Review for Package: libunicode-escape-perl [Summary] MIR team NACK (outdated, unmaintained, alternatives in main) Unless there is a very strong explanation why this can't be done with the better alternatives this is a NACK. This does not need a security review List of specific binary packages to be promoted to main: libunicode-escape-perl Specific binary packages built, but NOT to be promoted to main: n/a Required TODOs: - give it a reasonable evaluation please if the alternate modules already in main like libunicode-utf8-perl might be sufficient for what the new dependency needs from libunicode-escape-perl. Modern perl also supports unicode natively are we sure this isn't just a (very) old dependency here? Also 0.0.2 since 2011, given there are alternatives I'm really not convinced we should use this. Recommended TODOs: - The package should get a team bug subscriber before being promoted [Duplication] There is no other package in main providing the same functionality. There are many similar ones though, like libstring-escape-perl for general string escaping. And libunicode-utf8-perl for encode/decode of unicode. Both are already in main. Also modern perl supports unicode directly, do we really need this? CPAN even has more https://metacpan.org/pod/Encode::Escape::Unicode there might be a proliferation going on, but all except the perl-integrated one have not seen updates in years. And if this would not be needed, then libunicode-string-perl also would not be needed to bepromoted/supported. I'll add a check for that as required TODO to ensure we are not just re-adding the same function. Especially since most of these libs seem outdated or at least rarely updated, it is better to carry fewer. [Dependencies] OK: - no other Dependencies to MIR due to this - no -dev/-debug/-doc packages that need exclusion - No dependencies in main that are only superficially tested requiring more tests now. Problems: None [Embedded sources and static linking] OK: - no embedded source present - no static linking - does not have odd Built-Using entries - not a go package, no extra constraints to consider in that regard - No vendoring used, all Built-Using are in main Problems: None [Security] - history of CVEs does not look concerning - does not run a daemon as root - does not use webkit1,2 - does not use lib*v8 directly - does not open a port/socket - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does not deal with security attestation (secure boot, tpm, signatures) Problems: - does parse data formats (usually docs in the current use, but not arbitrary and low attack surface) [Common blockers] OK: - does not FTBFS currently - does have a test suite that runs at build time - test suite fails will fail the build upon error. - does have a test suite that runs as autopkgtest - no special HW needed - no new python2 dependency Problems: None [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking not applicable for this kind of code. - d/watch is present and looks ok - Debian/Ubuntu update history is slow (matching upstream) - the current release is packaged - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - d/rules is rather clean - It is not on the lto-disabled list Problems: - Upstream update history is slow, not sure how much we can rely on it. Those kind of packages often are without being a problem, but we have to be clear this seems like a non (much) active upstream. This package in particular 0.0.2 since 2011, given there are alternatives now I'm really not convinced we should use this. [Upstream red flags] OK: - no Errors/warnings during the build - no incautious use of malloc/sprintf (perl only) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH - no use of user nobody - no use of setuid - no important open bugs (crashers, etc) in Debian or Ubuntu - no dependency on webkit, qtwebkit, seed or libgoa-* - not part of the UI for extra checks - no translation present, but none needed for this case Problems: None