[Summary] MIR team Ack, a very small and clean python lib. But this one has a few todos we need to resolve before/after promotion: TODO ASAP: - For 20.04 we really should consider going ahead to the much newer 1.5.2 => https://github.com/maxmind/MaxMind-DB-Reader-python/releases @andreas will you take a look at this, just as you did with the other related package that was slightly outdated? - ask Josh to subscribe server-team to this pkg as well TODO long-term: - I'd wonder if we can get a security review (on all of these) in the long run but not gating the MIR for now - details below? - Debian updates a bit slowly, we might need to do the monitoring and updating on this one - @Andreas is that ok for you to do that along e.g. bind9 merges? [Duplication] While python3-geoip2 was for the API this package python-maxminddb is a python interface for reading the MaxMind DB. I don't see a package in main doing that already. No duplication issue. [Dependencies] OK: - no other Dependencies to MIR due to this - no -dev/-debug/-doc packages that need exclusion - doc depends only on libjs-sphinxdoc which is in main already [Embedded sources and static linking] OK: - no embedded source present - no static linking [Security] OK: - history of CVEs does not look concerning - does not run a daemon as root - does not use webkit1,2 - does not use lib*v8 directly - does not open a port - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does parse data formats There are two ways it can operate. It can either do the processing in its python code or has a C extension - but that extension only is a shim to pass to the libmaxminddb0 code. That way - as with the other packages in this context it does fairly minimal things and has despite its age no CVE history at all. I have revisited the parsing in all the packages int his MIR, I still think it is fairly minimal and does not need a "gating security review". But on the long run - once the 20.04 dust settles - it might be good to have one eventually. @Andreas could you after resolving this ask security if they could do an informal security review on the packages in this MIR? [Common blockers] OK: - does not FTBFS currently - does have a test suite that runs at build time - test suite fails will fail the build upon error. seem good enough for this package - The package has a team bug subscriber - no translation present, but none needed for this case (user visible)? - not a python package, no extra constraints to consider int hat regard - no new python2 dependency - Python package that is using dh_python Problem: - does not have a test suite that runs as autopkgtest, but the build time tests (171) seem enough for this Packages content [Packaging red flags] OK: - Ubuntu does not carry a delta - Ubuntu does carry a delta, but it is reasonable and maintenance under control - symbols tracking not applicable for this kind of code. - d/watch is present and looks ok - Upstream update history is good - Debian/Ubuntu update history is not too bad but is slightly outdated we might need to work on it along bind9 merges - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - d/rules is rather clean - Does not have Built-Using Problem: - the current release is not packaged There is a 1.5.2 which outdates our 1.4.1 by 1.5years. This should be updates before we ship it in an LTS. [Upstream red flags] OK: - no Errors/warnings during the build - no incautious use of malloc/sprintf (mostly python) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH - no use of user nobody - no use of setuid - no important open bugs (crashers, etc) in Debian or Ubuntu - no dependency on webkit, qtwebkit, seed or libgoa-* - no embedded source copies - not part of the UI for extra checks Assigning to Andreas for the version update (which will also need an FFe bug along)