Comment 1 for bug 1976405

Christian Ehrhardt  (paelzer) wrote :

Review for Package: libntlm

[Summary]
I needed more time than expected checking for duplicates and whether gl is
embedded from anywhere else, but I came to the conclusion that it LGTM.

MIR team ACK

As already suggested by the reporter this does need a security review,
so I'll assign ubuntu-security.

Specific binary packages built, but NOT to be promoted to main: libntlm0, libntlm0-dev

[Duplication]
cyrus-sasl2 has ntlm (main), gss-ntlmssp provides it for kerberos
gssapi, and there are also other languages (python3-ntlm-auth / ruby-ntlm) as well as
proxies (cntlm) - but all except the first are in universe.
But the ntlm in cyrus-sasl2 is just an auth plugin to sasl itself. It is not
using a library (like libntlm) nor is it providing one outside of the sasl2
context.
libntlm0: /usr/lib/x86_64-linux-gnu/libntlm.so.0
libsasl2-modules: /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so

There is one more ntlm implementation in main, that is in dovecot.
But they didn't externalize theirs like cyrus did - so that isn't
an option either.

Therefore despite the similarity it seems there is no duplication in main.

The project lists gsasl on [2], which is also the reason it needs
to be promoted here.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (only libc6)
- no -dev/-debug/-doc packages that need exclusion (deps are safe)
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present; the only one is a local gnulib, like so many
  packages do (grub, gnutls, ... just check [1]). Therefore I'd not consider
  this a blocker.
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does not parse data formats
- does not deal with system authentication (e.g. pam, etc.)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build
- does have a non-trivial test suite that runs as autopkgtest
  (only upstream testsuite and a simple link and run, but fine for such a lib)
- No special HW required
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is ok
- Debian/Ubuntu update history is ok
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings (as shown by the reporter)
- d/rules is rather clean (6 lines)
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
  - in fact there was only one, which I closed as the work was done but
    the bug had been forgotten and left open
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case

Problems: None

[1]: https://codesearch.debian.net/search?q=remember+if+special+invocation+has+ever+been+used+to+obtain&literal=1