© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
[Summary]
MIR Team ack to this package.
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: libmarisa0
Recommended TODOs:
- upstream provides tests in test/*, could those be enabled at build time?
[Duplication]
There is no other package in main providing the same functionality.
I mean obviously there are many data-structure helpers, but this one in
particular isn't available elsewhere. It is not a one-off just for
opencc, also librime and libkkc2 are using it which seems reasonable.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
Depends: libc6 (>= 2.33), libgcc-s1 (>= 3.0), libstdc++6 (>= 5.2)
- has libmarisa-dev which will be auto-promoted, but that has no deps
other than libmarisa0 itself
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- there are some maintenance artifacts in the tarball, but none seems
problematic and none goes into the binaries that we will promote.
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
Problems:
- does parse data formats and translate them into the data structures this
provides. This would usually be done in the context of the user-input which
doesn't sound like a very critical attach surface. OTOH I don't want to hear
that e.g. all Ubuntu input boxes can be broken by a special input string or
such. Therefore I think it is worth to pass this through a security review
as well.
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber (an intend-to-sub by the Desktop Team)
- no translation present, but this is not the Ui but a background feature
- not a python/go package, no extra constraints to consider in that regard
Problems:
- does not have a test suite that runs at build time
But I think that is covered by the autopkgtests, never the less there is an
upstream provided test collection, having that on build would be awesome.
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place (the version we have synced from
experimental contains it)
- d/watch is present and looks ok
- Upstream update history slow, but ok (seems more stable than a lack of attention)
- Debian/Ubuntu update history is ok
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- Does not have Built-Using
Problems:
- d/rules isn't the cleanest, but nothing that would block this
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks