[MIR] libregexp-wildcards-perl

Bug #1980968 reported by Olivier Gayot
Affects                            Status        Importance  Assigned to    Milestone
libregexp-wildcards-perl (Ubuntu)  Fix Released  Undecided   Olivier Gayot
lintian (Ubuntu)                   Fix Released  Undecided   Unassigned

Bug Description

[Availability]
The package libregexp-wildcards-perl is already in Ubuntu universe.
The package libregexp-wildcards-perl builds for the architectures it is designed to work on.
It currently builds and works for architectures: all
Link to package [[https://launchpad.net/ubuntu/+source/libregexp-wildcards-perl/|libregexp-wildcards-perl]]

[Rationale]
The package libregexp-wildcards-perl will not generally be useful for a large part of
our user base, but is important/helpful still because the package
is a new runtime dependency of package lintian that we already support

- It would be great and useful to community/processes to have the
package libregexp-wildcards-perl in Ubuntu main, but there is no definitive deadline.

[Security]
 - No CVEs/security issues in this software in the past
 - no `suid` or `sgid` binaries
 - no executables in `/sbin` and `/usr/sbin`
 - Package does not install services, timers or recurring jobs
 - Package does not open privileged ports (ports < 1024)
 - Package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
 - The package works well right after install

  # apt install libregexp-wildcards-perl
  $ perl
  < use Regexp::Wildcards;
  < my $rw = Regexp::Wildcards->new(type => "unix");
  < printf "%s\n", $rw->convert("src/*.pl", "jokers");

  > src\/.*\.pl

[Quality assurance - maintenance]
 - There have only been two revisions in d/changelog for the package.
 - The package is maintained well in Debian/Ubuntu and has not too many and
   long term critical bugs open
   - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libregexp-wildcards-perl/+bug
   - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libregexp-wildcards-perl
 - The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
 - The package runs a test suite on build time, if it fails it makes the build
   fail. link to build log:
 - Link to green build:
   https://pastebin.ubuntu.com/p/t8b2dsBNxg/
 - Link to red build (caused by build-time test failure):
   https://pastebin.ubuntu.com/p/YbvfNdF24v/

 - The package only runs the minimal autodep8-perl autopkgtest ; it does not
   include a d/tests directory or declare a Testsuite.
 - The package does not have failing autopkgtests right now

[Quality assurance - packaging]
 - debian/watch is present and works

 - debian/control defines a correct Maintainer field.
 - libregexp-wildcards-perl does not currently have any Ubuntu delta.

 - This package does not yield massive lintian Warnings, Errors
 - Please link to a recent build log of the package libregexp-wildcards-perl:
   https://pastebin.ubuntu.com/p/t8b2dsBNxg/

[debian/control]

 - Lintian overrides are not present

 - This package does not rely on obsolete or about to be demoted packages.
 - This package has no python2 or GTK2 dependencies

 - The package will be installed by default, but does not ask debconf
   questions higher than medium

 - Packaging and build is easy, content of d/rules:

#!/usr/bin/make -f

%:
 dh $@

[UI standards]
 - Application is not end-user facing (does not need translation)

[Dependencies]
 - No further depends or recommends dependencies that are not yet in main

[Standards compliance]
 - This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
 - Owning Team will be Foundations team
 - Team is not yet, but will subscribe to the package before promotion

 - This does not use static builds
 - This does not use vendored code
 - This package is not rust based
 - The package was test rebuilt in PPA or sbuild recently (provide link/logs)
   https://pastebin.ubuntu.com/p/t8b2dsBNxg/

[Background information]
The Package description explains the package well
Upstream Name is Regexp-Wildcards
Link to upstream project https://metacpan.org/dist/Regexp-Wildcards

Olivier Gayot (ogayot)
Changed in libregexp-wildcards-perl (Ubuntu):
status: New → Incomplete
assignee: nobody → Olivier Gayot (ogayot)
Olivier Gayot (ogayot) wrote :

Output of lintian --pedantic:

E: libregexp-wildcards-perl changes: bad-distribution-in-changes-file unstable
P: libregexp-wildcards-perl source: package-uses-old-debhelper-compat-version 10
P: libregexp-wildcards-perl source: silent-on-rules-requiring-root

description: updated
Olivier Gayot (ogayot)
Changed in libregexp-wildcards-perl (Ubuntu):
status: Incomplete → New
assignee: Olivier Gayot (ogayot) → nobody
Changed in libregexp-wildcards-perl (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Christian Ehrhardt  (paelzer) wrote :

Review for Package: libregexp-wildcards-perl

[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs.

This does not need a security review

List of specific binary packages to be promoted to main: libregexp-wildcards-perl
Specific binary packages built, but NOT to be promoted to main: <none>

Required TODOs:
- Either evaluate libregexp-shellish-perl if that should be used instead (and
  then prep a MIR for that) - or - at least add autopkgtest-pkg-perl so that it
  does not just run at build but also at autopkgtest time.

[Duplication]
There is no other package in main providing the same functionality in main.

There is also libregexp-shellish-perl which does very much the same.
But that is in universe as well, so that is ok.
OTOH libregexp-shellish-perl has gotten at least some love and update
in recent times - it has autopkgtest-pkg-perl enabled, reproducible
builds, updated general packaging, ...
Eventually we want to pick just one of them, so it might be worth to have a
look/talk if that might be the better option.
I'll add a task to evaluate if that would be better.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- This only "parses" data from trusted code to convert the regexp. The actual
  data handling is then done by perl itself which is getting way more attention.
  => No problem

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build upon error.
- no new python2 dependency

Problems:
- does not have a non-trivial test suite that runs as autopkgtest
  It could be run easily though, but you'd need to make that change.
  As mentioned https://autopkgtest.ubuntu.com/packages/libregexp-wildcards-perl
  does not exist but https://autopkgtest.ubuntu.com/packages/libregexp-shellish-perl
  does.
  Adding as a todo.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- the cur...


Changed in libregexp-wildcards-perl (Ubuntu):
status: New → Incomplete
assignee: Christian Ehrhardt  (paelzer) → Olivier Gayot (ogayot)
Christian Ehrhardt  (paelzer) wrote :

Marking incomplete and assign it to Olivier to consider and clear the few last things, then it should be good to go.

Olivier Gayot (ogayot) wrote :

I've reviewed both packages and can't decide objectively if one would do the job better than the other for lintian. The availability of libregexp-shellify-perl in salsa and the packaging updates that it got recently can be considered a slight plus.

I've opened a discussion on lintian-maint [1] to check if Debian would consider a move from one Depends: to the other. IMO, we should not consider adding a delta to lintian for the sole purpose of this MIR.

[1] https://<email address hidden>/msg43656.html

Christian Ehrhardt  (paelzer) wrote :

Thanks Olivier for checking in more detail.
Let us know the outcome of your discussion in a few days.

I agree that we should not add delta for this, it isn't that important.
So if we will stick with libregexp-wildcards-perl just work on adding the autopkgtest.
And if we switch to libregexp-shellify-perl, well fine, modify the MIR to process that one instead then.

Lukas Märdian (slyon)
Changed in lintian (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
tags: added: update-excuse
Olivier Gayot (ogayot) wrote :

Axel from Debian responded [1] to my request and made very good points that show that libregexp-wildcards-perl is a better alternative than libregexp-shellish-perl for lintian.

Therefore, let's keep the MIR as it is and in the meantime I submitted a .debdiff to https://bugs.launchpad.net/ubuntu/+source/libregexp-wildcards-perl/+bug/1983397 (and forwarded it to Debian) to enable the test-suite at autopkgtest time.

[1] https://lists.debian.org/debian-lint-maint/2022/08/msg00000.html

Lukas Märdian (slyon) wrote :

@ogayot made the requested change to libregexp-wildcards-perl and submitted it to Debian. It was promptly accepted by the maintainer and already auto-synced into Ubuntu: https://launchpad.net/ubuntu/+source/libregexp-wildcards-perl/1.05-3

This resolves all MIR TODOs => MIR team ACK.

I've added the ~foundations-bugs team subscriber.
The package is already being pulled in by lintian, so it is ready for promotion.

Changed in libregexp-wildcards-perl (Ubuntu):
status: Incomplete → Fix Committed
Christian Ehrhardt  (paelzer) wrote :

Acks are good, subscription is good - thank you all.

Override component to main
libregexp-wildcards-perl 1.05-3 in kinetic: universe/misc -> main
libregexp-wildcards-perl 1.05-3 in kinetic amd64: universe/perl/optional/100% -> main
libregexp-wildcards-perl 1.05-3 in kinetic arm64: universe/perl/optional/100% -> main
libregexp-wildcards-perl 1.05-3 in kinetic armhf: universe/perl/optional/100% -> main
libregexp-wildcards-perl 1.05-3 in kinetic i386: universe/perl/optional/100% -> main
libregexp-wildcards-perl 1.05-3 in kinetic ppc64el: universe/perl/optional/100% -> main
libregexp-wildcards-perl 1.05-3 in kinetic riscv64: universe/perl/optional/100% -> main
libregexp-wildcards-perl 1.05-3 in kinetic s390x: universe/perl/optional/100% -> main
Override [y|N]? y
8 publications overridden.

Changed in libregexp-wildcards-perl (Ubuntu):
status: Fix Committed → Fix Released
Luís Infante da Câmara (luis220413) wrote :

As this package is in the main component, this is no longer a reason for the lintian source package not to migrate to the release pocket.

Changed in lintian (Ubuntu):
status: New → Incomplete
status: Incomplete → Fix Released
assignee: Lukas Märdian (slyon) → nobody