[Duplication]
No duplication of that functionality in the Archive in general or main in particular.
[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
It does create static .a libs for its -dev package, but that is fine.
No Go package.
[Security]
I can confirm that there seems to be no CVE/Security history for this package.
It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- integrate arbitrary javascript into the desktop
- deal with system authentication
- use centralized online accounts
- process arbitrary web content
But it does:
- parse data formats
Being a multicast protocol implementation, it has to parse data that could have been remotely crafted.
A security review is therefore recommended.
[Common blockers]
- builds fine at the moment
- Server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
Not perfect but OK:
- does not run build-time tests (upstream source would have tests).
[Packaging red flags]
- no current Ubuntu delta to evaluate
- symbol tracking present in libpgm-5.2-0.symbols
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder
[Upstream red flags]
- no suspicious errors during build
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either
Being written in C, it obviously uses malloc and also non-length-limited (no "n") sprintf and such.
I have no good policy/tool to check if they are "incautious" as defined on https://wiki.ubuntu.com/MIRTeam#Upstream_red_flags.
But I know that the Security Team has such tools, so for that (as above for network-related tasks) I'd recommend a security review on this package to be sure.
[Summary]
Ack from the MIR Team's POV, but as outlined above a security review is recommended.
Assigning the Security Team.
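As an added example (not the reviewer's, the MIR Team's or the Security Team's tooling), this is the kind of first-pass check the comment says it lacks: a small Python scanner that lists calls to unbounded C string functions, ignoring commented-out code and string literals so that line numbers are reliable. The function list and the sample C source are assumptions constructed for the demonstration, not libpgm code.

```python
import re

# Calls the MIR "Upstream red flags" checklist treats as incautious when they
# carry no length bound (this list and the tool are assumptions, not MIR tooling).
UNBOUNDED_CALLS = ("sprintf", "vsprintf", "strcpy", "strcat", "gets")

_CALL_RE = re.compile(r"\b(" + "|".join(UNBOUNDED_CALLS) + r")\s*\(")
# One pass over literals and comments, in source order, so a '//' inside a
# string or a quote inside a comment cannot confuse the scanner.
_TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"'    # string literal
    r"|'(?:\\.|[^'\\])*'"   # character literal
    r"|/\*.*?\*/"           # block comment (may span lines)
    r"|//[^\n]*",           # line comment
    re.DOTALL,
)

def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and literals, keeping newlines so line numbers hold."""
    def blank(m):
        tok = m.group(0)
        if tok[0] in "\"'":
            return tok[0] * 2            # keep an empty literal in place
        return "\n" * tok.count("\n")    # comment: keep only its line breaks
    return _TOKEN_RE.sub(blank, src)

def find_incautious_calls(src: str):
    """Return [(line, name), ...] for each unbounded call in C source text.
    snprintf/strncpy are not matched because the pattern requires a word
    boundary directly before the unbounded name."""
    hits = []
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        hits.extend((lineno, m.group(1)) for m in _CALL_RE.finditer(line))
    return hits

# Constructed sample, not libpgm code: formatting a peer address into a buffer.
SAMPLE_C = '''\
#include <stdio.h>
#include <string.h>
/* sprintf(buf, ...) inside this comment must not be reported */
void log_peer(char *buf, const char *addr, int port) {
    sprintf(buf, "%s:%d", addr, port);      // unbounded: flagged
    snprintf(buf, 64, "%s:%d", addr, port); // bounded: not flagged
    strcpy(buf, "sprintf(");                // flagged once; literal ignored
}
'''

if __name__ == "__main__":
    for lineno, name in find_incautious_calls(SAMPLE_C):
        print(f"line {lineno}: {name}()")
```

Run over the package's .c files, each hit is a candidate to inspect by hand (a bounded destination may still be safe); it is a triage aid, not a replacement for the security review the comment requests.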