[MIR] libhttp-cookiejar-perl
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libhttp-cookiejar-perl (Ubuntu) | Won't Fix | Undecided | Unassigned |
libwww-mechanize-perl (Debian) | Fix Released | Unknown | |
libwww-perl (Ubuntu) | Fix Committed | Undecided | Ubuntu Foundations Bugs |
Bug Description
[Availability]
Architecture-all perl package present in Ubuntu since 2014. https:/
[Rationale]
Required by current libwww-perl in Debian. This duplicates / supersedes functionality already present in libhttp-
libwww-
[Security]
- No results on https:/
- only false positives on unrelated packages when searching site:www.
- 0 results on https:/
- 0 security issues on https:/
Package does not ship any executables, it's a perl module; but by definition it will be used to handle untrusted input from the Internet.
[Quality assurance - maintenance]
No open bugs at https:/
Single wishlist bug open at https:/
[Quality assurance - testing]
upstream tests are run via autodep8 and at package build time and pass on all archs https:/
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- The package will be installed by default, but does not ask debconf questions
- Packaging and build is easy; trivial dh debian/rules
[UI standards]
- n/a, perl module only
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be foundations-bugs and will subscribe to the package before promotion
[Background information]
The Package description explains the package well
Changed in libhttp-cookiejar-perl (Ubuntu):
milestone: none → ubuntu-23.10
Changed in libhttp-cookiejar-perl (Ubuntu):
assignee: nobody → Didier Roche-Tolomelli (didrocks)
tags: added: update-excuse
Changed in libwww-perl (Ubuntu):
assignee: nobody → Ubuntu Foundations Bugs (foundations-bugs)
Changed in libwww-mechanize-perl (Debian):
status: Unknown → New
Changed in libwww-mechanize-perl (Debian):
status: New → Fix Released
Review for Package: libhttp-cookiejar-perl
[Summary]
Before giving the MIR ack, there is a pending question about the transition to this package to ensure we only have one perl cookie handler and don’t start having duplicated functionality from this perl lib.
Apart from that, the package needs a security review, so, once the open question is solved, I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: libhttp-cookiejar-perl
Notes:
Required TODOs:
- Question to resolve: It's mentioned that this "safer cookie jar" is supposed to replace libhttp-cookies-perl. However, as you have rightly written, libwww-mechanize-perl is still a reverse-dependency of libhttp-cookies-perl. Is there any bug/plan to track and transition a full migration to libhttp-cookiejar-perl so that we don’t have to maintain both in the long term? As this package is there for some years already, should we be concerned the transition might never happen?
Recommended TODOs:
- The package should get a team bug subscriber before being promoted.
[Duplication]
It's mentioned that this "safer cookie jar" is supposed to replace libhttp-cookies-perl. However, as you have rightly written, libwww-mechanize-perl is still a reverse-dependency of libhttp-cookies-perl. Is there any bug/plan to track and transition a full migration to libhttp-cookiejar-perl so that we don’t have to maintain both in the long term? As this package is there for some years already, should we be concerned the transition might never happen?
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- libhttp-cookiejar-perl checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
Problems:
- does process arbitrary web content and parse data formats from an untrusted source and store them on disk. Require a security review then.
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency
[Packaging red flags]
OK:
- Ubuntu does not carry a delt...