[Summary]
MIR Team Ack to this small, useful and well maintained library.

This does not need a security review, so I'll mark it "In Progress". Once the changes pulling this in are made please set it to "Fix Committed" and get an Archive Admin involved to resolve the promotion.

List of specific binary packages to be promoted to main:
- bin:libmanette-0.2-0
- src:libmanette

Will also auto-promote (unless we opt-out):
- bin:gir1.2-manette-0.2
- bin:libmanette-0.2-dev

Required TODOs:
- decide and let us know if -dev pulling in gir1.2-manette-0.2 is ok for you.
- please fix d/watch

Recommended TODOs:
- make dh_missing failing, as it enforces attention if anything gets missing by accident

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this

Problems:
The -dev package will be auto-promoted as well, which isn't a big issue as all external dependencies are in main already. But it would also pull in gir1.2-manette-0.2. You mentioned you didn't intend to promote that, please decide if
a) you explicitly do not want to promote gir1.2-manette-0.2, then create a rule in the seeds to prevent the auto-inclusion of the -dev package
b) you are ok with gir1.2-manette-0.2 being promoted as well, then no further action is needed

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

Problems:
- does parse data formats - one could argue that it parses data sent from the game controllers. But TBH that alone isn't enough to make this require a security review (and I don't see anything else).
  The raw low level parsing is done by lower libs mostly anyway, and one needs local access to make use of it. Also general quality seems good and no known (past) related CVEs exist. IMHO this can be completed without an additional security review.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- does have a test suite that runs as autopkgtest (slightly superficial but ok)
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- is not on the lto-disabled list

Problems:
- d/watch is present but currently dysfunctional - since you might miss updates, fixing that should be done before promotion.
- dh_missing is non-fatal, that could be helpful to be switched

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks