[MIR] libnet-ip-perl (as libmail-dmarc-perl dependency)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libnet-ip-perl (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[MIR] libnet-ip-perl (as libmail-dmarc-perl dependency)
Package: libnet-ip-perl
[Availability]
The package libnet-ip-perl is already in Ubuntu universe.
The package libnet-ip-perl build for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https:/
[Rationale]
The package libnet-ip-perl is required in Ubuntu main for libmail-dmarc-perl.
The package libnet-ip-perl will not generally be useful for a large part of
our user base, but is important/helpful still because is required as runtime dependency by libmail-dmarc-perl
( libmail-dmarc-perl is in the MIR process here: https:/
The package libnet-ip-perl is required in Ubuntu main no later than through the same scheduled requested for the libmail-dmarc-perl promotion, since libmail-dmarc-perll depends on it.
[Security]
No CVEs/security issues in this software in the past:
- (0) https:/
- (0) https:/
- (0) https:/
No `suid` or `sgid` binaries.
No executables in `/sbin` and `/usr/sbin`.
Package does not install services, timers or recurring jobs.
Package does not open privileged ports (ports < 1024).
Package does not expose any external endpoints.
Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...).
[Quality assurance - function/usage]
The package works well right after install
[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and does
not have too many, long-term & critical, open bugs:
- Ubuntu (0) https:/
- Debian (0) https:/
However, in upstream there are not activity from any maintainer since 8 years ago and I haven't found a repository:
- Upstream's bug tracker (27) https:/
The package has important/old open bugs on upstream, some of them are (for a complete list, see the upstream's bug tracker link above):
- Bad documentation:
- Documented arguments for ip_prefix_to_range are incorrect: https:/
- ip_check_mask is documented but not implemented: https:/
- Undef related:
- intip returns 0 ofor 0.0.0.0: https:/
- Net::IP-
- ip++ return NULL on some funcions: https:/
- License ambiguity (not clear to me if this has been tackled): https:/
- Standards related:
- short() does not follow rfc5952 for ipv6 addresses starting with 0: https:/
- IPv4 - 6 Missing Special Ranges: https:/
The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
The package runs a test suite on build time, if it fails
it makes the build fail: https:/
dh_auto_test
make -j4 test TEST_VERBOSE=1
make[2]: Entering directory '/<<PKGBUILDDIR>>'
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils:
The package runs an autopkgtest (via autodep8 using 'Testsuite: autopkgtest-
that runs essentialy the above build-time test suite. It is currently passing on
all of the architectures, excep i386: https:/
The package does have failing autopkgtests tests right now, but since
they always failed they are handled as "ignored failure", this is
because the test depends on pkg-perl-
build for i386 since focal.
[Quality assurance - packaging]
debian/watch is present and works.
debian/control defines a correct Maintainer field : Debian Perl Group <email address hidden> ( https:/
This package does not yield massive lintian Warnings, Errors
- recent build log of the package https:/
- full output from `lintian --pedantic` :
#source
❯ lintian -EvIL +pedantic --show-overrides
E: libnet-ip-perl changes: bad-distributio
I: libnet-ip-perl source: out-of-
X: libnet-ip-perl source: debian-
P: libnet-ip-perl source: silent-
P: libnet-ip-perl source: update-
X: libnet-ip-perl source: upstream-
#binary
❯ lintian -EvIL +pedantic --show-overrides ../libnet-
I: libnet-ip-perl source: out-of-
X: libnet-ip-perl source: debian-
P: libnet-ip-perl source: silent-
P: libnet-ip-perl source: update-
W: libnet-ip-perl: changelog-
W: libnet-ip-perl changes: distribution-
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies.
The package will not be installed by default.
Packaging and build is easy, link to debian/rules: https:/
[UI standards]
Application is not end-user facing (does not need translation).
[Dependencies]
No further dependencies that are not yet in main.
[Standards compliance]
This package correctly follows FHS and Debian Policy (4.2.1)
[Maintenance/Owner]
Owning Team will be Ubuntu Server Team.
Team is not yet, but will subscribe to the package before promotion.
This does not use static builds.
This does not use vendored code.
This package is not rust based.
The package successfully built during the most recent test rebuild: https:/
[Background information]
The Package description explains the package well.
Upstream Name is Net-IP .
Link to upstream project https:/
This has been promoted and demoted from main more than once, with the most recent demotion in Lunar (2022). The original MIR appears to be LP: #243276. Other than that it's only had a single bug opened against it, which was an upgrade bug that expired over a decade ago.
Current version (1.26) is very old, being released by upstream in 2012.
Tha package has had a couple of bugs on Debian in the past: https:/
The project was available for adoption in Debian in 2011 (https:/
Other options for this package that could be checked to see if they can be used instead are:
libnet-
libnet-ip-xs-perl - Perl extension for manipulating IPv4/IPv6 addresses (XS)
libnet-
libnet-iptrie-perl - Perl module for building IPv4 and IPv6 address space hierarchies
but all of them are in universe, apart from the fact that functionality towards libemail-dmarc-perl has not been studied deeply.
This has been in the archive since at least 2008 (Warty, 1.20-1).
Related branches
- Lucas Kanashiro (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 54 lines (+10/-0)1 file modifiedsubscriptions.yaml (+10/-0)
Changed in libnet-ip-perl (Ubuntu): | |
assignee: | nobody → Ioanna Alifieraki (joalif) |
Review for Source Package: libnet-ip-perl
[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does not need a security review
List of specific binary packages to be promoted to main: libnet-ip-perl
Specific binary packages built, but NOT to be promoted to main: <None>
Notes:
This package has one big red flag. It is unmaintained upstream the last 10 years.
Debian has made very few releases since then regarding packaging.
Although there are some alternatives also in universe, I am not sure switching to
an alternative is a good idea.
I looked very quickly at libmail-dmarc-perl and how it uses libnet-ip-perl,
and it's using it to represent the IP object. Therefore, I don't think it is
trivial to move to another package. Again, I didn't study it in dept only superficially.
That said, I believe we could move forward with this MIR as long as the requesting team
commits to maintain the package.
The package does not seem to require a security review at the moment, however requesting team
should reach an agreement with security team on how this package will be dealt in terms of security.
Required TODOs:
1. Requesting team commits to own and maintain the package
2. Agree with security team on how this package will be maintained from a security point of view.
3. The package should get a team bug subscriber before being promoted
Recommended TODOs:
4. Address as many as possible of the upstream important bugs as identified in the bug description.
[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality.
The rationale given in the report seems valid and useful for Ubuntu
Requesting team needs to commit to own long term maintenance of this package.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- libnet-ip-perl checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends
and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal wit...