security/cves?q=&package=libmail-dmarc-perl - (0) https://security-tracker.debian.org/tracker/source-package/libmail-dmarc-perl Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). No `suid` or `sgid` binaries. No executables in `/sbin` and `/usr/sbin`. Package does not install services, timers or recurring jobs, but contains an example of a cron job for updating the public_suffix_list (https://publicsuffix.org/). Package does not open privileged ports (ports < 1024).
Package does not expose any external endpoints. Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...): It is the basis for the DMARC plugin of spamassassin, implementing the DMARC policy validation (and reporting). Upstream's source code includes the build of a web server (dmarc_httpd) and an HTTP client (dmarc_http_client), but these binaries are not installed in the debian package (they are suppressed on build time for autoinstallation). [Quality assurance - function/usage] The package works well right after installed with its required installation dependencies. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running: $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox Processing of emails by spamassassin using its DMARC plugin that uses libmail-dmarc-perl validation function was tested also grabbing an email (i.e, from gmail) and doing: $ spamc -R < message-mattermost-hey.eml | grep DMARC -0.0 DMARC_PASS DMARC pass policy also, non pass results with an already classified as spam mail (by gmail, cleaning the header): 0.9 DMARC_NONE DMARC none policy or introducing typos to malform domains/header: 0.0 DMARC_MISSING Missing DMARC policy <TODO: Examples of rejection> The specific test on spamassassin for DMARC (t/dmarc.t) was also run successfully (without the implicit net tests on this file): $ make test TEST_FILES="t/dmarc.t" "/usr/bin/perl" build/mkrules --exit_on_no_src --src rulesrc --out rules --manifest MANIFEST --manifestskip MANIFEST.SKIP mkrules: no rules updated "/usr/bin/perl" build/preprocessor -Mvars -DVERSION="4.000000" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DLOCAL_STATE_DIR="/var/lib/spamassassin" -DINSTALLSITELIB="/usr/local/share/perl/5.36.0" -DCONTACT_ADDRESS="the administrator of that 
system" -DRE2C_BIN="re2c" -Msharpbang -Mconditional -DPERL_BIN=""/usr/bin/perl"" -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-update.raw -osa-update cp sa-update blib/script/sa-update "/usr/bin/perl" -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/sa-update PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/dmarc.t t/dmarc.t .. Nov 3 12:36:16.977 [8195] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 1/18 Nov 3 12:36:18.906 [8197] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 3/18 Nov 3 12:36:21.247 [8199] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 5/18 Nov 3 12:36:23.737 [8201] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 7/18 Nov 3 12:36:26.153 [8203] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 9/18 Nov 3 12:36:29.117 [8205] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 11/18 Nov 3 12:36:32.796 [8207] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 13/18 Nov 3 12:36:35.338 [8209] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 15/18 Nov 3 12:36:37.374 [8211] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. ok All tests successful. 
Files=1, Tests=18, 31 wallclock secs ( 0.02 usr 0.00 sys + 12.18 cusr 0.88 csys = 13.08 CPU) Result: PASS [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu and does not have too many, long-term & critical, open bugs: - Ubuntu (0) https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug - Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmail-dmarc-perl - Upstream's bug tracker (4) https://github.com/msimerson/mail-dmarc/issues + Upstream's repo last activity: https://github.com/msimerson/mail-dmarc/issues - last commit: in master, Oct 25, 2023 - Issues without answer: 2 - Updated issue/PR: Oct 25, 2023 - last fixed/closed/merged issue: Oct 25, 2023 - last merged PR: Oct 25, 2023 The package has one important/old open bugs on upstream: Invalid XML in generated reports, https://github.com/msimerson/mail-dmarc/issues/190 The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a test suite on build time, if it fails it makes the build fail: https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz : Creating new 'Build' script for 'Mail-DMARC' version '1.20230215' dh_auto_build /usr/bin/perl Build Building Mail-DMARC dh_auto_test /usr/bin/perl Build test --verbose 1 The package doesn't run an autopkgtest. [Quality assurance - packaging] debian/watch is present and works. 
debian/control defines a correct Maintainer field : Noah Meyerhans <noahm@debian.org> ( https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/control#n2) This package does not yield massive lintian Warnings, Errors - recent build log of the package https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz - full output from `lintian --pedantic` : #source ❯ lintian -EvIL +pedantic --show-overrides E: libmail-dmarc-perl changes: bad-distribution-in-changes-file noble W: libmail-dmarc-perl: changelog-distribution-does-not-match-changes-file unstable != noble [usr/share/doc/libmail-dmarc-perl/changelog.Debian.gz:1] W: libmail-dmarc-perl changes: distribution-and-changes-mismatch noble unstable I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Report::Receive.3pm.gz:162] I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Result.3pm.gz:184] P: libmail-dmarc-perl: repeated-path-segment share [usr/share/perl5/auto/share/] X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_lookup] X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_receive] X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_send_reports] X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_update_public_suffix_list] X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_view_reports] X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_lookup] X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_receive] X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_send_reports] X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_update_public_suffix_list] X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_view_reports] #binary ❯ lintian 
-EvIL +pedantic --show-overrides ../libmail-dmarc-perl_1.20230215-1.dsc I: libmail-dmarc-perl source: out-of-date-standards-version 4.6.0 (released 2021-08-18) (current is 4.6.2) X: libmail-dmarc-perl source: debian-watch-does-not-check-openpgp-signature [debian/watch] X: libmail-dmarc-perl source: libmodule-build-perl-needs-to-be-in-build-depends X: libmail-dmarc-perl source: update-debian-copyright 2022 vs 2023 [debian/copyright:11] This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies. The package will not be installed by default. Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/rules [UI standards] Application is not end-user facing (does not need translation). [Dependencies] As exposed at the beginning, this package needed initially +-44 MIR bugs (depending on the processing of the Recommends ones). This is the original dependency tree, only listing on first occurrence: * libdbd-sqlite3-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379 * libdbix-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731 * libemail-mime-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880 - libemail-messageid-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956 - libemail-mime-contenttype-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962 + libtext-unidecode-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109 - libemail-mime-encodings-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487 - libemail-simple-perl: universe MIR bug: 
https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491 * libemail-sender-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389 - libemail-abstract-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405 + libmodule-pluggable-perl: universe + libmro-compat-perl: universe • libclass-c3-perl: universe ◦ libalgorithm-c3-perl: universe • libclass-c3-xs-perl: universe (Recommends) - libmoox-types-mooselike-perl: universe - libscalar-list-utils-perl: universe - libthrowable-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392 + libmoose-perl: universe (Recommends) • libclass-load-perl: universe • libclass-load-xs-perl: universe • libdevel-globaldestruction-perl: universe • libdevel-overloadinfo-perl: universe • libeval-closure-perl: universe ◦ libdevel-lexalias-perl: universe (Recommends) · libdevel-caller-perl: universe ·· libpadwalker-perl: universe • libmodule-runtime-conflicts-perl: universe ◦ libdist-checkconflicts-perl: universe • libpackage-deprecationmanager-perl: universe ◦ libscalar-list-utils-perl: universe • libdevel-partialdump-perl: universe (Recommends) ◦ libclass-tiny-perl: universe * libfile-sharedir-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566 + libclass-inspector-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569 * libnet-idn-encode-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929 * libnet-imap-simple-perl: universe (Recommends) - libparse-recdescent-perl: universe (Recommends) * libnet-ip-perl: universe https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456 * libnet-smtps-perl: universe * libregexp-common-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 * 
libtest-file-sharedir-perl: universe - libfile-copy-recursive-perl: universe - libfile-sharedir-perl: universe + libclass-inspector-perl: universe - libscope-guard-perl: universe * libtest-output-perl: universe But, attending on how spamassassin works -explained above-, I believe we can split these dependencies into dependencies used by the reporting feature and dependencies used by validation feature. Walking this way, the dependencies used in validation remain as needed runtime binary dependencies, and the dependencies used in reporting go to suggested runtime dependencies. Therefore, only 11 packages would need to go through the MIR process to satisfy libmail-dmarc-perl dependencies: * libemail-mime-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880 - libemail-messageid-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956 - libemail-mime-contenttype-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962 + libtext-unidecode-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109 - libemail-mime-encodings-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487 - libemail-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491 * libfile-sharedir-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566 + libclass-inspector-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569 * libnet-idn-encode-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929 * libnet-ip-perl: universe https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456 * libregexp-common-perl: universe MIR bug
https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 a package following this scheme was built and it is available for testing on mantic here: ppa:mirespace/libmail-dmarc-perl-suggested https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested and the debdiff (for noble now) is here: https://pastebin.ubuntu.com/p/2kW5HwSsCq/ . Note that, in this package, there is a suppression of a perl library (on main) that I suspect is not needed, as the package builds well and tests passed also. I opened this question to upstream (https://github.com/msimerson/mail-dmarc/issues/215). Also, there is this MP (https://code.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/+git/libmail-dmarc-perl/+merge/456713) opened for tracking changes to the package. For the moment, apart from the split, we have: - refactor for not using libemail-mime-perl (done) - adding autopkgtest for validating the splitting (wip) This package passes all the tests explained in the [Quality assurance - function/usage] section. [Standards compliance] This package correctly follows FHS and Debian Policy [Maintenance/Owner] Owning Team will be the Ubuntu Server Team, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). Team is not yet, but will subscribe to the package before promotion. This does not use static builds. This does not use vendored code. This package is not rust based. The package successfully built during the most recent test rebuild : https://launchpad.net/ubuntu/+archive/test-rebuild-20230830-mantic/+build/26600016/+files/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz [Background information] The Package description explains the package well. Upstream Name is Mail-DMARC . 
Link to upstream project: https://metacpan.org/release/Mail-DMARC
About SSLeay (https://github.com/msimerson/mail-dmarc/issues/215): for the moment I keep the library in the dependencies, but libhttp-tiny-perl is not in use by the Debian package because that is provided by the perl package itself, so I'm still wondering about it. This has been in the archive since this year (Lunar, 1.20211209-1).
2023-12-05 14:48:57 Miriam España Acebal description [MIR] libmail-dmarc-perl Package: libmail-dmarc-perl Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see [Dependencies] section for detailed dependencies tree) . However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binaries dependencies to be promoted too. Those packages are the following ones (11), which I propose for promotion instead of the complete dependencies tree: * libemail-mime-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880 - libemail-messageid-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956 - libemail-mime-contenttype-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962 + libtext-unidecode-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109 - libemail-mime-encodings-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487 - libemail-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491 * libfile-sharedir-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566 + libclass-inspector-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569 * libnet-idn-encode-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929 * libnet-ip-perl: universe https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456 * libregexp-common-perl: universe MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 The rest would be moved to Suggested dependencies. [Availability] The package libmail-dmarc-perl is already in Ubuntu universe. The package libmail-dmarc-perl builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64 (all) Link to package https://launchpad.net/ubuntu/+source/libmail-dmarc-perl [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") [0] is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. 
SpamAssassin is the primary user of this package ❯ apt-cache rdepends libmail-dmarc-perl libmail-dmarc-perl Reverse Depends: spamassassin and requires it in order to perform this DMARC evaluation: Spamassassin dmarc plugin [1] only uses the MAIL::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. It means that Spamassasin only uses by default the DMARC's validation feature, and optionally the DMARC's Reporting feature. libmail-dmarc-perl is a relatively new source package that was proposed for lunar [4] but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [0] (https://dmarc.org/) [1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm) [2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242) [3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322) [4] (https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023606) [Security] No CVEs/security issues in this software in the past: - (0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmail-dmarc-perl - (0) https://ubuntu.com/security/cves?q=&package=libmail-dmarc-perl - (0) https://security-tracker.debian.org/tracker/source-package/libmail-dmarc-perl Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). No `suid` or `sgid` binaries. No executables in `/sbin` and `/usr/sbin`. Package does not install services, timers or recurring jobs, but contains an example of a cron job for updating the public_suffix_list (https://publicsuffix.org/). Package does not open privileged ports (ports < 1024). 
Package does not expose any external endpoints. Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...): It is the basis for the DMARC plugin of spamassassin, implementing the DMARC policy validation (and reporting). Upstream's source code includes the build of a web server (dmarc_httpd) and an HTTP client (dmarc_http_client), but these binaries are not installed in the debian package (they are suppressed on build time for autoinstallation). [Quality assurance - function/usage] The package works well right after installed with its required installation dependencies. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running: $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox Processing of emails by spamassassin using its DMARC plugin that uses libmail-dmarc-perl validation function was tested also grabbing an email (i.e, from gmail) and doing: $ spamc -R < message-mattermost-hey.eml | grep DMARC -0.0 DMARC_PASS DMARC pass policy also, non pass results with an already classified as spam mail (by gmail, cleaning the header): 0.9 DMARC_NONE DMARC none policy or introducing typos to malform domains/header: 0.0 DMARC_MISSING Missing DMARC policy <TODO: Examples of rejection> The specific test on spamassassin for DMARC (t/dmarc.t) was also run successfully (without the implicit net tests on this file): $ make test TEST_FILES="t/dmarc.t" "/usr/bin/perl" build/mkrules --exit_on_no_src --src rulesrc --out rules --manifest MANIFEST --manifestskip MANIFEST.SKIP mkrules: no rules updated "/usr/bin/perl" build/preprocessor -Mvars -DVERSION="4.000000" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DLOCAL_STATE_DIR="/var/lib/spamassassin" -DINSTALLSITELIB="/usr/local/share/perl/5.36.0" -DCONTACT_ADDRESS="the administrator of that 
system" -DRE2C_BIN="re2c" -Msharpbang -Mconditional -DPERL_BIN=""/usr/bin/perl"" -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-update.raw -osa-update cp sa-update blib/script/sa-update "/usr/bin/perl" -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/sa-update PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/dmarc.t t/dmarc.t .. Nov 3 12:36:16.977 [8195] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 1/18 Nov 3 12:36:18.906 [8197] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 3/18 Nov 3 12:36:21.247 [8199] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 5/18 Nov 3 12:36:23.737 [8201] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 7/18 Nov 3 12:36:26.153 [8203] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 9/18 Nov 3 12:36:29.117 [8205] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 11/18 Nov 3 12:36:32.796 [8207] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 13/18 Nov 3 12:36:35.338 [8209] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. 15/18 Nov 3 12:36:37.374 [8211] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. t/dmarc.t .. ok All tests successful. 
Files=1, Tests=18, 31 wallclock secs ( 0.02 usr 0.00 sys + 12.18 cusr 0.88 csys = 13.08 CPU)
Result: PASS

[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and does not have too many, long-term & critical, open bugs:
- Ubuntu (0) https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug
- Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmail-dmarc-perl
- Upstream's bug tracker (4) https://github.com/msimerson/mail-dmarc/issues
  + Upstream's repo last activity: https://github.com/msimerson/mail-dmarc/issues
    - last commit: in master, Oct 25, 2023
    - Issues without answer: 2
    - Updated issue/PR: Oct 25, 2023
    - last fixed/closed/merged issue: Oct 25, 2023
    - last merged PR: Oct 25, 2023
The package has one important/old open bug upstream: Invalid XML in generated reports, https://github.com/msimerson/mail-dmarc/issues/190
The package does not deal with exotic hardware we cannot support.

[Quality assurance - testing]
The package runs a test suite at build time; if it fails, it makes the build fail:
https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz :
Creating new 'Build' script for 'Mail-DMARC' version '1.20230215'
   dh_auto_build
        /usr/bin/perl Build
Building Mail-DMARC
   dh_auto_test
        /usr/bin/perl Build test --verbose 1
The package doesn't run an autopkgtest.

[Quality assurance - packaging]
debian/watch is present and works.
debian/control defines a correct Maintainer field: Noah Meyerhans <noahm@debian.org> (https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/control#n2)
This package does not yield massive lintian Warnings, Errors
- recent build log of the package https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz
- full output from `lintian --pedantic`:
#source
❯ lintian -EvIL +pedantic --show-overrides
E: libmail-dmarc-perl changes: bad-distribution-in-changes-file noble
W: libmail-dmarc-perl: changelog-distribution-does-not-match-changes-file unstable != noble [usr/share/doc/libmail-dmarc-perl/changelog.Debian.gz:1]
W: libmail-dmarc-perl changes: distribution-and-changes-mismatch noble unstable
I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Report::Receive.3pm.gz:162]
I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Result.3pm.gz:184]
P: libmail-dmarc-perl: repeated-path-segment share [usr/share/perl5/auto/share/]
X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_lookup]
X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_receive]
X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_send_reports]
X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_update_public_suffix_list]
X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_view_reports]
X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_lookup]
X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_receive]
X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_send_reports]
X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_update_public_suffix_list]
X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_view_reports]
#binary
❯ lintian 
-EvIL +pedantic --show-overrides ../libmail-dmarc-perl_1.20230215-1.dsc I: libmail-dmarc-perl source: out-of-date-standards-version 4.6.0 (released 2021-08-18) (current is 4.6.2) X: libmail-dmarc-perl source: debian-watch-does-not-check-openpgp-signature [debian/watch] X: libmail-dmarc-perl source: libmodule-build-perl-needs-to-be-in-build-depends X: libmail-dmarc-perl source: update-debian-copyright 2022 vs 2023 [debian/copyright:11] This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies. The package will not be installed by default. Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/rules [UI standards] Application is not end-user facing (does not need translation). [Dependencies] As exposed at the beginning, this package needed initially +-44 MIR bugs (depending on the processing of the Recommends ones). This is the original dependency tree, only listing on first occurrence: * libdbd-sqlite3-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379 * libdbix-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731 * libemail-mime-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880 - libemail-messageid-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956 - libemail-mime-contenttype-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962 + libtext-unidecode-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109 - libemail-mime-encodings-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487 - libemail-simple-perl: universe MIR bug: 
https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491 * libemail-sender-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389 - libemail-abstract-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405 + libmodule-pluggable-perl: universe + libmro-compat-perl: universe • libclass-c3-perl: universe ◦ libalgorithm-c3-perl: universe • libclass-c3-xs-perl: universe (Recommends) - libmoox-types-mooselike-perl: universe - libscalar-list-utils-perl: universe - libthrowable-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392 + libmoose-perl: universe (Recommends) • libclass-load-perl: universe • libclass-load-xs-perl: universe • libdevel-globaldestruction-perl: universe • libdevel-overloadinfo-perl: universe • libeval-closure-perl: universe ◦ libdevel-lexalias-perl: universe (Recommends) · libdevel-caller-perl: universe ·· libpadwalker-perl: universe • libmodule-runtime-conflicts-perl: universe ◦ libdist-checkconflicts-perl: universe • libpackage-deprecationmanager-perl: universe ◦ libscalar-list-utils-perl: universe • libdevel-partialdump-perl: universe (Recommends) ◦ libclass-tiny-perl: universe * libfile-sharedir-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566 + libclass-inspector-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569 * libnet-idn-encode-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929 * libnet-imap-simple-perl: universe (Recommends) - libparse-recdescent-perl: universe (Recommends) * libnet-ip-perl: universe https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456 * libnet-smtps-perl: universe * libregexp-common-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 * 
libtest-file-sharedir-perl: universe - libfile-copy-recursive-perl: universe - libfile-sharedir-perl: universe + libclass-inspector-perl: universe - libscope-guard-perl: universe * libtest-output-perl: universe But, attending on how spamassassin works -explained above-, I believe we can split these dependencies in dependencies used by the reporting feature and dependencies used by validation feature. Walking this way, the dependencies used in validation remains as needed runtime binary dependencies, and the dependencies used in reporting goes to suggested runtime dependencies. Therefore, only 11 packages would need to go through the MIR process to satisfy libmail-dmarc-perl dependencies: * libemail-mime-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880 - libemail-messageid-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956 - libemail-mime-contenttype-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962 + libtext-unidecode-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109 - libemail-mime-encodings-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487 - libemail-simple-perl: universe MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491 * libfile-sharedir-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566 + libclass-inspector-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569 * libnet-idn-encode-perl: universe MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929 * libnet-ip-perl: universe https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456 * libregexp-common-perl: universe MIR bug 
https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 a package following this scheme was built and it is available for testing on mantic here: ppa:mirespace/libmail-dmarc-perl-suggested https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested and the debdiff (for noble now) is here: https://pastebin.ubuntu.com/p/2kW5HwSsCq/ . Note that, in this package, there is a suppression of a perl library (on main) that I suspect is not needed, as the package builds well and tests passed also. I opened this question to upstream (https://github.com/msimerson/mail-dmarc/issues/215). Also, there is this MP (https://code.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/+git/libmail-dmarc-perl/+merge/456713) opened for tracking changes to the package. For the moment, apart from the split, we have: - refactor for not using libemail-mime-perl (done) - adding autopkgtest for validating the splitting (wip) This package passes all the tests explained in the [Quality assurance - function/usage] section. [Standards compliance] This package correctly follows FHS and Debian Policy [Maintenance/Owner] Owning Team will be the Ubuntu Server Team, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). Team is not yet, but will subscribe to the package before promotion. This does not use static builds. This does not use vendored code. This package is not rust based. The package successfully built during the most recent test rebuild : https://launchpad.net/ubuntu/+archive/test-rebuild-20230830-mantic/+build/26600016/+files/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz [Background information] The Package description explains the package well. Upstream Name is Mail-DMARC . 
Link to upstream project https://metacpan.org/release/Mail-DMARC About SSLeay (https://github.com/msimerson/mail-dmarc/issues/215) and for the moment I keep the library on the dependencies, but libhttp-tiny-perl is not in use by the debian package because that is provided by perl package itself, so I'm wondering about it yet. This has been in the archive since this year (Lunar, 1.20211209-1). [MIR] libmail-dmarc-perl Package: libmail-dmarc-perl Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see [Dependencies] section for detailed dependencies tree) . However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binaries dependencies to be promoted too. Those packages are the following ones (11), which I propose for promotion instead of the complete dependencies tree: * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: 
universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 The rest would be moved to Suggested dependencies. [Availability] The package libmail-dmarc-perl is already in Ubuntu universe. The package libmail-dmarc-perl builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64 (all) Link to package https://launchpad.net/ubuntu/+source/libmail-dmarc-perl [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") [0] is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. 
DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package ❯ apt-cache rdepends libmail-dmarc-perl libmail-dmarc-perl Reverse Depends:   spamassassin and requires it in order to perform this DMARC evaluation: Spamassassin dmarc plugin [1] only uses the MAIL::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. It means that Spamassasin only uses by default the DMARC's validation feature, and optionally the DMARC's Reporting feature. libmail-dmarc-perl is a relatively new source package that was proposed for lunar [4] but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [0] (https://dmarc.org/) [1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm) [2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242) [3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322) [4] (https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023606) [Security] No CVEs/security issues in this software in the past:   - (0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmail-dmarc-perl   - (0) https://ubuntu.com/security/cves?q=&package=libmail-dmarc-perl   - (0) https://security-tracker.debian.org/tracker/source-package/libmail-dmarc-perl Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). No `suid` or `sgid` binaries. No executables in `/sbin` and `/usr/sbin`. 
Package does not install services, timers or recurring jobs, but contains an example of a cron job for updating the public_suffix_list (https://publicsuffix.org/). Package does not open privileged ports (ports < 1024). Package does not expose any external endpoints. Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...): It is the basis for the DMARC plugin of spamassassin, implementing the DMARC policy validation (and reporting). Upstream's source code includes the build of a web server (dmarc_httpd) and an HTTP client (dmarc_http_client), but these binaries are not installed in the debian package (they are suppressed on build time for autoinstallation). [Quality assurance - function/usage] The package works well right after installed with its required installation dependencies. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox Processing of emails by spamassassin using its DMARC plugin that uses libmail-dmarc-perl validation function was tested also grabbing an email (i.e, from gmail) and doing:   $ spamc -R < message-mattermost-hey.eml | grep DMARC   -0.0 DMARC_PASS DMARC pass policy also, non pass results with an already classified as spam mail (by gmail, cleaning the header):    0.9 DMARC_NONE DMARC none policy or introducing typos to malform domains/header:    0.0 DMARC_MISSING Missing DMARC policy For rejection examples, we use the data from spamassassin's test, and we can see: root@Mspamassasin-suggested:~# l spam_mails/ nodmarc.eml noneko.eml quarko.eml rejectko.eml strictrejectko.eml root@Mspamassasin-suggested:~# spamc -R < spam_mails/rejectko.eml | grep DMARC 1.8 DMARC_REJECT DMARC reject policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/strictrejectko.eml | grep DMARC 1.8 DMARC_REJECT DMARC 
reject policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/quarko.eml | grep DMARC 1.2 DMARC_QUAR DMARC quarantine policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/nodmarc.eml | grep DMARC 0.0 DMARC_MISSING Missing DMARC policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/noneko.eml | grep DMARC 0.9 DMARC_NONE DMARC none policy I'm working on an autopkgtest that covers this: The code is uploaded but not working yet. The specific test on spamassassin for DMARC (t/dmarc.t) was also run successfully (without the implicit net tests on this file):   $ make test TEST_FILES="t/dmarc.t"   "/usr/bin/perl" build/mkrules --exit_on_no_src --src rulesrc --out rules --manifest MANIFEST --manifestskip MANIFEST.SKIP   mkrules: no rules updated   "/usr/bin/perl" build/preprocessor -Mvars -DVERSION="4.000000" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DLOCAL_STATE_DIR="/var/lib/spamassassin" -DINSTALLSITELIB="/usr/local/share/perl/5.36.0" -DCONTACT_ADDRESS="the administrator of that system" -DRE2C_BIN="re2c" -Msharpbang -Mconditional -DPERL_BIN=""/usr/bin/perl"" -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-update.raw -osa-update   cp sa-update blib/script/sa-update   "/usr/bin/perl" -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/sa-update   PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/dmarc.t   t/dmarc.t .. Nov 3 12:36:16.977 [8195] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 1/18 Nov 3 12:36:18.906 [8197] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 3/18 Nov 3 12:36:21.247 [8199] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   
  t/dmarc.t .. 5/18 Nov 3 12:36:23.737 [8201] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 7/18 Nov 3 12:36:26.153 [8203] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 9/18 Nov 3 12:36:29.117 [8205] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 11/18 Nov 3 12:36:32.796 [8207] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 13/18 Nov 3 12:36:35.338 [8209] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 15/18 Nov 3 12:36:37.374 [8211] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. ok
  All tests successful.
  Files=1, Tests=18, 31 wallclock secs ( 0.02 usr 0.00 sys + 12.18 cusr 0.88 csys = 13.08 CPU)
  Result: PASS

[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and does not have too many, long-term & critical, open bugs:
   - Ubuntu (0) https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug
   - Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmail-dmarc-perl
   - Upstream's bug tracker (4) https://github.com/msimerson/mail-dmarc/issues
     + Upstream's repo last activity: https://github.com/msimerson/mail-dmarc/issues
       - last commit: in master, Oct 25, 2023
       - Issues without answer: 2
       - Updated issue/PR: Oct 25, 2023
       - last fixed/closed/merged issue: Oct 25, 2023
       - last merged PR: Oct 25, 2023
The package has one important/old open bug on upstream: Invalid XML in generated reports, https://github.com/msimerson/mail-dmarc/issues/190
The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
The package runs a test suite on build time, if it fails it makes the build fail:
https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz :

Creating new 'Build' script for 'Mail-DMARC' version '1.20230215'
   dh_auto_build
  /usr/bin/perl Build
Building Mail-DMARC
   dh_auto_test
  /usr/bin/perl Build test --verbose 1

The package doesn't run an autopkgtest.

[Quality assurance - packaging]
debian/watch is present and works.
debian/control defines a correct Maintainer field : Noah Meyerhans <noahm@debian.org> ( https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/control#n2)
This package does not yield massive lintian Warnings, Errors
  - recent build log of the package https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz
  - full output from `lintian --pedantic` :
    #source
    ❯ lintian -EvIL +pedantic --show-overrides
      E: libmail-dmarc-perl changes: bad-distribution-in-changes-file noble
      W: libmail-dmarc-perl: changelog-distribution-does-not-match-changes-file unstable != noble [usr/share/doc/libmail-dmarc-perl/changelog.Debian.gz:1]
      W: libmail-dmarc-perl changes: distribution-and-changes-mismatch noble unstable
      I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Report::Receive.3pm.gz:162]
      I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Result.3pm.gz:184]
      P: libmail-dmarc-perl: repeated-path-segment share [usr/share/perl5/auto/share/]
      X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_lookup]
      X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_receive]
      X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_send_reports]
      X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_update_public_suffix_list]
      X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_view_reports]
      X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_lookup]
      X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_receive]
      X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_send_reports]
      X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_update_public_suffix_list]
      X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_view_reports]
    #binary
    ❯ lintian -EvIL +pedantic --show-overrides ../libmail-dmarc-perl_1.20230215-1.dsc
      I: libmail-dmarc-perl source: out-of-date-standards-version 4.6.0 (released 2021-08-18) (current is 4.6.2)
      X: libmail-dmarc-perl source: debian-watch-does-not-check-openpgp-signature [debian/watch]
      X: libmail-dmarc-perl source: libmodule-build-perl-needs-to-be-in-build-depends
      X: libmail-dmarc-perl source: update-debian-copyright 2022 vs 2023 [debian/copyright:11]
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies.
The package will not be installed by default.
Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/rules

[UI standards]
Application is not end-user facing (does not need translation).

[Dependencies]
As exposed at the beginning, this package needed initially +-44 MIR bugs (depending on the processing of the Recommends ones).
This is the original dependency tree, only listing on first occurrence:
 * libdbd-sqlite3-perl: universe
   MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379
 * libdbix-simple-perl: universe
   MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731
 * libemail-mime-perl: universe
   MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880
   - libemail-messageid-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956
   - libemail-mime-contenttype-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962
     + libtext-unidecode-perl: universe
       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109
   - libemail-mime-encodings-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487
   - libemail-simple-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491
 * libemail-sender-perl: universe
   MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389
   - libemail-abstract-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405
     + libmodule-pluggable-perl: universe
     + libmro-compat-perl: universe
       • libclass-c3-perl: universe
         ◦ libalgorithm-c3-perl: universe
       • libclass-c3-xs-perl: universe (Recommends)
   - libmoox-types-mooselike-perl: universe
   - libscalar-list-utils-perl: universe
   - libthrowable-perl: universe
     MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392
     + libmoose-perl: universe (Recommends)
       • libclass-load-perl: universe
       • libclass-load-xs-perl: universe
       • libdevel-globaldestruction-perl: universe
       • libdevel-overloadinfo-perl: universe
       • libeval-closure-perl: universe
         ◦ libdevel-lexalias-perl: universe (Recommends)
           · libdevel-caller-perl: universe
              ·· libpadwalker-perl: universe
       • libmodule-runtime-conflicts-perl: universe
         ◦ libdist-checkconflicts-perl: universe
       • libpackage-deprecationmanager-perl: universe
         ◦ libscalar-list-utils-perl: universe
       • libdevel-partialdump-perl: universe (Recommends)
         ◦ libclass-tiny-perl: universe
 * libfile-sharedir-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566
   + libclass-inspector-perl: universe
     MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569
 * libnet-idn-encode-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929
 * libnet-imap-simple-perl: universe (Recommends)
   - libparse-recdescent-perl: universe (Recommends)
 * libnet-ip-perl: universe
   https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456
 * libnet-smtps-perl: universe
 * libregexp-common-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563
 * libtest-file-sharedir-perl: universe
   - libfile-copy-recursive-perl: universe
   - libfile-sharedir-perl: universe
     + libclass-inspector-perl: universe
   - libscope-guard-perl: universe
 * libtest-output-perl: universe

But, attending on how spamassassin works -explained above-, I believe we can split these dependencies in dependencies used by the reporting feature and dependencies used by validation feature. Walking this way, the dependencies used in validation remains as needed runtime binary dependencies, and the dependencies used in reporting goes to suggested runtime dependencies.
Therefore, only 11 packages would need to go through the MIR process to satisfy libmail-dmarc-perl dependencies:
  * libemail-mime-perl: universe
    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880
    - libemail-messageid-perl: universe
      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956
    - libemail-mime-contenttype-perl: universe
      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962
      + libtext-unidecode-perl: universe
        MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109
    - libemail-mime-encodings-perl: universe
      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487
    - libemail-simple-perl: universe
      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491
  * libfile-sharedir-perl: universe
    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566
    + libclass-inspector-perl: universe
      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569
  * libnet-idn-encode-perl: universe
    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929
  * libnet-ip-perl: universe
    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456
  * libregexp-common-perl: universe
    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563

A package following this scheme was built and it is available for testing on mantic here:
ppa:mirespace/libmail-dmarc-perl-suggested
https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested
and the debdiff (for noble now) is here: https://pastebin.ubuntu.com/p/2kW5HwSsCq/ .

Note that, in this package, there is a suppression of a perl library (on main) that I suspect is not needed, as the package builds well and tests passed also. I opened this question to upstream (https://github.com/msimerson/mail-dmarc/issues/215).

Also, there is this MP (https://code.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/+git/libmail-dmarc-perl/+merge/456713) opened for tracking changes to the package. For the moment, apart from the split, we have:
- refactor for not using libemail-mime-perl (done)
- adding autopkgtest for validating the splitting (wip)

This package passes all the tests explained in the [Quality assurance - function/usage] section.

[Standards compliance]
This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
Owning Team will be the Ubuntu Server Team, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past).
Team is not yet, but will subscribe to the package before promotion.
This does not use static builds.
This does not use vendored code.
This package is not rust based.
The package successfully built during the most recent test rebuild : https://launchpad.net/ubuntu/+archive/test-rebuild-20230830-mantic/+build/26600016/+files/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz

[Background information]
The Package description explains the package well.
Upstream Name is Mail-DMARC .
Link to upstream project https://metacpan.org/release/Mail-DMARC
About SSLeay (https://github.com/msimerson/mail-dmarc/issues/215) and for the moment I keep the library on the dependencies, but libhttp-tiny-perl is not in use by the debian package because that is provided by perl package itself, so I'm wondering about it yet.
This has been in the archive since this year (Lunar, 1.20211209-1).
2023-12-05 14:54:45 Miriam España Acebal libmail-dmarc-perl (Ubuntu): status Incomplete New
2023-12-05 15:08:13 Miriam España Acebal description

[MIR] libmail-dmarc-perl
Package: libmail-dmarc-perl

Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main.

According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see [Dependencies] section for detailed dependencies tree) .

However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binaries dependencies to be promoted too. Those packages are the following ones (11), which I propose for promotion instead of the complete dependencies tree:
 * libemail-mime-perl: universe
   MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880
   - libemail-messageid-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956
   - libemail-mime-contenttype-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962
     + libtext-unidecode-perl: universe
       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109
   - libemail-mime-encodings-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487
   - libemail-simple-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491
 * libfile-sharedir-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566
   + libclass-inspector-perl: universe
     MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569
 * libnet-idn-encode-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929
 * libnet-ip-perl: universe
   https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456
 * libregexp-common-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563

The rest would be moved to Suggested dependencies.

[Availability]
The package libmail-dmarc-perl is already in Ubuntu universe.
The package libmail-dmarc-perl builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 (all)
Link to package https://launchpad.net/ubuntu/+source/libmail-dmarc-perl

[Rationale]
tldr; DMARC support in SpamAssassin is important for stronger spam filtering.

Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker.

DMARC (or "Domain-based Message Authentication, Reporting & Conformance") [0] is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check.

libmail-dmarc-perl contains the official Perl implementation of DMARC support.
SpamAssassin is the primary user of this package

❯ apt-cache rdepends libmail-dmarc-perl
libmail-dmarc-perl
Reverse Depends:
  spamassassin

and requires it in order to perform this DMARC evaluation: Spamassassin dmarc plugin [1] only uses the MAIL::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. It means that Spamassassin only uses by default the DMARC's validation feature, and optionally the DMARC's Reporting feature.

libmail-dmarc-perl is a relatively new source package that was proposed for lunar [4] but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13.

[0] (https://dmarc.org/)
[1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm)
[2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242)
[3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322)
[4] (https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023606)

[Security]
No CVEs/security issues in this software in the past:
  - (0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmail-dmarc-perl
  - (0) https://ubuntu.com/security/cves?q=&package=libmail-dmarc-perl
  - (0) https://security-tracker.debian.org/tracker/source-package/libmail-dmarc-perl
Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620).
No `suid` or `sgid` binaries.
No executables in `/sbin` and `/usr/sbin`.
Package does not install services, timers or recurring jobs, but contains an example of a cron job for updating the public_suffix_list (https://publicsuffix.org/).
Package does not open privileged ports (ports < 1024).
Package does not expose any external endpoints.
Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...): It is the basis for the DMARC plugin of spamassassin, implementing the DMARC policy validation (and reporting).
Upstream's source code includes the build of a web server (dmarc_httpd) and an HTTP client (dmarc_http_client), but these binaries are not installed in the debian package (they are suppressed on build time for autoinstallation).

[Quality assurance - function/usage]
The package works well right after installed with its required installation dependencies.
Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:

  $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox

Processing of emails by spamassassin using its DMARC plugin that uses libmail-dmarc-perl validation function was tested also grabbing an email (i.e, from gmail) and doing:

  $ spamc -R < message-mattermost-hey.eml | grep DMARC
  -0.0 DMARC_PASS DMARC pass policy

also, non pass results with an already classified as spam mail (by gmail, cleaning the header):

   0.9 DMARC_NONE DMARC none policy

or introducing typos to malform domains/header:

   0.0 DMARC_MISSING Missing DMARC policy

For rejection examples, we use the data from spamassassin's test, and we can see:

root@Mspamassasin-suggested:~# l spam_mails/
nodmarc.eml noneko.eml quarko.eml rejectko.eml strictrejectko.eml
root@Mspamassasin-suggested:~# spamc -R < spam_mails/rejectko.eml | grep DMARC
1.8 DMARC_REJECT DMARC reject policy
root@Mspamassasin-suggested:~# spamc -R < spam_mails/strictrejectko.eml | grep DMARC
1.8 DMARC_REJECT DMARC reject policy
root@Mspamassasin-suggested:~# spamc -R < spam_mails/quarko.eml | grep DMARC
1.2 DMARC_QUAR DMARC quarantine policy
root@Mspamassasin-suggested:~# spamc -R < spam_mails/nodmarc.eml | grep DMARC
0.0 DMARC_MISSING Missing DMARC policy
root@Mspamassasin-suggested:~# spamc -R < spam_mails/noneko.eml | grep DMARC
0.9 DMARC_NONE DMARC none policy

I'm working on an autopkgtest that covers this: The code is uploaded but not working yet.

The specific test on spamassassin for DMARC (t/dmarc.t) was also run successfully (without the implicit net tests on this file):

  $ make test TEST_FILES="t/dmarc.t"
  "/usr/bin/perl" build/mkrules --exit_on_no_src --src rulesrc --out rules --manifest MANIFEST --manifestskip MANIFEST.SKIP
  mkrules: no rules updated
  "/usr/bin/perl" build/preprocessor -Mvars -DVERSION="4.000000" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DLOCAL_STATE_DIR="/var/lib/spamassassin" -DINSTALLSITELIB="/usr/local/share/perl/5.36.0" -DCONTACT_ADDRESS="the administrator of that system" -DRE2C_BIN="re2c" -Msharpbang -Mconditional -DPERL_BIN=""/usr/bin/perl"" -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-update.raw -osa-update
  cp sa-update blib/script/sa-update
  "/usr/bin/perl" -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/sa-update
  PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/dmarc.t
  t/dmarc.t .. Nov 3 12:36:16.977 [8195] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 1/18 Nov 3 12:36:18.906 [8197] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 3/18 Nov 3 12:36:21.247 [8199] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 5/18 Nov 3 12:36:23.737 [8201] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 7/18 Nov 3 12:36:26.153 [8203] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 9/18 Nov 3 12:36:29.117 [8205] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 11/18 Nov 3 12:36:32.796 [8207] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 13/18 Nov 3 12:36:35.338 [8209] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. 15/18 Nov 3 12:36:37.374 [8211] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.
  t/dmarc.t .. ok
  All tests successful.
  Files=1, Tests=18, 31 wallclock secs ( 0.02 usr 0.00 sys + 12.18 cusr 0.88 csys = 13.08 CPU)
  Result: PASS

[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and does not have too many, long-term & critical, open bugs:
   - Ubuntu (0) https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug
   - Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmail-dmarc-perl
   - Upstream's bug tracker (4) https://github.com/msimerson/mail-dmarc/issues
     + Upstream's repo last activity: https://github.com/msimerson/mail-dmarc/issues
       - last commit: in master, Oct 25, 2023
       - Issues without answer: 2
       - Updated issue/PR: Oct 25, 2023
       - last fixed/closed/merged issue: Oct 25, 2023
       - last merged PR: Oct 25, 2023
The package has one important/old open bug on upstream: Invalid XML in generated reports, https://github.com/msimerson/mail-dmarc/issues/190
The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
The package runs a test suite on build time, if it fails it makes the build fail:
https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz :

Creating new 'Build' script for 'Mail-DMARC' version '1.20230215'
   dh_auto_build
  /usr/bin/perl Build
Building Mail-DMARC
   dh_auto_test
  /usr/bin/perl Build test --verbose 1

The package doesn't run an autopkgtest.

[Quality assurance - packaging]
debian/watch is present and works.
debian/control defines a correct Maintainer field : Noah Meyerhans <noahm@debian.org> ( https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/control#n2)
This package does not yield massive lintian Warnings, Errors
  - recent build log of the package https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz
  - full output from `lintian --pedantic` :
    #source
    ❯ lintian -EvIL +pedantic --show-overrides
      E: libmail-dmarc-perl changes: bad-distribution-in-changes-file noble
      W: libmail-dmarc-perl: changelog-distribution-does-not-match-changes-file unstable != noble [usr/share/doc/libmail-dmarc-perl/changelog.Debian.gz:1]
      W: libmail-dmarc-perl changes: distribution-and-changes-mismatch noble unstable
      I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Report::Receive.3pm.gz:162]
      I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Result.3pm.gz:184]
      P: libmail-dmarc-perl: repeated-path-segment share [usr/share/perl5/auto/share/]
      X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_lookup]
      X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_receive]
      X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_send_reports]
      X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_update_public_suffix_list]
      X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_view_reports]
      X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_lookup]
      X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_receive]
      X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_send_reports]
      X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_update_public_suffix_list]
      X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_view_reports]
    #binary
    ❯ lintian -EvIL +pedantic --show-overrides ../libmail-dmarc-perl_1.20230215-1.dsc
      I: libmail-dmarc-perl source: out-of-date-standards-version 4.6.0 (released 2021-08-18) (current is 4.6.2)
      X: libmail-dmarc-perl source: debian-watch-does-not-check-openpgp-signature [debian/watch]
      X: libmail-dmarc-perl source: libmodule-build-perl-needs-to-be-in-build-depends
      X: libmail-dmarc-perl source: update-debian-copyright 2022 vs 2023 [debian/copyright:11]
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies.
The package will not be installed by default.
Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/rules

[UI standards]
Application is not end-user facing (does not need translation).

[Dependencies]
As exposed at the beginning, this package needed initially +-44 MIR bugs (depending on the processing of the Recommends ones).
This is the original dependency tree, only listing on first occurrence:
 * libdbd-sqlite3-perl: universe
   MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379
 * libdbix-simple-perl: universe
   MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731
 * libemail-mime-perl: universe
   MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880
   - libemail-messageid-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956
   - libemail-mime-contenttype-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962
     + libtext-unidecode-perl: universe
       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109
   - libemail-mime-encodings-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487
   - libemail-simple-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491
 * libemail-sender-perl: universe
   MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389
   - libemail-abstract-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405
     + libmodule-pluggable-perl: universe
     + libmro-compat-perl: universe
       • libclass-c3-perl: universe
         ◦ libalgorithm-c3-perl: universe
       • libclass-c3-xs-perl: universe (Recommends)
   - libmoox-types-mooselike-perl: universe
   - libscalar-list-utils-perl: universe
   - libthrowable-perl: universe
     MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392
     + libmoose-perl: universe (Recommends)
       • libclass-load-perl: universe
       • libclass-load-xs-perl: universe
       • libdevel-globaldestruction-perl: universe
       • libdevel-overloadinfo-perl: universe
       • libeval-closure-perl: universe
         ◦ libdevel-lexalias-perl: universe (Recommends)
           · libdevel-caller-perl: universe
              ·· libpadwalker-perl: universe
       • libmodule-runtime-conflicts-perl: universe
         ◦ libdist-checkconflicts-perl: universe
       • libpackage-deprecationmanager-perl: universe
         ◦ libscalar-list-utils-perl: universe
       • libdevel-partialdump-perl: universe (Recommends)
         ◦ libclass-tiny-perl: universe
 * libfile-sharedir-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566
   + libclass-inspector-perl: universe
     MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569
 * libnet-idn-encode-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929
 * libnet-imap-simple-perl: universe (Recommends)
   - libparse-recdescent-perl: universe (Recommends)
 * libnet-ip-perl: universe
   https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456
 * libnet-smtps-perl: universe
 * libregexp-common-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563
 * libtest-file-sharedir-perl: universe
   - libfile-copy-recursive-perl: universe
   - libfile-sharedir-perl: universe
     + libclass-inspector-perl: universe
   - libscope-guard-perl: universe
 * libtest-output-perl: universe

But, attending on how spamassassin works -explained above-, I believe we can split these dependencies in dependencies used by the reporting feature and dependencies used by validation feature. Walking this way, the dependencies used in validation remains as needed runtime binary dependencies, and the dependencies used in reporting goes to suggested runtime dependencies.
Therefore, only 11 packages would need to go through the MIR process to satisfy libmail-dmarc-perl dependencies:   * libemail-mime-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880     - libemail-messageid-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956     - libemail-mime-contenttype-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962       + libtext-unidecode-perl: universe          MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109     - libemail-mime-encodings-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487     - libemail-simple-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491   * libfile-sharedir-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566     + libclass-inspector-perl: universe       MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569   * libnet-idn-encode-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929   * libnet-ip-perl: universe     https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456   * libregexp-common-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 a package following this scheme was built and it is available for testing on mantic here: ppa:mirespace/libmail-dmarc-perl-suggested https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested and the debdiff (for noble now) is here: https://pastebin.ubuntu.com/p/2kW5HwSsCq/ . Note that, in this package, there is a suppression of a perl library (on main) that I suspect is not needed, as the package builds well and tests passed also. 
I opened this question to upstream (https://github.com/msimerson/mail-dmarc/issues/215). Also, there is this MP (https://code.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/+git/libmail-dmarc-perl/+merge/456713) opened for tracking changes to the package. For the moment, apart from the split, we have: - refactor for not using libemail-mime-perl (done) - adding autopkgtest for validating the splitting (wip) This package passes all the tests explained in the [Quality assurance - function/usage] section. [Standards compliance] This package correctly follows FHS and Debian Policy [Maintenance/Owner] Owning Team will be the Ubuntu Server Team, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). Team is not yet, but will subscribe to the package before promotion. This does not use static builds. This does not use vendored code. This package is not rust based. The package successfully built during the most recent test rebuild : https://launchpad.net/ubuntu/+archive/test-rebuild-20230830-mantic/+build/26600016/+files/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz [Background information] The Package description explains the package well. Upstream Name is Mail-DMARC . Link to upstream project https://metacpan.org/release/Mail-DMARC About SSLeay (https://github.com/msimerson/mail-dmarc/issues/215) and for the moment I keep the library on the dependencies, but libhttp-tiny-perl is not in use by the debian package because that is provided by perl package itself, so I'm wondering about it yet. This has been in the archive since this year (Lunar, 1.20211209-1). [MIR] libmail-dmarc-perl Package: libmail-dmarc-perl Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. 
According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see [Dependencies] section for detailed dependencies tree) . However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binaries dependencies to be promoted too. Those packages are the following ones (11), which I propose for promotion instead of the complete dependencies tree: * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 The rest would be moved to Suggested dependencies. 
[Availability] The package libmail-dmarc-perl is already in Ubuntu universe. The package libmail-dmarc-perl builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64 (all) Link to package https://launchpad.net/ubuntu/+source/libmail-dmarc-perl [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") [0] is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package ❯ apt-cache rdepends libmail-dmarc-perl libmail-dmarc-perl Reverse Depends:   spamassassin and requires it in order to perform this DMARC evaluation: Spamassassin dmarc plugin [1] only uses the MAIL::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. 
This means that SpamAssassin uses only the DMARC validation feature by default, and the DMARC reporting feature optionally. libmail-dmarc-perl is a relatively new source package that was proposed for lunar [4] but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [0] (https://dmarc.org/) [1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm) [2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242) [3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322) [4] (https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023606) [Security] No CVEs/security issues in this software in the past:   - (0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmail-dmarc-perl   - (0) https://ubuntu.com/security/cves?q=&package=libmail-dmarc-perl   - (0) https://security-tracker.debian.org/tracker/source-package/libmail-dmarc-perl Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). No `suid` or `sgid` binaries. No executables in `/sbin` and `/usr/sbin`. Package does not install services, timers or recurring jobs, but contains an example of a cron job for updating the public_suffix_list (https://publicsuffix.org/). Package does not open privileged ports (ports < 1024). Package does not expose any external endpoints. Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...): It is the basis for the DMARC plugin of spamassassin, implementing the DMARC policy validation (and reporting). 
Upstream's source code includes the build of a web server (dmarc_httpd) and an HTTP client (dmarc_http_client), but these binaries are not installed in the debian package (they are suppressed on build time for autoinstallation). [Quality assurance - function/usage] The package works well right after installed with its required installation dependencies. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox Processing of emails by spamassassin using its DMARC plugin that uses libmail-dmarc-perl validation function was tested also grabbing an email (i.e, from gmail) and doing:   $ spamc -R < message-mattermost-hey.eml | grep DMARC   -0.0 DMARC_PASS DMARC pass policy also, non pass results with an already classified as spam mail (by gmail, cleaning the header):    0.9 DMARC_NONE DMARC none policy or introducing typos to malform domains/header:    0.0 DMARC_MISSING Missing DMARC policy For rejection examples, we use the data from spamassassin's test, and we can see: root@Mspamassasin-suggested:~# l spam_mails/ nodmarc.eml noneko.eml quarko.eml rejectko.eml strictrejectko.eml root@Mspamassasin-suggested:~# spamc -R < spam_mails/rejectko.eml | grep DMARC  1.8 DMARC_REJECT DMARC reject policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/strictrejectko.eml | grep DMARC  1.8 DMARC_REJECT DMARC reject policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/quarko.eml | grep DMARC  1.2 DMARC_QUAR DMARC quarantine policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/nodmarc.eml | grep DMARC  0.0 DMARC_MISSING Missing DMARC policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/noneko.eml | grep DMARC  0.9 DMARC_NONE DMARC none policy I'm working on an autopkgtest that covers this: The code is uploaded but not working yet. 
For manual testing, you can get the eml messages from this commit: https://git.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/commit/?id=feb85cd6f97508c98bdeb732fe25f876f33790d4 where d/t/data/nice contains messages that qualify as PASS due to the DMARC rules (DMARC_PASS) and d/t/data/spam contains messages that are marked as REJECT, QUARANTINE, MISSING or NONE. The specific test on spamassassin for DMARC (t/dmarc.t) was also run successfully (without the implicit net tests on this file):   $ make test TEST_FILES="t/dmarc.t"   "/usr/bin/perl" build/mkrules --exit_on_no_src --src rulesrc --out rules --manifest MANIFEST --manifestskip MANIFEST.SKIP   mkrules: no rules updated   "/usr/bin/perl" build/preprocessor -Mvars -DVERSION="4.000000" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DLOCAL_STATE_DIR="/var/lib/spamassassin" -DINSTALLSITELIB="/usr/local/share/perl/5.36.0" -DCONTACT_ADDRESS="the administrator of that system" -DRE2C_BIN="re2c" -Msharpbang -Mconditional -DPERL_BIN=""/usr/bin/perl"" -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-update.raw -osa-update   cp sa-update blib/script/sa-update   "/usr/bin/perl" -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/sa-update   PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/dmarc.t   t/dmarc.t .. Nov 3 12:36:16.977 [8195] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 1/18 Nov 3 12:36:18.906 [8197] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 3/18 Nov 3 12:36:21.247 [8199] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 
5/18 Nov 3 12:36:23.737 [8201] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 7/18 Nov 3 12:36:26.153 [8203] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 9/18 Nov 3 12:36:29.117 [8205] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 11/18 Nov 3 12:36:32.796 [8207] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 13/18 Nov 3 12:36:35.338 [8209] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 15/18 Nov 3 12:36:37.374 [8211] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. ok   All tests successful.   
Files=1, Tests=18, 31 wallclock secs ( 0.02 usr 0.00 sys + 12.18 cusr 0.88 csys = 13.08 CPU)   Result: PASS [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu and does not have too many, long-term & critical, open bugs:    - Ubuntu (0) https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug    - Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmail-dmarc-perl    - Upstream's bug tracker (4) https://github.com/msimerson/mail-dmarc/issues      + Upstream's repo last activity: https://github.com/msimerson/mail-dmarc/issues        - last commit: in master, Oct 25, 2023        - Issues without answer: 2        - Updated issue/PR: Oct 25, 2023        - last fixed/closed/merged issue: Oct 25, 2023        - last merged PR: Oct 25, 2023 The package has one important/old open bugs on upstream: Invalid XML in generated reports, https://github.com/msimerson/mail-dmarc/issues/190 The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a test suite on build time, if it fails it makes the build fail: https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz : Creating new 'Build' script for 'Mail-DMARC' version '1.20230215'    dh_auto_build  /usr/bin/perl Build Building Mail-DMARC    dh_auto_test  /usr/bin/perl Build test --verbose 1 The package doesn't run an autopkgtest. [Quality assurance - packaging] debian/watch is present and works. 
debian/control defines a correct Maintainer field : Noah Meyerhans <noahm@debian.org> ( https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/control#n2) This package does not yield massive lintian Warnings, Errors   - recent build log of the package https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz   - full output from `lintian --pedantic` :     #source     ❯ lintian -EvIL +pedantic --show-overrides       E: libmail-dmarc-perl changes: bad-distribution-in-changes-file noble       W: libmail-dmarc-perl: changelog-distribution-does-not-match-changes-file unstable != noble [usr/share/doc/libmail-dmarc-perl/changelog.Debian.gz:1]       W: libmail-dmarc-perl changes: distribution-and-changes-mismatch noble unstable       I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Report::Receive.3pm.gz:162]       I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Result.3pm.gz:184]       P: libmail-dmarc-perl: repeated-path-segment share [usr/share/perl5/auto/share/]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_lookup]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_receive]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_send_reports]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_update_public_suffix_list]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_view_reports]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_lookup]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_receive]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_send_reports]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_update_public_suffix_list]       
X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_view_reports]     #binary     ❯ lintian -EvIL +pedantic --show-overrides ../libmail-dmarc-perl_1.20230215-1.dsc       I: libmail-dmarc-perl source: out-of-date-standards-version 4.6.0 (released 2021-08-18) (current is 4.6.2)       X: libmail-dmarc-perl source: debian-watch-does-not-check-openpgp-signature [debian/watch]       X: libmail-dmarc-perl source: libmodule-build-perl-needs-to-be-in-build-depends       X: libmail-dmarc-perl source: update-debian-copyright 2022 vs 2023 [debian/copyright:11] This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies. The package will not be installed by default. Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/rules [UI standards] Application is not end-user facing (does not need translation). [Dependencies] As exposed at the beginning, this package needed initially +-44 MIR bugs (depending on the processing of the Recommends ones). 
This is the original dependency tree, only listing on first occurrence:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392      + libmoose-perl: universe (Recommends)        • libclass-load-perl: universe        • libclass-load-xs-perl: universe        • libdevel-globaldestruction-perl: universe        • libdevel-overloadinfo-perl: universe   
     • libeval-closure-perl: universe          ◦ libdevel-lexalias-perl: universe (Recommends)            · libdevel-caller-perl: universe               ·· libpadwalker-perl: universe        • libmodule-runtime-conflicts-perl: universe          ◦ libdist-checkconflicts-perl: universe        • libpackage-deprecationmanager-perl: universe          ◦ libscalar-list-utils-perl: universe        • libdevel-partialdump-perl: universe (Recommends)          ◦ libclass-tiny-perl: universe  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe But, given how spamassassin works (explained above), I believe we can split these dependencies into dependencies used by the reporting feature and dependencies used by the validation feature. This way, the dependencies used in validation remain as needed runtime binary dependencies, and the dependencies used in reporting go to suggested runtime dependencies. 
Therefore, only 11 packages would need to go through the MIR process to satisfy libmail-dmarc-perl dependencies:   * libemail-mime-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880     - libemail-messageid-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956     - libemail-mime-contenttype-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962       + libtext-unidecode-perl: universe          MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109     - libemail-mime-encodings-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487     - libemail-simple-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491   * libfile-sharedir-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566     + libclass-inspector-perl: universe       MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569   * libnet-idn-encode-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929   * libnet-ip-perl: universe     https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456   * libregexp-common-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 a package following this scheme was built and it is available for testing on mantic here: ppa:mirespace/libmail-dmarc-perl-suggested https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested and the debdiff (for noble now) is here: https://pastebin.ubuntu.com/p/2kW5HwSsCq/ . Note that, in this package, there is a suppression of a perl library (on main) that I suspect is not needed, as the package builds well and tests passed also. 
I opened this question to upstream (https://github.com/msimerson/mail-dmarc/issues/215). Also, there is this MP (https://code.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/+git/libmail-dmarc-perl/+merge/456713) opened for tracking changes to the package. For the moment, apart from the split, we have: - refactor for not using libemail-mime-perl (done) - adding autopkgtest for validating the splitting (wip) This package passes all the tests explained in the [Quality assurance - function/usage] section. [Standards compliance] This package correctly follows FHS and Debian Policy [Maintenance/Owner] Owning Team will be the Ubuntu Server Team, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). Team is not yet, but will subscribe to the package before promotion. This does not use static builds. This does not use vendored code. This package is not rust based. The package successfully built during the most recent test rebuild : https://launchpad.net/ubuntu/+archive/test-rebuild-20230830-mantic/+build/26600016/+files/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz [Background information] The Package description explains the package well. Upstream Name is Mail-DMARC . Link to upstream project https://metacpan.org/release/Mail-DMARC About SSLeay (https://github.com/msimerson/mail-dmarc/issues/215) and for the moment I keep the library on the dependencies, but libhttp-tiny-perl is not in use by the debian package because that is provided by perl package itself, so I'm wondering about it yet. This has been in the archive since this year (Lunar, 1.20211209-1).
2023-12-05 15:18:17 Miriam España Acebal libmail-dmarc-perl (Ubuntu): assignee Miriam España Acebal (mirespace)
2023-12-05 15:53:22 Lukas Märdian libmail-dmarc-perl (Ubuntu): assignee Ioanna Alifieraki (joalif)
2023-12-12 17:21:44 Miriam España Acebal bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058492
2024-02-01 12:03:07 Miriam España Acebal description [MIR] libmail-dmarc-perl Package: libmail-dmarc-perl Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see [Dependencies] section for detailed dependencies tree) . However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binaries dependencies to be promoted too. Those packages are the following ones (11), which I propose for promotion instead of the complete dependencies tree: * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * 
libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 The rest would be moved to Suggested dependencies. [Availability] The package libmail-dmarc-perl is already in Ubuntu universe. The package libmail-dmarc-perl builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64 (all) Link to package https://launchpad.net/ubuntu/+source/libmail-dmarc-perl [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") [0] is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. 
SpamAssassin is the primary user of this package ❯ apt-cache rdepends libmail-dmarc-perl libmail-dmarc-perl Reverse Depends:   spamassassin and requires it in order to perform this DMARC evaluation: Spamassassin dmarc plugin [1] only uses the MAIL::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. This means that SpamAssassin uses only the DMARC validation feature by default, and the DMARC reporting feature optionally. libmail-dmarc-perl is a relatively new source package that was proposed for lunar [4] but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. [0] (https://dmarc.org/) [1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm) [2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242) [3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322) [4] (https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023606) [Security] No CVEs/security issues in this software in the past:   - (0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmail-dmarc-perl   - (0) https://ubuntu.com/security/cves?q=&package=libmail-dmarc-perl   - (0) https://security-tracker.debian.org/tracker/source-package/libmail-dmarc-perl Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). No `suid` or `sgid` binaries. No executables in `/sbin` and `/usr/sbin`. Package does not install services, timers or recurring jobs, but contains an example of a cron job for updating the public_suffix_list (https://publicsuffix.org/). Package does not open privileged ports (ports < 1024). 
Package does not expose any external endpoints. Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...): It is the basis for the DMARC plugin of spamassassin, implementing the DMARC policy validation (and reporting). Upstream's source code includes the build of a web server (dmarc_httpd) and an HTTP client (dmarc_http_client), but these binaries are not installed in the debian package (they are suppressed on build time for autoinstallation). [Quality assurance - function/usage] The package works well right after installed with its required installation dependencies. Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox Processing of emails by spamassassin using its DMARC plugin that uses libmail-dmarc-perl validation function was tested also grabbing an email (i.e, from gmail) and doing:   $ spamc -R < message-mattermost-hey.eml | grep DMARC   -0.0 DMARC_PASS DMARC pass policy also, non pass results with an already classified as spam mail (by gmail, cleaning the header):    0.9 DMARC_NONE DMARC none policy or introducing typos to malform domains/header:    0.0 DMARC_MISSING Missing DMARC policy For rejection examples, we use the data from spamassassin's test, and we can see: root@Mspamassasin-suggested:~# l spam_mails/ nodmarc.eml noneko.eml quarko.eml rejectko.eml strictrejectko.eml root@Mspamassasin-suggested:~# spamc -R < spam_mails/rejectko.eml | grep DMARC  1.8 DMARC_REJECT DMARC reject policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/strictrejectko.eml | grep DMARC  1.8 DMARC_REJECT DMARC reject policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/quarko.eml | grep DMARC  1.2 DMARC_QUAR DMARC quarantine policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/nodmarc.eml | grep DMARC  0.0 
DMARC_MISSING Missing DMARC policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/noneko.eml | grep DMARC  0.9 DMARC_NONE DMARC none policy I'm working on an autopkgtest that covers this: The code is uploaded but not working yet. For manual testing, you can get the eml messages from this commit: https://git.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/commit/?id=feb85cd6f97508c98bdeb732fe25f876f33790d4 where d/t/data/nice contains messages that qualify as PASS due to the DMARC rules (DMARC_PASS) and d/t/data/spam contains messages that are marked as REJECT, QUARANTINE, MISSING or NONE. The specific test on spamassassin for DMARC (t/dmarc.t) was also run successfully (without the implicit net tests on this file):   $ make test TEST_FILES="t/dmarc.t"   "/usr/bin/perl" build/mkrules --exit_on_no_src --src rulesrc --out rules --manifest MANIFEST --manifestskip MANIFEST.SKIP   mkrules: no rules updated   "/usr/bin/perl" build/preprocessor -Mvars -DVERSION="4.000000" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DLOCAL_STATE_DIR="/var/lib/spamassassin" -DINSTALLSITELIB="/usr/local/share/perl/5.36.0" -DCONTACT_ADDRESS="the administrator of that system" -DRE2C_BIN="re2c" -Msharpbang -Mconditional -DPERL_BIN=""/usr/bin/perl"" -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-update.raw -osa-update   cp sa-update blib/script/sa-update   "/usr/bin/perl" -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/sa-update   PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/dmarc.t   t/dmarc.t .. Nov 3 12:36:16.977 [8195] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 1/18 Nov 3 12:36:18.906 [8197] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602. 
  t/dmarc.t .. 3/18 Nov 3 12:36:21.247 [8199] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 5/18 Nov 3 12:36:23.737 [8201] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 7/18 Nov 3 12:36:26.153 [8203] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 9/18 Nov 3 12:36:29.117 [8205] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 11/18 Nov 3 12:36:32.796 [8207] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 13/18 Nov 3 12:36:35.338 [8209] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 15/18 Nov 3 12:36:37.374 [8211] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. ok   All tests successful.   
Files=1, Tests=18, 31 wallclock secs ( 0.02 usr 0.00 sys + 12.18 cusr 0.88 csys = 13.08 CPU)   Result: PASS [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu and does not have too many, long-term & critical, open bugs:    - Ubuntu (0) https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug    - Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmail-dmarc-perl    - Upstream's bug tracker (4) https://github.com/msimerson/mail-dmarc/issues      + Upstream's repo last activity: https://github.com/msimerson/mail-dmarc/issues        - last commit: in master, Oct 25, 2023        - Issues without answer: 2        - Updated issue/PR: Oct 25, 2023        - last fixed/closed/merged issue: Oct 25, 2023        - last merged PR: Oct 25, 2023 The package has one important/old open bug upstream: Invalid XML in generated reports, https://github.com/msimerson/mail-dmarc/issues/190 The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a test suite at build time; if it fails, it makes the build fail: https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz : Creating new 'Build' script for 'Mail-DMARC' version '1.20230215'    dh_auto_build  /usr/bin/perl Build Building Mail-DMARC    dh_auto_test  /usr/bin/perl Build test --verbose 1 The package doesn't run an autopkgtest. [Quality assurance - packaging] debian/watch is present and works. 
debian/control defines a correct Maintainer field : Noah Meyerhans <noahm@debian.org> ( https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/control#n2) This package does not yield massive lintian Warnings, Errors   - recent build log of the package https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz   - full output from `lintian --pedantic` :     #source     ❯ lintian -EvIL +pedantic --show-overrides       E: libmail-dmarc-perl changes: bad-distribution-in-changes-file noble       W: libmail-dmarc-perl: changelog-distribution-does-not-match-changes-file unstable != noble [usr/share/doc/libmail-dmarc-perl/changelog.Debian.gz:1]       W: libmail-dmarc-perl changes: distribution-and-changes-mismatch noble unstable       I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Report::Receive.3pm.gz:162]       I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Result.3pm.gz:184]       P: libmail-dmarc-perl: repeated-path-segment share [usr/share/perl5/auto/share/]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_lookup]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_receive]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_send_reports]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_update_public_suffix_list]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_view_reports]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_lookup]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_receive]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_send_reports]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_update_public_suffix_list]       
X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_view_reports]     #binary     ❯ lintian -EvIL +pedantic --show-overrides ../libmail-dmarc-perl_1.20230215-1.dsc       I: libmail-dmarc-perl source: out-of-date-standards-version 4.6.0 (released 2021-08-18) (current is 4.6.2)       X: libmail-dmarc-perl source: debian-watch-does-not-check-openpgp-signature [debian/watch]       X: libmail-dmarc-perl source: libmodule-build-perl-needs-to-be-in-build-depends       X: libmail-dmarc-perl source: update-debian-copyright 2022 vs 2023 [debian/copyright:11] This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies. The package will not be installed by default. Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/rules [UI standards] Application is not end-user facing (does not need translation). [Dependencies] As exposed at the beginning, this package needed initially +-44 MIR bugs (depending on the processing of the Recommends ones). 
This is the original dependency tree, only listing on first occurrence:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392      + libmoose-perl: universe (Recommends)        • libclass-load-perl: universe        • libclass-load-xs-perl: universe        • libdevel-globaldestruction-perl: universe        • libdevel-overloadinfo-perl: universe   
     • libeval-closure-perl: universe          ◦ libdevel-lexalias-perl: universe (Recommends)            · libdevel-caller-perl: universe               ·· libpadwalker-perl: universe        • libmodule-runtime-conflicts-perl: universe          ◦ libdist-checkconflicts-perl: universe        • libpackage-deprecationmanager-perl: universe          ◦ libscalar-list-utils-perl: universe        • libdevel-partialdump-perl: universe (Recommends)          ◦ libclass-tiny-perl: universe  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe But, attending on how spamassassin works -explained above-, I believe we can split these dependencies in dependencies used by the reporting feature and dependencies used by validation feature. Walking this way, the dependencies used in validation remains as needed runtime binary dependencies, and the dependencies used in reporting goes to suggested runtime dependencies. 
Therefore, only 11 packages would need to go through the MIR process to satisfy libmail-dmarc-perl dependencies:   * libemail-mime-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880     - libemail-messageid-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956     - libemail-mime-contenttype-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962       + libtext-unidecode-perl: universe          MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109     - libemail-mime-encodings-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487     - libemail-simple-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491   * libfile-sharedir-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566     + libclass-inspector-perl: universe       MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569   * libnet-idn-encode-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929   * libnet-ip-perl: universe     https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456   * libregexp-common-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 a package following this scheme was built and it is available for testing on mantic here: ppa:mirespace/libmail-dmarc-perl-suggested https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested and the debdiff (for noble now) is here: https://pastebin.ubuntu.com/p/2kW5HwSsCq/ . Note that, in this package, there is a suppression of a perl library (on main) that I suspect is not needed, as the package builds well and tests passed also. 
I opened this question to upstream (https://github.com/msimerson/mail-dmarc/issues/215). Also, there is this MP (https://code.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/+git/libmail-dmarc-perl/+merge/456713) opened for tracking changes to the package. For the moment, apart from the split, we have: - refactor for not using libemail-mime-perl (done) - adding autopkgtest for validating the splitting (wip) This package passes all the tests explained in the [Quality assurance - function/usage] section. [Standards compliance] This package correctly follows FHS and Debian Policy [Maintenance/Owner] Owning Team will be the Ubuntu Server Team, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). Team is not yet, but will subscribe to the package before promotion. This does not use static builds. This does not use vendored code. This package is not rust based. The package successfully built during the most recent test rebuild : https://launchpad.net/ubuntu/+archive/test-rebuild-20230830-mantic/+build/26600016/+files/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz [Background information] The Package description explains the package well. Upstream Name is Mail-DMARC . Link to upstream project https://metacpan.org/release/Mail-DMARC About SSLeay (https://github.com/msimerson/mail-dmarc/issues/215) and for the moment I keep the library on the dependencies, but libhttp-tiny-perl is not in use by the debian package because that is provided by perl package itself, so I'm wondering about it yet. This has been in the archive since this year (Lunar, 1.20211209-1). 
[MIR] libmail-dmarc-perl Package: libmail-dmarc-perl ----- Dependency status update (Feb 01, 2024): On Feb 1, the packages that need to be promoted to main and their status are: * libmail-dmarc-perl (this bug): bug 2023971, New, Ioanna assigned: pending review, package to be tested at [1] with all the changes required in the other MIR bugs, and the dependency splitting. * libemail-simple-perl: bug 2031491, New, assigned security team : conditional ACK from security team by George-Andrei Iosif (iosifache) -> maintenance by Server Team if we lack upstream support -> ask for demotion (in the future) if another, more suitable package can be used as an alternative * libfile-sharedir-perl: bug 2039566 , In progress, unassigned -> ACK by slyon, all TODOS done. - libclass-inspector-perl: bug 2039569 , Fix committed, unassigned -> ACK by Didier, All todos done * libnet-ip-perl: bug 2039456 , In progress, unassigned -> ACK by Ioanna, All todos done * libregexp-common-perl: bug 2039563 , Fix committed, unassigned-> ACK by Didier, All todos done [1] https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested/+sourcepub/15684761/+listing-archive-extra ----- Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see [Dependencies] section for detailed dependencies tree) . However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binary dependencies to be promoted too. 
Those packages are the following ones (11), which I propose for promotion instead of the complete dependencies tree: * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 The rest would be moved to Suggested dependencies. [Availability] The package libmail-dmarc-perl is already in Ubuntu universe. The package libmail-dmarc-perl builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64 (all) Link to package https://launchpad.net/ubuntu/+source/libmail-dmarc-perl [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. 
Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") [0] is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package ❯ apt-cache rdepends libmail-dmarc-perl libmail-dmarc-perl Reverse Depends:   spamassassin and requires it in order to perform this DMARC evaluation: Spamassassin dmarc plugin [1] only uses the MAIL::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. It means that Spamassasin only uses by default the DMARC's validation feature, and optionally the DMARC's Reporting feature. libmail-dmarc-perl is a relatively new source package that was proposed for lunar [4] but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. 
[0] (https://dmarc.org/) [1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm) [2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242) [3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322) [4] (https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023606) [Security] No CVEs/security issues in this software in the past:   - (0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmail-dmarc-perl   - (0) https://ubuntu.com/security/cves?q=&package=libmail-dmarc-perl   - (0) https://security-tracker.debian.org/tracker/source-package/libmail-dmarc-perl Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). No `suid` or `sgid` binaries. No executables in `/sbin` and `/usr/sbin`. Package does not install services, timers or recurring jobs, but contains an example of a cron job for updating the public_suffix_list (https://publicsuffix.org/). Package does not open privileged ports (ports < 1024). Package does not expose any external endpoints. Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...): It is the basis for the DMARC plugin of spamassassin, implementing the DMARC policy validation (and reporting). Upstream's source code includes the build of a web server (dmarc_httpd) and an HTTP client (dmarc_http_client), but these binaries are not installed in the debian package (they are suppressed on build time for autoinstallation). [Quality assurance - function/usage] The package works well right after installed with its required installation dependencies. 
Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox Processing of emails by spamassassin using its DMARC plugin that uses libmail-dmarc-perl validation function was tested also grabbing an email (i.e, from gmail) and doing:   $ spamc -R < message-mattermost-hey.eml | grep DMARC   -0.0 DMARC_PASS DMARC pass policy also, non pass results with an already classified as spam mail (by gmail, cleaning the header):    0.9 DMARC_NONE DMARC none policy or introducing typos to malform domains/header:    0.0 DMARC_MISSING Missing DMARC policy For rejection examples, we use the data from spamassassin's test, and we can see: root@Mspamassasin-suggested:~# l spam_mails/ nodmarc.eml noneko.eml quarko.eml rejectko.eml strictrejectko.eml root@Mspamassasin-suggested:~# spamc -R < spam_mails/rejectko.eml | grep DMARC  1.8 DMARC_REJECT DMARC reject policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/strictrejectko.eml | grep DMARC  1.8 DMARC_REJECT DMARC reject policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/quarko.eml | grep DMARC  1.2 DMARC_QUAR DMARC quarantine policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/nodmarc.eml | grep DMARC  0.0 DMARC_MISSING Missing DMARC policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/noneko.eml | grep DMARC  0.9 DMARC_NONE DMARC none policy I'm working on an autopkgtest that covers this: The code is uploaded but not working yet. For manual testing, you can get the eml messages from this commit: https://git.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/commit/?id=feb85cd6f97508c98bdeb732fe25f876f33790d4 where d/t/data/nice contains messages that qualify as PASS due to the DMARC rules (DMARC_PASS) and d/t/data/spam contains messages that are marked as REJECT, QUARANTINE, MISSING or NONE. 
The specific test on spamassassin for DMARC (t/dmarc.t) was also run successfully (without the implicit net tests on this file):   $ make test TEST_FILES="t/dmarc.t"   "/usr/bin/perl" build/mkrules --exit_on_no_src --src rulesrc --out rules --manifest MANIFEST --manifestskip MANIFEST.SKIP   mkrules: no rules updated   "/usr/bin/perl" build/preprocessor -Mvars -DVERSION="4.000000" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DLOCAL_STATE_DIR="/var/lib/spamassassin" -DINSTALLSITELIB="/usr/local/share/perl/5.36.0" -DCONTACT_ADDRESS="the administrator of that system" -DRE2C_BIN="re2c" -Msharpbang -Mconditional -DPERL_BIN=""/usr/bin/perl"" -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-update.raw -osa-update   cp sa-update blib/script/sa-update   "/usr/bin/perl" -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/sa-update   PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/dmarc.t   t/dmarc.t .. Nov 3 12:36:16.977 [8195] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 1/18 Nov 3 12:36:18.906 [8197] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 3/18 Nov 3 12:36:21.247 [8199] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 5/18 Nov 3 12:36:23.737 [8201] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 7/18 Nov 3 12:36:26.153 [8203] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 
9/18 Nov 3 12:36:29.117 [8205] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 11/18 Nov 3 12:36:32.796 [8207] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 13/18 Nov 3 12:36:35.338 [8209] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 15/18 Nov 3 12:36:37.374 [8211] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. ok   All tests successful.   Files=1, Tests=18, 31 wallclock secs ( 0.02 usr 0.00 sys + 12.18 cusr 0.88 csys = 13.08 CPU)   Result: PASS [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu and does not have too many, long-term & critical, open bugs:    - Ubuntu (0) https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug    - Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmail-dmarc-perl    - Upstream's bug tracker (4) https://github.com/msimerson/mail-dmarc/issues      + Upstream's repo last activity: https://github.com/msimerson/mail-dmarc/issues        - last commit: in master, Oct 25, 2023        - Issues without answer: 2        - Updated issue/PR: Oct 25, 2023        - last fixed/closed/merged issue: Oct 25, 2023        - last merged PR: Oct 25, 2023 The package has one important/old open bug upstream: Invalid XML in generated reports, https://github.com/msimerson/mail-dmarc/issues/190 The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a test suite at build time; if it fails, it makes the build fail: https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz : Creating new 'Build' script for 'Mail-DMARC' version '1.20230215'    dh_auto_build 
 /usr/bin/perl Build Building Mail-DMARC    dh_auto_test  /usr/bin/perl Build test --verbose 1 The package doesn't run an autopkgtest. [Quality assurance - packaging] debian/watch is present and works. debian/control defines a correct Maintainer field : Noah Meyerhans <noahm@debian.org> ( https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/control#n2) This package does not yield massive lintian Warnings, Errors   - recent build log of the package https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz   - full output from `lintian --pedantic` :     #source     ❯ lintian -EvIL +pedantic --show-overrides       E: libmail-dmarc-perl changes: bad-distribution-in-changes-file noble       W: libmail-dmarc-perl: changelog-distribution-does-not-match-changes-file unstable != noble [usr/share/doc/libmail-dmarc-perl/changelog.Debian.gz:1]       W: libmail-dmarc-perl changes: distribution-and-changes-mismatch noble unstable       I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Report::Receive.3pm.gz:162]       I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Result.3pm.gz:184]       P: libmail-dmarc-perl: repeated-path-segment share [usr/share/perl5/auto/share/]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_lookup]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_receive]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_send_reports]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_update_public_suffix_list]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_view_reports]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_lookup]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_receive]       
X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_send_reports]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_update_public_suffix_list]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_view_reports]     #binary     ❯ lintian -EvIL +pedantic --show-overrides ../libmail-dmarc-perl_1.20230215-1.dsc       I: libmail-dmarc-perl source: out-of-date-standards-version 4.6.0 (released 2021-08-18) (current is 4.6.2)       X: libmail-dmarc-perl source: debian-watch-does-not-check-openpgp-signature [debian/watch]       X: libmail-dmarc-perl source: libmodule-build-perl-needs-to-be-in-build-depends       X: libmail-dmarc-perl source: update-debian-copyright 2022 vs 2023 [debian/copyright:11] This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies. The package will not be installed by default. Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/rules [UI standards] Application is not end-user facing (does not need translation). [Dependencies] As exposed at the beginning, this package needed initially +-44 MIR bugs (depending on the processing of the Recommends ones). 
This is the original dependency tree, only listing on first occurrence:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392      + libmoose-perl: universe (Recommends)        • libclass-load-perl: universe        • libclass-load-xs-perl: universe        • libdevel-globaldestruction-perl: universe        • libdevel-overloadinfo-perl: universe   
     • libeval-closure-perl: universe          ◦ libdevel-lexalias-perl: universe (Recommends)            · libdevel-caller-perl: universe               ·· libpadwalker-perl: universe        • libmodule-runtime-conflicts-perl: universe          ◦ libdist-checkconflicts-perl: universe        • libpackage-deprecationmanager-perl: universe          ◦ libscalar-list-utils-perl: universe        • libdevel-partialdump-perl: universe (Recommends)          ◦ libclass-tiny-perl: universe  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe But, attending on how spamassassin works -explained above-, I believe we can split these dependencies in dependencies used by the reporting feature and dependencies used by validation feature. Walking this way, the dependencies used in validation remains as needed runtime binary dependencies, and the dependencies used in reporting goes to suggested runtime dependencies. 
Therefore, only 11 packages would need to go through the MIR process to satisfy libmail-dmarc-perl dependencies:   * libemail-mime-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880     - libemail-messageid-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956     - libemail-mime-contenttype-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962       + libtext-unidecode-perl: universe          MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109     - libemail-mime-encodings-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487     - libemail-simple-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491   * libfile-sharedir-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566     + libclass-inspector-perl: universe       MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569   * libnet-idn-encode-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929   * libnet-ip-perl: universe     https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456   * libregexp-common-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 a package following this scheme was built and it is available for testing on mantic here: ppa:mirespace/libmail-dmarc-perl-suggested https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested and the debdiff (for noble now) is here: https://pastebin.ubuntu.com/p/2kW5HwSsCq/ . Note that, in this package, there is a suppression of a perl library (on main) that I suspect is not needed, as the package builds well and tests passed also. 
I opened this question to upstream (https://github.com/msimerson/mail-dmarc/issues/215). Also, there is this MP (https://code.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/+git/libmail-dmarc-perl/+merge/456713) opened for tracking changes to the package. For the moment, apart from the split, we have: - refactor for not using libemail-mime-perl (done) - adding autopkgtest for validating the splitting (wip) This package passes all the tests explained in the [Quality assurance - function/usage] section. [Standards compliance] This package correctly follows FHS and Debian Policy [Maintenance/Owner] Owning Team will be the Ubuntu Server Team, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). Team is not yet, but will subscribe to the package before promotion. This does not use static builds. This does not use vendored code. This package is not rust based. The package successfully built during the most recent test rebuild : https://launchpad.net/ubuntu/+archive/test-rebuild-20230830-mantic/+build/26600016/+files/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz [Background information] The Package description explains the package well. Upstream Name is Mail-DMARC . Link to upstream project https://metacpan.org/release/Mail-DMARC About SSLeay (https://github.com/msimerson/mail-dmarc/issues/215) and for the moment I keep the library on the dependencies, but libhttp-tiny-perl is not in use by the debian package because that is provided by perl package itself, so I'm wondering about it yet. This has been in the archive since this year (Lunar, 1.20211209-1).
2024-02-01 12:11:53 Miriam España Acebal description

[MIR] libmail-dmarc-perl

Package: libmail-dmarc-perl

-----
Dependency status update (Feb 01, 2024):

On Feb 1, the needed packages to be promoted to main and their status is:

* libmail-dmarc-perl (this bug): bug 2023971, New, Ioanna assigned: pending review, package to be tested at [1] with all the changes required in the other MIR bugs, and the dependency splitting.
* libemail-simple-perl: bug 2031491, New, assigned security team: conditional ACK from security team by George-Andrei Iosif (iosifache)
  -> maintenance by Server Team if we lack upstream support
  -> ask for demotion (in the future) if another, more suitable package can be used as an alternative
* libfile-sharedir-perl: bug 2039566, In progress, unassigned -> ACK by slyon, all TODOS done.
  - libclass-inspector-perl: bug 2039569, Fix committed, unassigned -> ACK by Didier, All todos done
* libnet-ip-perl: bug 2039456, In progress, unassigned -> ACK by Ioanna, All todos done
* libregexp-common-perl: bug 2039563, Fix committed, unassigned -> ACK by Didier, All todos done

[1] https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested/+sourcepub/15684761/+listing-archive-extra
-----

Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main.

According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see [Dependencies] section for detailed dependencies tree). However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binaries dependencies to be promoted too.
Those packages are the following ones (11), which I propose for promotion instead of the complete dependencies tree:

 * libemail-mime-perl: universe
   MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880
   - libemail-messageid-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956
   - libemail-mime-contenttype-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962
     + libtext-unidecode-perl: universe
       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109
   - libemail-mime-encodings-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487
   - libemail-simple-perl: universe
     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491
 * libfile-sharedir-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566
   + libclass-inspector-perl: universe
     MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569
 * libnet-idn-encode-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929
 * libnet-ip-perl: universe
   https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456
 * libregexp-common-perl: universe
   MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563

The rest would be moved to Suggested dependencies.

[Availability]
The package libmail-dmarc-perl is already in Ubuntu universe.
The package libmail-dmarc-perl builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 (all)
Link to package https://launchpad.net/ubuntu/+source/libmail-dmarc-perl

[Rationale]
tldr; DMARC support in SpamAssassin is important for stronger spam filtering.
Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker.

DMARC (or "Domain-based Message Authentication, Reporting & Conformance") [0] is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check.

libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package

  ❯ apt-cache rdepends libmail-dmarc-perl
  libmail-dmarc-perl
  Reverse Depends:
    spamassassin

and requires it in order to perform this DMARC evaluation: Spamassassin dmarc plugin [1] only uses the Mail::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. It means that Spamassassin only uses by default the DMARC's validation feature, and optionally the DMARC's Reporting feature.

libmail-dmarc-perl is a relatively new source package that was proposed for lunar [4] but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13.

[0] (https://dmarc.org/)
[1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm)
[2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242)
[3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322)
[4] (https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023606)

[Security]
No CVEs/security issues in this software in the past:
  - (0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmail-dmarc-perl
  - (0) https://ubuntu.com/security/cves?q=&package=libmail-dmarc-perl
  - (0) https://security-tracker.debian.org/tracker/source-package/libmail-dmarc-perl
Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620).
No `suid` or `sgid` binaries.
No executables in `/sbin` and `/usr/sbin`.
Package does not install services, timers or recurring jobs, but contains an example of a cron job for updating the public_suffix_list (https://publicsuffix.org/).
Package does not open privileged ports (ports < 1024).
Package does not expose any external endpoints.
Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...): It is the basis for the DMARC plugin of spamassassin, implementing the DMARC policy validation (and reporting).
Upstream's source code includes the build of a web server (dmarc_httpd) and an HTTP client (dmarc_http_client), but these binaries are not installed in the debian package (they are suppressed on build time for autoinstallation).

[Quality assurance - function/usage]
The package works well right after installed with its required installation dependencies.
Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:

  $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox

Processing of emails by spamassassin using its DMARC plugin, which uses the libmail-dmarc-perl validation function, was also tested by grabbing an email (i.e., from gmail) and doing:

  $ spamc -R < message-mattermost-hey.eml | grep DMARC
  -0.0 DMARC_PASS DMARC pass policy

also, non-pass results with a mail already classified as spam (by gmail, cleaning the header):

   0.9 DMARC_NONE DMARC none policy

or introducing typos to malform domains/header:

   0.0 DMARC_MISSING Missing DMARC policy

For rejection examples, we use the data from spamassassin's test, and we can see:

root@Mspamassasin-suggested:~# l spam_mails/
nodmarc.eml noneko.eml quarko.eml rejectko.eml strictrejectko.eml
root@Mspamassasin-suggested:~# spamc -R < spam_mails/rejectko.eml | grep DMARC
 1.8 DMARC_REJECT DMARC reject policy
root@Mspamassasin-suggested:~# spamc -R < spam_mails/strictrejectko.eml | grep DMARC
 1.8 DMARC_REJECT DMARC reject policy
root@Mspamassasin-suggested:~# spamc -R < spam_mails/quarko.eml | grep DMARC
 1.2 DMARC_QUAR DMARC quarantine policy
root@Mspamassasin-suggested:~# spamc -R < spam_mails/nodmarc.eml | grep DMARC
 0.0 DMARC_MISSING Missing DMARC policy
root@Mspamassasin-suggested:~# spamc -R < spam_mails/noneko.eml | grep DMARC
 0.9 DMARC_NONE DMARC none policy

I'm working on an autopkgtest that covers this: The code is uploaded but not working yet. For manual testing, you can get the eml messages from this commit: https://git.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/commit/?id=feb85cd6f97508c98bdeb732fe25f876f33790d4 where d/t/data/nice contains messages that qualify as PASS due to the DMARC rules (DMARC_PASS) and d/t/data/spam contains messages that are marked as REJECT, QUARANTINE, MISSING or NONE.

The specific test on spamassassin for DMARC (t/dmarc.t) was also run successfully (without the implicit net tests on this file):   $ make test TEST_FILES="t/dmarc.t"   "/usr/bin/perl" build/mkrules --exit_on_no_src --src rulesrc --out rules --manifest MANIFEST --manifestskip MANIFEST.SKIP   mkrules: no rules updated   "/usr/bin/perl" build/preprocessor -Mvars -DVERSION="4.000000" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DLOCAL_STATE_DIR="/var/lib/spamassassin" -DINSTALLSITELIB="/usr/local/share/perl/5.36.0" -DCONTACT_ADDRESS="the administrator of that system" -DRE2C_BIN="re2c" -Msharpbang -Mconditional -DPERL_BIN=""/usr/bin/perl"" -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-update.raw -osa-update   cp sa-update blib/script/sa-update   "/usr/bin/perl" -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/sa-update   PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/dmarc.t   t/dmarc.t .. Nov 3 12:36:16.977 [8195] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 1/18 Nov 3 12:36:18.906 [8197] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 3/18 Nov 3 12:36:21.247 [8199] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 5/18 Nov 3 12:36:23.737 [8201] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 7/18 Nov 3 12:36:26.153 [8203] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 
9/18 Nov 3 12:36:29.117 [8205] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 11/18 Nov 3 12:36:32.796 [8207] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 13/18 Nov 3 12:36:35.338 [8209] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 15/18 Nov 3 12:36:37.374 [8211] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. ok   All tests successful.   Files=1, Tests=18, 31 wallclock secs ( 0.02 usr 0.00 sys + 12.18 cusr 0.88 csys = 13.08 CPU)   Result: PASS [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu and does not have too many, long-term & critical, open bugs:    - Ubuntu (0) https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug    - Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmail-dmarc-perl    - Upstream's bug tracker (4) https://github.com/msimerson/mail-dmarc/issues      + Upstream's repo last activity: https://github.com/msimerson/mail-dmarc/issues        - last commit: in master, Oct 25, 2023        - Issues without answer: 2        - Updated issue/PR: Oct 25, 2023        - last fixed/closed/merged issue: Oct 25, 2023        - last merged PR: Oct 25, 2023 The package has one important/old open bugs on upstream: Invalid XML in generated reports, https://github.com/msimerson/mail-dmarc/issues/190 The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a test suite on build time, if it fails it makes the build fail: https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz : Creating new 'Build' script for 'Mail-DMARC' version '1.20230215'    dh_auto_build 
 /usr/bin/perl Build Building Mail-DMARC    dh_auto_test  /usr/bin/perl Build test --verbose 1 The package doesn't run an autopkgtest. [Quality assurance - packaging] debian/watch is present and works. debian/control defines a correct Maintainer field : Noah Meyerhans <noahm@debian.org> ( https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/control#n2) This package does not yield massive lintian Warnings, Errors   - recent build log of the package https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz   - full output from `lintian --pedantic` :     #source     ❯ lintian -EvIL +pedantic --show-overrides       E: libmail-dmarc-perl changes: bad-distribution-in-changes-file noble       W: libmail-dmarc-perl: changelog-distribution-does-not-match-changes-file unstable != noble [usr/share/doc/libmail-dmarc-perl/changelog.Debian.gz:1]       W: libmail-dmarc-perl changes: distribution-and-changes-mismatch noble unstable       I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Report::Receive.3pm.gz:162]       I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Result.3pm.gz:184]       P: libmail-dmarc-perl: repeated-path-segment share [usr/share/perl5/auto/share/]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_lookup]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_receive]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_send_reports]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_update_public_suffix_list]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_view_reports]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_lookup]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_receive]       
X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_send_reports]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_update_public_suffix_list]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_view_reports]     #binary     ❯ lintian -EvIL +pedantic --show-overrides ../libmail-dmarc-perl_1.20230215-1.dsc       I: libmail-dmarc-perl source: out-of-date-standards-version 4.6.0 (released 2021-08-18) (current is 4.6.2)       X: libmail-dmarc-perl source: debian-watch-does-not-check-openpgp-signature [debian/watch]       X: libmail-dmarc-perl source: libmodule-build-perl-needs-to-be-in-build-depends       X: libmail-dmarc-perl source: update-debian-copyright 2022 vs 2023 [debian/copyright:11] This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies. The package will not be installed by default. Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/rules [UI standards] Application is not end-user facing (does not need translation). [Dependencies] As exposed at the beginning, this package needed initially +-44 MIR bugs (depending on the processing of the Recommends ones). 
This is the original dependency tree, only listing on first occurrence:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392      + libmoose-perl: universe (Recommends)        • libclass-load-perl: universe        • libclass-load-xs-perl: universe        • libdevel-globaldestruction-perl: universe        • libdevel-overloadinfo-perl: universe   
     • libeval-closure-perl: universe          ◦ libdevel-lexalias-perl: universe (Recommends)            · libdevel-caller-perl: universe               ·· libpadwalker-perl: universe        • libmodule-runtime-conflicts-perl: universe          ◦ libdist-checkconflicts-perl: universe        • libpackage-deprecationmanager-perl: universe          ◦ libscalar-list-utils-perl: universe        • libdevel-partialdump-perl: universe (Recommends)          ◦ libclass-tiny-perl: universe  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe But, attending on how spamassassin works -explained above-, I believe we can split these dependencies in dependencies used by the reporting feature and dependencies used by validation feature. Walking this way, the dependencies used in validation remains as needed runtime binary dependencies, and the dependencies used in reporting goes to suggested runtime dependencies. 
Therefore, only 11 packages would need to go through the MIR process to satisfy libmail-dmarc-perl dependencies:   * libemail-mime-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880     - libemail-messageid-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956     - libemail-mime-contenttype-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962       + libtext-unidecode-perl: universe          MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109     - libemail-mime-encodings-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487     - libemail-simple-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491   * libfile-sharedir-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566     + libclass-inspector-perl: universe       MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569   * libnet-idn-encode-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929   * libnet-ip-perl: universe     https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456   * libregexp-common-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 a package following this scheme was built and it is available for testing on mantic here: ppa:mirespace/libmail-dmarc-perl-suggested https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested and the debdiff (for noble now) is here: https://pastebin.ubuntu.com/p/2kW5HwSsCq/ . Note that, in this package, there is a suppression of a perl library (on main) that I suspect is not needed, as the package builds well and tests passed also. 
I opened this question to upstream (https://github.com/msimerson/mail-dmarc/issues/215). Also, there is this MP (https://code.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/+git/libmail-dmarc-perl/+merge/456713) opened for tracking changes to the package. For the moment, apart from the split, we have: - refactor for not using libemail-mime-perl (done) - adding autopkgtest for validating the splitting (wip) This package passes all the tests explained in the [Quality assurance - function/usage] section. [Standards compliance] This package correctly follows FHS and Debian Policy [Maintenance/Owner] Owning Team will be the Ubuntu Server Team, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). Team is not yet, but will subscribe to the package before promotion. This does not use static builds. This does not use vendored code. This package is not rust based. The package successfully built during the most recent test rebuild : https://launchpad.net/ubuntu/+archive/test-rebuild-20230830-mantic/+build/26600016/+files/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz [Background information] The Package description explains the package well. Upstream Name is Mail-DMARC . Link to upstream project https://metacpan.org/release/Mail-DMARC About SSLeay (https://github.com/msimerson/mail-dmarc/issues/215) and for the moment I keep the library on the dependencies, but libhttp-tiny-perl is not in use by the debian package because that is provided by perl package itself, so I'm wondering about it yet. This has been in the archive since this year (Lunar, 1.20211209-1). 
[MIR] libmail-dmarc-perl Package: libmail-dmarc-perl ----- Dependency status update (Feb 01, 2024): On Feb 1, the six needed packages to be promoted to main and their bug status are: * libmail-dmarc-perl (this bug): bug 2023971, New, Ioanna assigned: pending review, package to be tested at [1] with all the changes required in the other MIR bugs, and the dependency splitting. * libemail-simple-perl: bug 2031491, New, assigned security team: conditional ACK from security team by George-Andrei Iosif (iosifache) -> maintenance by Server Team if we lack upstream support -> ask for demotion (in the future) if another, more suitable package can be used as an alternative * libfile-sharedir-perl: bug 2039566, In progress, unassigned -> ACK by slyon, all TODOS done. * libclass-inspector-perl: bug 2039569, Fix committed, unassigned -> ACK by Didier, All todos done * libnet-ip-perl: bug 2039456, In progress, unassigned -> ACK by Ioanna, All todos done * libregexp-common-perl: bug 2039563, Fix committed, unassigned -> ACK by Didier, All todos done [1] https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested/+sourcepub/15684761/+listing-archive-extra ----- Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see [Dependencies] section for detailed dependencies tree). However, libmail-dmarc-perl is only used by the spamassassin package, and spamassassin only uses the validation feature of DMARC, so we can narrow the necessary binary dependencies to be promoted too. 
Those packages are the following ones (11), which I propose for promotion instead of the complete dependencies tree: * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 The rest would be moved to Suggested dependencies. [Availability] The package libmail-dmarc-perl is already in Ubuntu universe. The package libmail-dmarc-perl builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64 (all) Link to package https://launchpad.net/ubuntu/+source/libmail-dmarc-perl [Rationale] tldr; DMARC support in SpamAssassin is important for stronger spam filtering. 
Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker. DMARC (or "Domain-based Message Authentication, Reporting & Conformance") [0] is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check. libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package ❯ apt-cache rdepends libmail-dmarc-perl libmail-dmarc-perl Reverse Depends:   spamassassin and requires it in order to perform this DMARC evaluation: SpamAssassin dmarc plugin [1] only uses the Mail::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. It means that SpamAssassin only uses by default the DMARC's validation feature, and optionally the DMARC's Reporting feature. libmail-dmarc-perl is a relatively new source package that was proposed for lunar [4] but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13. 
[0] (https://dmarc.org/) [1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm) [2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242) [3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322) [4] (https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023606) [Security] No CVEs/security issues in this software in the past:   - (0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmail-dmarc-perl   - (0) https://ubuntu.com/security/cves?q=&package=libmail-dmarc-perl   - (0) https://security-tracker.debian.org/tracker/source-package/libmail-dmarc-perl Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620). No `suid` or `sgid` binaries. No executables in `/sbin` and `/usr/sbin`. Package does not install services, timers or recurring jobs, but contains an example of a cron job for updating the public_suffix_list (https://publicsuffix.org/). Package does not open privileged ports (ports < 1024). Package does not expose any external endpoints. Package contains extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...): It is the basis for the DMARC plugin of spamassassin, implementing the DMARC policy validation (and reporting). Upstream's source code includes the build of a web server (dmarc_httpd) and an HTTP client (dmarc_http_client), but these binaries are not installed in the debian package (they are suppressed on build time for autoinstallation). [Quality assurance - function/usage] The package works well right after installed with its required installation dependencies. 
Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:   $ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox Processing of emails by spamassassin using its DMARC plugin that uses libmail-dmarc-perl validation function was also tested by grabbing an email (i.e., from gmail) and doing:   $ spamc -R < message-mattermost-hey.eml | grep DMARC   -0.0 DMARC_PASS DMARC pass policy also, non pass results with an already classified as spam mail (by gmail, cleaning the header):    0.9 DMARC_NONE DMARC none policy or introducing typos to malform domains/header:    0.0 DMARC_MISSING Missing DMARC policy For rejection examples, we use the data from spamassassin's test, and we can see: root@Mspamassasin-suggested:~# l spam_mails/ nodmarc.eml noneko.eml quarko.eml rejectko.eml strictrejectko.eml root@Mspamassasin-suggested:~# spamc -R < spam_mails/rejectko.eml | grep DMARC  1.8 DMARC_REJECT DMARC reject policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/strictrejectko.eml | grep DMARC  1.8 DMARC_REJECT DMARC reject policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/quarko.eml | grep DMARC  1.2 DMARC_QUAR DMARC quarantine policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/nodmarc.eml | grep DMARC  0.0 DMARC_MISSING Missing DMARC policy root@Mspamassasin-suggested:~# spamc -R < spam_mails/noneko.eml | grep DMARC  0.9 DMARC_NONE DMARC none policy I'm working on an autopkgtest that covers this: The code is uploaded but not working yet. For manual testing, you can get the eml messages from this commit: https://git.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/commit/?id=feb85cd6f97508c98bdeb732fe25f876f33790d4 where d/t/data/nice contains messages that qualify as PASS due to the DMARC rules (DMARC_PASS) and d/t/data/spam contains messages that are marked as REJECT, QUARANTINE, MISSING or NONE. 
The specific test on spamassassin for DMARC (t/dmarc.t) was also run successfully (without the implicit net tests on this file):   $ make test TEST_FILES="t/dmarc.t"   "/usr/bin/perl" build/mkrules --exit_on_no_src --src rulesrc --out rules --manifest MANIFEST --manifestskip MANIFEST.SKIP   mkrules: no rules updated   "/usr/bin/perl" build/preprocessor -Mvars -DVERSION="4.000000" -DPREFIX="/usr/local" -DDEF_RULES_DIR="/usr/local/share/spamassassin" -DLOCAL_RULES_DIR="/etc/mail/spamassassin" -DLOCAL_STATE_DIR="/var/lib/spamassassin" -DINSTALLSITELIB="/usr/local/share/perl/5.36.0" -DCONTACT_ADDRESS="the administrator of that system" -DRE2C_BIN="re2c" -Msharpbang -Mconditional -DPERL_BIN=""/usr/bin/perl"" -DPERL_WARN="" -DPERL_TAINT="" -m755 -isa-update.raw -osa-update   cp sa-update blib/script/sa-update   "/usr/bin/perl" -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/sa-update   PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/dmarc.t   t/dmarc.t .. Nov 3 12:36:16.977 [8195] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 1/18 Nov 3 12:36:18.906 [8197] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 3/18 Nov 3 12:36:21.247 [8199] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 5/18 Nov 3 12:36:23.737 [8201] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 7/18 Nov 3 12:36:26.153 [8203] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 
9/18 Nov 3 12:36:29.117 [8205] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 11/18 Nov 3 12:36:32.796 [8207] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 13/18 Nov 3 12:36:35.338 [8209] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. 15/18 Nov 3 12:36:37.374 [8211] warn: deprecated method; size() is an alias of "UDPsize()" at ../blib/lib/Mail/SpamAssassin/DnsResolver.pm line 602.   t/dmarc.t .. ok   All tests successful.   Files=1, Tests=18, 31 wallclock secs ( 0.02 usr 0.00 sys + 12.18 cusr 0.88 csys = 13.08 CPU)   Result: PASS [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu and does not have too many, long-term & critical, open bugs:    - Ubuntu (0) https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug    - Debian (0) https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmail-dmarc-perl    - Upstream's bug tracker (4) https://github.com/msimerson/mail-dmarc/issues      + Upstream's repo last activity: https://github.com/msimerson/mail-dmarc/issues        - last commit: in master, Oct 25, 2023        - Issues without answer: 2        - Updated issue/PR: Oct 25, 2023        - last fixed/closed/merged issue: Oct 25, 2023        - last merged PR: Oct 25, 2023 The package has one important/old open bugs on upstream: Invalid XML in generated reports, https://github.com/msimerson/mail-dmarc/issues/190 The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a test suite on build time, if it fails it makes the build fail: https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz : Creating new 'Build' script for 'Mail-DMARC' version '1.20230215'    dh_auto_build 
 /usr/bin/perl Build Building Mail-DMARC    dh_auto_test  /usr/bin/perl Build test --verbose 1 The package doesn't run an autopkgtest. [Quality assurance - packaging] debian/watch is present and works. debian/control defines a correct Maintainer field : Noah Meyerhans <noahm@debian.org> ( https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/control#n2) This package does not yield massive lintian Warnings, Errors   - recent build log of the package https://launchpadlibrarian.net/677780063/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz   - full output from `lintian --pedantic` :     #source     ❯ lintian -EvIL +pedantic --show-overrides       E: libmail-dmarc-perl changes: bad-distribution-in-changes-file noble       W: libmail-dmarc-perl: changelog-distribution-does-not-match-changes-file unstable != noble [usr/share/doc/libmail-dmarc-perl/changelog.Debian.gz:1]       W: libmail-dmarc-perl changes: distribution-and-changes-mismatch noble unstable       I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Report::Receive.3pm.gz:162]       I: libmail-dmarc-perl: typo-in-manual-page messsage message [usr/share/man/man3/Mail::DMARC::Result.3pm.gz:184]       P: libmail-dmarc-perl: repeated-path-segment share [usr/share/perl5/auto/share/]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_lookup]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_receive]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_send_reports]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_update_public_suffix_list]       X: libmail-dmarc-perl: application-in-library-section perl [usr/bin/dmarc_view_reports]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_lookup]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_receive]       
X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_send_reports]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_update_public_suffix_list]       X: libmail-dmarc-perl: library-package-name-for-application [usr/bin/dmarc_view_reports]     #binary     ❯ lintian -EvIL +pedantic --show-overrides ../libmail-dmarc-perl_1.20230215-1.dsc       I: libmail-dmarc-perl source: out-of-date-standards-version 4.6.0 (released 2021-08-18) (current is 4.6.2)       X: libmail-dmarc-perl source: debian-watch-does-not-check-openpgp-signature [debian/watch]       X: libmail-dmarc-perl source: libmodule-build-perl-needs-to-be-in-build-depends       X: libmail-dmarc-perl source: update-debian-copyright 2022 vs 2023 [debian/copyright:11] This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies. The package will not be installed by default. Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/debian/rules [UI standards] Application is not end-user facing (does not need translation). [Dependencies] As exposed at the beginning, this package needed initially +-44 MIR bugs (depending on the processing of the Recommends ones). 
This is the original dependency tree, only listing on first occurrence:  * libdbd-sqlite3-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbd-sqlite3-perl/+bug/2029379  * libdbix-simple-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libdbix-simple-perl/+bug/2030731  * libemail-mime-perl: universe    MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880    - libemail-messageid-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956    - libemail-mime-contenttype-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962      + libtext-unidecode-perl: universe         MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109    - libemail-mime-encodings-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487    - libemail-simple-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491  * libemail-sender-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-sender-perl/+bug/2037389    - libemail-abstract-perl: universe      MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-abstract-perl/+bug/2037405      + libmodule-pluggable-perl: universe      + libmro-compat-perl: universe        • libclass-c3-perl: universe          ◦ libalgorithm-c3-perl: universe        • libclass-c3-xs-perl: universe (Recommends)    - libmoox-types-mooselike-perl: universe    - libscalar-list-utils-perl: universe    - libthrowable-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libthrowable-perl/+bug/2037392      + libmoose-perl: universe (Recommends)        • libclass-load-perl: universe        • libclass-load-xs-perl: universe        • libdevel-globaldestruction-perl: universe        • libdevel-overloadinfo-perl: universe   
     • libeval-closure-perl: universe          ◦ libdevel-lexalias-perl: universe (Recommends)            · libdevel-caller-perl: universe               ·· libpadwalker-perl: universe        • libmodule-runtime-conflicts-perl: universe          ◦ libdist-checkconflicts-perl: universe        • libpackage-deprecationmanager-perl: universe          ◦ libscalar-list-utils-perl: universe        • libdevel-partialdump-perl: universe (Recommends)          ◦ libclass-tiny-perl: universe  * libfile-sharedir-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566    + libclass-inspector-perl: universe      MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569  * libnet-idn-encode-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929  * libnet-imap-simple-perl: universe (Recommends)    - libparse-recdescent-perl: universe (Recommends)  * libnet-ip-perl: universe    https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456  * libnet-smtps-perl: universe  * libregexp-common-perl: universe    MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563  * libtest-file-sharedir-perl: universe    - libfile-copy-recursive-perl: universe    - libfile-sharedir-perl: universe      + libclass-inspector-perl: universe    - libscope-guard-perl: universe  * libtest-output-perl: universe But, attending on how spamassassin works -explained above-, I believe we can split these dependencies in dependencies used by the reporting feature and dependencies used by validation feature. Walking this way, the dependencies used in validation remains as needed runtime binary dependencies, and the dependencies used in reporting goes to suggested runtime dependencies. 
Therefore, only 11 packages would need to go through the MIR process to satisfy libmail-dmarc-perl dependencies:   * libemail-mime-perl: universe     MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880     - libemail-messageid-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956     - libemail-mime-contenttype-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962       + libtext-unidecode-perl: universe          MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109     - libemail-mime-encodings-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487     - libemail-simple-perl: universe       MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491   * libfile-sharedir-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566     + libclass-inspector-perl: universe       MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569   * libnet-idn-encode-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929   * libnet-ip-perl: universe     https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456   * libregexp-common-perl: universe     MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563 a package following this scheme was built and it is available for testing on mantic here: ppa:mirespace/libmail-dmarc-perl-suggested https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dmarc-perl-suggested and the debdiff (for noble now) is here: https://pastebin.ubuntu.com/p/2kW5HwSsCq/ . Note that, in this package, there is a suppression of a perl library (on main) that I suspect is not needed, as the package builds well and tests passed also. 
I opened this question to upstream (https://github.com/msimerson/mail-dmarc/issues/215). Also, there is this MP (https://code.launchpad.net/~mirespace/ubuntu/+source/libmail-dmarc-perl/+git/libmail-dmarc-perl/+merge/456713) opened for tracking changes to the package. For the moment, apart from the split, we have: - refactor for not using libemail-mime-perl (done) - adding autopkgtest for validating the splitting (wip) This package passes all the tests explained in the [Quality assurance - function/usage] section. [Standards compliance] This package correctly follows FHS and Debian Policy [Maintenance/Owner] Owning Team will be the Ubuntu Server Team, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past). Team is not yet, but will subscribe to the package before promotion. This does not use static builds. This does not use vendored code. This package is not rust based. The package successfully built during the most recent test rebuild : https://launchpad.net/ubuntu/+archive/test-rebuild-20230830-mantic/+build/26600016/+files/buildlog_ubuntu-mantic-amd64.libmail-dmarc-perl_1.20230215-1_BUILDING.txt.gz [Background information] The Package description explains the package well. Upstream Name is Mail-DMARC . Link to upstream project https://metacpan.org/release/Mail-DMARC About SSLeay (https://github.com/msimerson/mail-dmarc/issues/215) and for the moment I keep the library on the dependencies, but libhttp-tiny-perl is not in use by the debian package because that is provided by perl package itself, so I'm wondering about it yet. This has been in the archive since this year (Lunar, 1.20211209-1).
2024-02-13 21:08:25 Ioanna Alifieraki bug watch added https://github.com/msimerson/mail-dmarc/issues/190
2024-02-13 21:09:56 Ioanna Alifieraki libmail-dmarc-perl (Ubuntu): status New Incomplete
2024-02-13 21:10:00 Ioanna Alifieraki libmail-dmarc-perl (Ubuntu): assignee Ioanna Alifieraki (joalif)
2024-02-20 15:35:59 Christian Ehrhardt  libmail-dmarc-perl (Ubuntu): assignee Miriam España Acebal (mirespace)
2024-02-21 13:57:12 Miriam España Acebal libmail-dmarc-perl (Ubuntu): assignee Miriam España Acebal (mirespace)
2024-02-22 16:20:31 Ioanna Alifieraki libmail-dmarc-perl (Ubuntu): assignee Ubuntu Security Team (ubuntu-security)
2024-02-22 22:45:17 Mark Esler tags mantic mantic sec-3890
2024-03-21 08:15:41 Miha Purg bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960062
2024-03-21 08:15:41 Miha Purg bug watch added https://github.com/msimerson/mail-dmarc/issues/216
2024-03-26 20:48:10 Miha Purg bug added subscriber Miha Purg
2024-03-28 15:55:39 Miha Purg bug watch added https://github.com/msimerson/mail-dmarc/issues/121
2024-03-28 15:55:39 Miha Purg bug watch added https://github.com/rjbs/Email-MIME/issues/66
2024-03-28 15:55:39 Miha Purg bug watch added https://github.com/msimerson/mail-dmarc/issues/234
2024-03-28 15:55:39 Miha Purg bug watch added https://github.com/msimerson/mail-dmarc/issues/231
2024-03-28 15:55:39 Miha Purg bug watch added https://github.com/msimerson/mail-dmarc/issues/233
2024-03-28 15:56:10 Miha Purg libmail-dmarc-perl (Ubuntu): status Incomplete In Progress
2024-03-28 15:56:14 Miha Purg libmail-dmarc-perl (Ubuntu): assignee Ubuntu Security Team (ubuntu-security)
2024-04-09 15:03:15 Lukas Märdian libmail-dmarc-perl (Ubuntu): status In Progress Incomplete
2024-04-17 07:44:42 Christian Ehrhardt  libmail-dmarc-perl (Ubuntu): status Incomplete Fix Committed
2024-04-17 08:36:19 Christian Ehrhardt  libmail-dmarc-perl (Ubuntu): status Fix Committed Fix Released