Comment 8 for bug 1746598

Leonidas S. Barbosa (leosilvab) wrote :

I reviewed libnfs (3.0.0-1) from disco

- Build dependencies:
 - debhelper, dh-autoreconf, libopt-dev

- Few issues on github
- NO CVE history
- no pre or postinst scripts
- no systemd unit files
- no system dbus services
- no setuid files
- Some binaries:
   /usr/bin/nfs-cp:
        Position Independent Executable: yes
        Stack protected: yes
        Fortify Source functions: yes
        Read-only relocations: yes
        Immediate binding: yes
   /usr/bin/nfs-cat:
        Position Independent Executable: yes
        Stack protected: yes
        Fortify Source functions: yes
        Read-only relocations: yes
        Immediate binding: yes
   /usr/bin/nfs-ls:
        Position Independent Executable: yes
        Stack protected: yes
        Fortify Source functions: yes
        Read-only relocations: yes
        Immediate binding: yes
- no sudo fragments in the code, just in test/functions.sh lines 11 and 15
- no udev rules
- It has dozens of tests, but I didn't see any of them being called during build
- no cron jobs
- clean build log
- doesn't spawn other processes. The only spawn happens in test files (some .sh scripts)
- Memory mgmt looked OK (in a first review), but cppcheck shows some mem leaks; a previous analysis shows they can be treated as irrelevant. Further considerations are welcome.
   - [lib/nfs_v3.c:3106]: (error) Memory leak: cb_data
     [lib/nfs_v3.c:3115]: (error) Memory leak: cb_data
     [lib/nfs_v3.c:3473]: (error) Memory leak: cb_data
     [lib/nfs_v3.c:3482]: (error) Memory leak: cb_data
- File IO: some reads/opens of files, which seem to be internal to the lib, and a lot of them in examples files.
- logging looked fine
- no envars
- does not use encryption
- does not use webkit
- does not use javascript

That said, I'm OK with that package being promoted to main. Please feel free to re-review these points I made.