Comment 10 for bug 1621386
Revision history for this message
| Christian Ehrhardt (paelzer) wrote | #10 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
This is a special case, as we have the newer versions already in main in Bionic.
Therefore the evaluation checks if the older version has CVEs, packaging issues and such - but is no full re-evaluation.
[Duplication]
No duplication, it is one of the more common python backends for cryptography.
[Embedded sources and static linking]
- no embedded sources
- no static linking
- no golang
[Security]
This is one of the biggest parts of the re-check as we need to ensure that the older version has no known or unmaintainable deficiencies
But it seems fine - no existing CVEs associated.
It still is security sensitive, as it's purpose is to handle tokens that entitle users of a given feature.
Therefore I'd want an ack by the ubuntu-security team - which given it is a re-review should go fast as well.
[Common blockers]
- builds fine in Xenial last time, I asked for a rebuild to prove that also trusty will be fine
- Testsuite is running and blocking build on Xenial as well as on newer versions
- the server team is already subscribed to the package
- no user visible output that needs translation
- only python3 dependencies are used (but then for Xenial/Trusty this wouldn't even be important)
- dh_python is in use
[Packaging red flags]
- no Ubuntu delta?
- a symbols file is tracking ABI on build
- debian/watch present
- updates were ok so far (it isn't moving too fast thou)
- no massive Lintian warnings
- very clean d/rules (almost only dh @)
[Upstream red flags]
- no build errors on the Xenial version that will be added to main
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- one older bug, but nothing serious or affecting the MIR
- no dependency on webkit, qtwebkit, seed or libgoa-*
[Summary]
As expected - since the newer versions are already in main - this wasn't too critical.
After comparing the differences of the version in main in bionic to what shall be promited in Xenial/Trusty there were no blockers identified.
TODOs:
@Chad - since this wasn't built a long time in Xenial and never before in Trusty. Could you please provide a PPA that builds the set of three packages in both Releases?
@Security - this package does cryptography, so IMHO security ack is needed. The reason for that is that the version in main is libsodium23 at 1.0.16-2 or higher but for Xenial/Trusty it will be libsodium18 at 1.0.8-5 (as in Xenial). I'll do the assign on the bug tasks.