Activity log for bug #1915009

Date Who What changed Old value New value Message
2021-02-08 12:08:58 Matthias Klose bug added bug
2021-02-08 12:09:05 Matthias Klose libmd (Ubuntu): importance Undecided High
2021-02-08 12:09:15 Matthias Klose bug task added libbsd (Ubuntu)
2021-02-08 12:09:23 Matthias Klose libbsd (Ubuntu): importance Undecided High
2021-02-08 12:09:32 Matthias Klose tags hirsute hirsute rls-hh-incoming
2021-02-08 12:09:50 Matthias Klose bug added subscriber MIR approval team
2021-02-08 16:32:06 Matthieu Clemenceau tags hirsute rls-hh-incoming fr-1117 hirsute rls-hh-incoming
2021-02-08 16:34:55 Matthieu Clemenceau tags fr-1117 hirsute rls-hh-incoming fr-1117 hirsute
2021-02-09 15:42:13 Christian Ehrhardt bug task deleted libbsd (Ubuntu)
2021-02-09 16:09:40 Tiago Stürmer Daitx description
Old value:
[MIR] libmd (dependency of libbsd)
New value:
[Summary]
TODO: WRITE - The essence of the review result from the MIR POV
TODO: This does need a security review, so I'll assign ubuntu-security
TODO: List of specific binary packages to be promoted to main: <TODO>
Notes:
TODO: - add todos, issues or special cases to discuss
Required TODOs:
TODO - TBD
Recommended TODOs:
TODO - TBD
[Duplication]
TODO: There is no other package in main providing the same functionality.
[Dependencies]
OK:
TODO - no other Dependencies to MIR due to this
TODO (use tools: check-mir, seeded-in-ubuntu, reverse-depends)
TODO - no -dev/-debug/-doc packages that need exclusion
TODO: Problems:
[Embedded sources and static linking]
OK:
TODO: - no embedded source present
TODO: - no static linking
TODO: Problems:
[Security]
OK:
TODO: - history of CVEs does not look concerning
TODO: - does not run a daemon as root
TODO: - does not use webkit1,2
TODO: - does not use lib*v8 directly
TODO: - does not parse data formats
TODO: - does not open a port
TODO: - does not process arbitrary web content
TODO: - does not use centralized online accounts
TODO: - does not integrate arbitrary javascript into the desktop
TODO: - does not deal with system authentication (eg, pam), etc)
TODO: Problems:
[Common blockers]
OK:
TODO: - does not FTBFS currently
TODO: - does have a test suite that runs at build time
TODO: - test suite failures will fail the build upon error.
TODO: - does have a test suite that runs as autopkgtest
TODO: - The package has a team bug subscriber
TODO: - no translation present, but none needed for this case (user visible)?
TODO: - not a python/go package, no extra constraints to consider in that regard
TODO: - no new python2 dependency
TODO: - Python package that is using dh_python
TODO: - Go package that uses dh-golang
TODO: Problems:
[Packaging red flags]
OK:
TODO: - Ubuntu does not carry a delta
TODO: - Ubuntu does carry a delta, but it is reasonable and maintenance under control
TODO: - symbols tracking is in place
TODO: - symbols tracking not applicable for this kind of code.
TODO: - d/watch is present and looks ok
TODO: - Upstream update history is (good/slow/sporadic)
TODO: - Debian/Ubuntu update history is (good/slow/sporadic)
TODO: - the current release is packaged
TODO: - promoting this does not seem to cause issues for MOTUs that so far
TODO: maintained the package
TODO: - no massive Lintian warnings
TODO: - d/rules is rather clean
TODO: - Does not have Built-Using
TODO: - Go Package that follows the Debian Go packaging guidelines
TODO: (see https://go-team.pages.debian.net/packaging.html)
TODO: Problems:
[Upstream red flags]
OK:
TODO: - no Errors/warnings during the build
TODO: - no incautious use of malloc/sprintf (as far as I can check it)
TODO: - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
TODO: - no use of user nobody
TODO: - no use of setuid
TODO: - no important open bugs (crashers, etc) in Debian or Ubuntu
TODO: - no dependency on webkit, qtwebkit, seed or libgoa-*
TODO: - not part of the UI for extra checks
TODO: Problems:
2021-02-09 17:08:06 Tiago Stürmer Daitx description
Old value:
[Summary]
TODO: WRITE - The essence of the review result from the MIR POV
TODO: This does need a security review, so I'll assign ubuntu-security
TODO: List of specific binary packages to be promoted to main: <TODO>
Notes:
TODO: - add todos, issues or special cases to discuss
Required TODOs:
TODO - TBD
Recommended TODOs:
TODO - TBD
[Duplication]
TODO: There is no other package in main providing the same functionality.
[Dependencies]
OK:
TODO - no other Dependencies to MIR due to this
TODO (use tools: check-mir, seeded-in-ubuntu, reverse-depends)
TODO - no -dev/-debug/-doc packages that need exclusion
TODO: Problems:
[Embedded sources and static linking]
OK:
TODO: - no embedded source present
TODO: - no static linking
TODO: Problems:
[Security]
OK:
TODO: - history of CVEs does not look concerning
TODO: - does not run a daemon as root
TODO: - does not use webkit1,2
TODO: - does not use lib*v8 directly
TODO: - does not parse data formats
TODO: - does not open a port
TODO: - does not process arbitrary web content
TODO: - does not use centralized online accounts
TODO: - does not integrate arbitrary javascript into the desktop
TODO: - does not deal with system authentication (eg, pam), etc)
TODO: Problems:
[Common blockers]
OK:
TODO: - does not FTBFS currently
TODO: - does have a test suite that runs at build time
TODO: - test suite failures will fail the build upon error.
TODO: - does have a test suite that runs as autopkgtest
TODO: - The package has a team bug subscriber
TODO: - no translation present, but none needed for this case (user visible)?
TODO: - not a python/go package, no extra constraints to consider in that regard
TODO: - no new python2 dependency
TODO: - Python package that is using dh_python
TODO: - Go package that uses dh-golang
TODO: Problems:
[Packaging red flags]
OK:
TODO: - Ubuntu does not carry a delta
TODO: - Ubuntu does carry a delta, but it is reasonable and maintenance under control
TODO: - symbols tracking is in place
TODO: - symbols tracking not applicable for this kind of code.
TODO: - d/watch is present and looks ok
TODO: - Upstream update history is (good/slow/sporadic)
TODO: - Debian/Ubuntu update history is (good/slow/sporadic)
TODO: - the current release is packaged
TODO: - promoting this does not seem to cause issues for MOTUs that so far
TODO: maintained the package
TODO: - no massive Lintian warnings
TODO: - d/rules is rather clean
TODO: - Does not have Built-Using
TODO: - Go Package that follows the Debian Go packaging guidelines
TODO: (see https://go-team.pages.debian.net/packaging.html)
TODO: Problems:
[Upstream red flags]
OK:
TODO: - no Errors/warnings during the build
TODO: - no incautious use of malloc/sprintf (as far as I can check it)
TODO: - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
TODO: - no use of user nobody
TODO: - no use of setuid
TODO: - no important open bugs (crashers, etc) in Debian or Ubuntu
TODO: - no dependency on webkit, qtwebkit, seed or libgoa-*
TODO: - not part of the UI for extra checks
TODO: Problems:
New value:
[Availability]
libmd has been on Universe since Xenial and builds on all supported archs. Hirsute currently has 1.0.3-3.
[Rationale]
libbsd has a new dependency on libmd since 0.11.1-1 (0.10 or earlier didn't)
- libbsd0 depends on libmd0
- libbsd build-depends on libmd-dev
[Security]
- found no CVEs related to libmd on Mitre, Openwall, and Ubuntu CVE tracker (main, universe, and tracker).
- no suid binaries on libmd0
- package provides no service files
- package does not require network (no open ports)
[Quality assurance]
- libmd0 1.0.3-3 depends only on libc6 (ie. no weird deps)
- libmd 1.0.3-3 build depends only on debhelper-compat
- no bug has ever been logged for libmd in both launchpad[1] and debian[2]
- homepage lists no upstream bug tracker [3]
- upstream maintainer is Guillem Jover
- package ships with a testsuite
- testsuite does not need network nor weird hardware
- testsuite is run during build
- has autopkgtests [4]
- autopkgtest fails on i386 (not a blocker)
- autopkgtest succeeded on amd64, ppc64el, s390x
- package has a debian/watch file
- 'lintian --pedantic' indicates no packaging issues
[Dependencies]
- libmd0 1.0.3-3 depends: libc6
- libmd 1.0.3-3 build-depends: debhelper-compat
[Standards compliance]
Package meets Debian Policy 4.5.1 (latest as of 2021-02-09). Package meets FHS.
[Maintenance]
Package is small and well maintained in Debian by its upstream main developer (Guillem Jover).
[Background information]
Package description is correct and succinct:
'The libmd library provides various message digest ("hash") functions, as found on various BSDs on a library with the same name and with a compatible API.'
[References]
[1] https://bugs.launchpad.net/ubuntu/+source/libmd/+bugs?search=Search&field.status%3Alist=NEW&field.status%3Alist=OPINION&field.status%3Alist=INVALID&field.status%3Alist=WONTFIX&field.status%3Alist=EXPIRED&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=FIXRELEASED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&assignee_option=any&field.tags_combinator=ANY&field.status_upstream-empty-marker=1
[2] https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;src=libmd
[3] https://www.hadrons.org/software/libmd/
[4] https://autopkgtest.ubuntu.com/packages/libmd
2021-02-09 17:10:47 Tiago Stürmer Daitx description
Old value:
[Availability]
libmd has been on Universe since Xenial and builds on all supported archs. Hirsute currently has 1.0.3-3.
[Rationale]
libbsd has a new dependency on libmd since 0.11.1-1 (0.10 or earlier didn't)
- libbsd0 depends on libmd0
- libbsd build-depends on libmd-dev
[Security]
- found no CVEs related to libmd on Mitre, Openwall, and Ubuntu CVE tracker (main, universe, and tracker).
- no suid binaries on libmd0
- package provides no service files
- package does not require network (no open ports)
[Quality assurance]
- libmd0 1.0.3-3 depends only on libc6 (ie. no weird deps)
- libmd 1.0.3-3 build depends only on debhelper-compat
- no bug has ever been logged for libmd in both launchpad[1] and debian[2]
- homepage lists no upstream bug tracker [3]
- upstream maintainer is Guillem Jover
- package ships with a testsuite
- testsuite does not need network nor weird hardware
- testsuite is run during build
- has autopkgtests [4]
- autopkgtest fails on i386 (not a blocker)
- autopkgtest succeeded on amd64, ppc64el, s390x
- package has a debian/watch file
- 'lintian --pedantic' indicates no packaging issues
[Dependencies]
- libmd0 1.0.3-3 depends: libc6
- libmd 1.0.3-3 build-depends: debhelper-compat
[Standards compliance]
Package meets Debian Policy 4.5.1 (latest as of 2021-02-09). Package meets FHS.
[Maintenance]
Package is small and well maintained in Debian by its upstream main developer (Guillem Jover).
[Background information]
Package description is correct and succinct:
'The libmd library provides various message digest ("hash") functions, as found on various BSDs on a library with the same name and with a compatible API.'
[References]
[1] https://bugs.launchpad.net/ubuntu/+source/libmd/+bugs?search=Search&field.status%3Alist=NEW&field.status%3Alist=OPINION&field.status%3Alist=INVALID&field.status%3Alist=WONTFIX&field.status%3Alist=EXPIRED&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=FIXRELEASED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&assignee_option=any&field.tags_combinator=ANY&field.status_upstream-empty-marker=1
[2] https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;src=libmd
[3] https://www.hadrons.org/software/libmd/
[4] https://autopkgtest.ubuntu.com/packages/libmd
New value:
[Availability]
libmd has been on Universe since Xenial and builds on all supported archs. Hirsute currently has 1.0.3-3.
[Rationale]
libbsd has a new dependency on libmd since 0.11.1-1 (0.10 or earlier didn't)
- libbsd0 depends on libmd0
- libbsd build-depends on libmd-dev
[Security]
- found no CVEs related to libmd on Mitre, Openwall, and Ubuntu CVE tracker (main, universe, and tracker).
- no suid binaries on libmd0
- package provides no service files
- package does not require network (no open ports)
[Quality assurance]
- libmd0 1.0.3-3 depends only on libc6 (ie. no weird deps)
- libmd 1.0.3-3 build depends only on debhelper-compat
- no bug has ever been logged for libmd in both launchpad[1] and debian[2]
- homepage lists no upstream bug tracker [3]
- upstream maintainer is Guillem Jover
- package ships with a testsuite
- testsuite does not need network nor weird hardware
- testsuite is run during build
- has autopkgtests [4]
- autopkgtest fails on i386 (not a blocker)
- autopkgtest succeeded on amd64, ppc64el, s390x
- package has a debian/watch file
- 'lintian --pedantic' indicates no packaging issues
[Dependencies]
- libmd0 1.0.3-3 depends: libc6
- libmd 1.0.3-3 build-depends: debhelper-compat
[Standards compliance]
Package meets Debian Policy 4.5.1 (latest as of 2021-02-09). Package meets FHS.
[Maintenance]
Package is small and well maintained in Debian by its upstream main developer (Guillem Jover).
[Background information]
Package description is correct and succinct:
'The libmd library provides various
message digest ("hash") functions,
as found on various BSDs on a
library with the same name and with a
compatible API.'
[References]
[1] https://bugs.launchpad.net/ubuntu/+source/libmd/+bugs?search=Search&field.status%3Alist=NEW&field.status%3Alist=OPINION&field.status%3Alist=INVALID&field.status%3Alist=WONTFIX&field.status%3Alist=EXPIRED&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=FIXRELEASED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&assignee_option=any&field.tags_combinator=ANY&field.status_upstream-empty-marker=1
[2] https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;src=libmd
[3] https://www.hadrons.org/software/libmd/
[4] https://autopkgtest.ubuntu.com/packages/libmd
[tdaitx 2021-02-09] I confirm that I checked the above requirements carefully.
2021-02-09 18:11:43 Tiago Stürmer Daitx libmd (Ubuntu): status Incomplete New
2021-02-16 15:49:19 Christian Ehrhardt libmd (Ubuntu): assignee Christian Ehrhardt (paelzer)
2021-02-17 13:24:36 Christian Ehrhardt bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924937
2021-02-17 13:24:55 Christian Ehrhardt libmd (Ubuntu): assignee Christian Ehrhardt (paelzer) Matthieu Clemenceau (mclemenceau)
2021-02-18 15:25:25 Christian Ehrhardt libmd (Ubuntu): assignee Matthieu Clemenceau (mclemenceau) Ubuntu Security Team (ubuntu-security)
2021-03-10 06:24:52 Steve Beattie libmd (Ubuntu): assignee Ubuntu Security Team (ubuntu-security)
2021-03-10 06:24:55 Steve Beattie libmd (Ubuntu): status New In Progress
2021-03-10 07:10:47 Christian Ehrhardt libmd (Ubuntu): status In Progress Fix Committed
2021-03-11 09:15:20 Matthias Klose libmd (Ubuntu): status Fix Committed Fix Released