Review for Package: libtpms

[Summary]
As swtpm this seems generally well packaged, and already has plenty of users.
It needs a bit polishing here and there but seems close to be promotable.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: libtpms0

Required TODOs:
- please package the current v0.9
  https://github.com/stefanberger/libtpms/releases/tag/v0.9.0
- Fix the ppc64 FTBFS
  https://launchpadlibrarian.net/557789130/buildlog_ubuntu-impish-ppc64el.libtpms_0.8.2-1ubuntu1_BUILDING.txt.gz
- Track and resolve https://github.com/stefanberger/libtpms/issues/215
  to ensure this works well with openssl3.0 in Ubuntu 22.04

Recommended TODOs:
- Right now it has no autopkgtest, maybe - like swtpm this could at least run
  the build time tests to spot things as early as dependency-update instead of
  "on the next rebuild"?
- The package should get a team bug subscriber before being promoted

[Duplication]
There are the tpm2-tss related packages, but those are for consumption of
real (or emulated) TPMs. No other package in main providing the same
functionality of emulating/mocking/faking a TPM in software.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (just libc and ssl)
  - checked with check-mir
  - not listed in seeded-in-ubuntu
  - none of the built reverse-depends are in universe
- no -dev/-debug/-doc packages that need exclusion (-dev exists but has no
  aggressive deps that would be a problem)
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

Problems:
- does parse data formats
- does deal with security attestation (secure boot, tpm, signatures)
- history of CVEs does look concerning
- Also the intended use case just yells "this needs a seucrity review"

[Common blockers]
OK:
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- additional testing by usage in swtpm and its tests is indirectly existing
- no new python2 dependency

Problems:
- does not have a non-trivial test suite that runs as autopkgtest
- does FTBFS currently (on PPC64)
  => https://launchpadlibrarian.net/557789130/buildlog_ubuntu-impish-ppc64el.libtpms_0.8.2-1ubuntu1_BUILDING.txt.gz
  I do not see why we would not need this on this arch, so for equivalency we
  have to fix it before promoting it

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control
- symbols tracking is in place (debian/libtpms0.symbols)
- d/watch is present and looks ok
- Upstream update history is regular and good
- Debian/Ubuntu update history is slightly slow, but ok (only exists since G)
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- the current release is not packaged
  https://github.com/stefanberger/libtpms/releases/tag/v0.9.0

[Upstream red flags]
OK:
- no Errors/warnings during the build (a few -Wreturn-local-addr, nothing severe)
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- use of setuid, but ok because <TBD> (prefer systemd to set those
  for services)
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case

Problems:
- important open bugs (crashers, etc) in Debian or Ubuntu
  IMHO there is one worthile to track (but no immediate action needed)
  FIPS:  https://github.com/stefanberger/libtpms/issues/51
  But also one, that given we transition to openssl 3.0 we need to track
  and resolve:
  openssl3: https://github.com/stefanberger/libtpms/issues/215