Review for Package: libwpe

[Summary]
This library LGTM, it is well maintained and written as far as I could check.
The only sad aspect is the suboptimal test story that you already identified
yourself.

MIR team ACK.

I was going back and forth on whether, in this case, adding more tests is
required or recommended. I've ended up with "recommended", as high level
tests are done as part of the higher level autopkgtest. But consider at least
trying to add some unit tests at build time as rather strongly recommended.

This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: libwpe-1.0-1
Specific binary packages built, but NOT to be promoted to main:

Notes:
Recommended TODOs:
- You already know the testing is weak; the higher level tests in webkit2gtk
  seem fine for autopkgtest, but is there something we could do at the lower
  level in the lib itself for build time checks?
- The package should get a team bug subscriber before being promoted, but I
  know you are aware of that already.

[Duplication]
There is no other package in main providing the same functionality. The
renderer used right now is actively deprecated by upstream, as outlined in the
initial report.

[Dependencies]
OK:
- No other dependencies to MIR due to this (all in main already)
- No -dev/-debug/-doc packages that need exclusion (all follow-on deps in main)
- No dependencies in main that are only superficially tested requiring more
  tests now.

Problems: None

[Embedded sources and static linking]
OK:
- embedded source present (directory subprojects) but not used in Ubuntu builds
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2 (in fact it is the inverse, allowing webkit on gtk)
- does not use lib*v8 directly
- does not open a port/socket
- does not use centralized online accounts
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- history of CVEs does look concerning - not for this library in particular,
  but for the overall webkitgtk stack there are many
- does not integrate arbitrary javascript into the desktop - I can't say it is
  arbitrary, but it is an HTML renderer for GTK, so it will have all the
  attack surface of such.
- does parse data formats
- does process arbitrary web content - again maybe not arbitrary, but
  definitely it will parse content from various sources
=> This clearly is enough to need also a security review.

[Common blockers]
OK:
- does not FTBFS currently
- does not need special HW to test
- no new python2 dependency

Problems:
- does not have a non-trivial test suite that runs as autopkgtest
  But since this is just a lib it is ok to test it at a higher level, which
  happens once we build webkit2gtk with it as backend. That seems sufficient
  to me for autopkgtests.
- does not have a test suite that runs at build time
  That - at least at the micro level, e.g. a unit test to ensure
  fixes/delta/build-options do not break things - would be helpful.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is ok
- the current release is packaged (odd numbers like 1.13.1 / 1.13.2 are
  development interim releases - it is not a problem to not pick them up; the
  next will be 1.14 which isn't released yet)
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list (wpewebkit is, but not this)

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-* (helping to avoid them)
- part of the UI, but not an app
- no need for desktop as lib
- no translation present, but none needed for this case (lib only)

Problems: None
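The [Upstream red flags] items above are checked by reading the source; as an added example (not part of this MIR review and not code from libwpe), the POSIX shell function below greps an unpacked source tree for the same strings that section names (sprintf/malloc, sudo/gksu/pkexec/LD_LIBRARY_PATH, setuid, user nobody) and reports how many files mention each. The function name mir_redflag_scan, the source-tree argument, and the choice to skip a directory named tests/ for the sudo/LD_LIBRARY_PATH class (the checklist allows that usage inside tests) are assumptions of this example. A hit is a candidate for manual inspection, not a finding: the checklist asks about incautious use, which only reading the call site can decide.

```shell
#!/bin/sh
# Added example, not part of the MIR review or of libwpe: a grep sweep for the
# strings the [Upstream red flags] section checks, run over an unpacked source
# tree. Every hit is a candidate for manual review, not a verdict.
# Assumed interface: mir_redflag_scan <source-tree>

mir_redflag_scan() {
    tree="$1"
    flagged=0
    # Each spec is pattern@label@dir-to-skip. The checklist allows sudo and
    # LD_LIBRARY_PATH inside tests, so that class skips a tests/ directory
    # (assumed name); the other classes scan everything. snprintf( does not
    # match sprintf\( so only the unbounded variant is reported.
    for spec in \
        'sprintf\(|malloc\(@incautious malloc/sprintf@' \
        'sudo|gksu|pkexec|LD_LIBRARY_PATH@privilege/loader helpers@tests' \
        'setuid|seteuid|setgid@setuid usage@' \
        '(^|[^[:alnum:]_])nobody([^[:alnum:]_]|$)@user nobody@'
    do
        pat="${spec%%@*}"
        rest="${spec#*@}"
        label="${rest%%@*}"
        skip="${rest#*@}"
        # -r recurse, -E extended regex, -I skip binaries, -l list files only
        if [ -n "$skip" ]; then
            n=$(grep -rEIl --exclude-dir="$skip" -e "$pat" -- "$tree" 2>/dev/null | wc -l)
        else
            n=$(grep -rEIl -e "$pat" -- "$tree" 2>/dev/null | wc -l)
        fi
        n=$((n + 0))               # strip the padding some wc builds emit
        printf '%s: %s file(s)\n' "$label" "$n"
        if [ "$n" -gt 0 ]; then
            flagged=$((flagged + 1))
        fi
    done
    printf 'categories flagged: %s\n' "$flagged"
    return 0
}

# Stand-alone use: scan the tree given on the command line, if any.
if [ $# -gt 0 ]; then
    mir_redflag_scan "$1"
fi
```

Run it as `sh mir_redflag_scan.sh /path/to/libwpe-1.x.y` after unpacking the source (dpkg-source -x or apt source); a non-zero count for a category is the cue to open the listed files, not a reason to block the MIR on its own.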