Main Inclusion Report (Eucalyptus dependencies set 2)

Bug #406346 reported by Thierry Carrez
Affects                    Status        Importance  Assigned to  Milestone
dnsjava (Ubuntu)           Fix Released  Undecided   Unassigned
javassist (Ubuntu)         Fix Released  Undecided   Unassigned
jug (Ubuntu)               Fix Released  Undecided   Unassigned
libaxiom-java (Ubuntu)     Fix Released  Undecided   Unassigned
libslf4j-java (Ubuntu)     Fix Released  Undecided   Unassigned
libxml-security-java (Ubuntu)  Fix Released  Undecided   Unassigned
mvel (Ubuntu)              Fix Released  Undecided   Unassigned
netty (Ubuntu)             Fix Released  Undecided   Unassigned
wss4j (Ubuntu)             Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: libaxiom-java

== Rationale ==
libaxiom-java, libdnsjava-java, libnetty-java, libjug-java, libmvel-java, libslf4j-java, libxmlsecurity-java, libjavassist-java and libwss4j-java are expected dependencies of Eucalyptus 1.6, which needs to land in main, following https://wiki.ubuntu.com/EucalyptusInMainSpec

See below for specific MIR reports.

Revision history for this message
Thierry Carrez (ttx) wrote :

MIR report for dnsjava

== Availability ==
 * http://archive.ubuntu.com/ubuntu/pool/universe/d/dnsjava/, arch-all package
== Security ==
 * No CVE entries, no Secunia history.
 * No binaries, only a Java library (jar file)
 * Network activity: provides DNS-related functions
 * No binary processing
 * Source code review: none
== Quality assurance ==
 * Package works out of the box without configuration, no debconf questions
 * Package is only available in Ubuntu right now. Should be adopted in Debian very soon
 * Upstream is vigorous
 * Upstream bug tracker: http://sourceforge.net/tracker/?group_id=18000&atid=118000, no critical bugs
 * Hardware: package doesn't deal with hardware
 * There is a test suite in upstream packaging and it is enabled in the Debian packaging
== UI standards ==
 * n/a
== Standards compliance ==
 * Package is compliant with FHS
 * Debian policy: compliant
 * Package is compliant with current Ubuntu Java packaging rules
 * Packaging system: classic CDBS/ant build, uses simple-patchsys
== Dependencies not in main ==
 * None
== Maintenance ==
 * Package is a Java library without known bugs
 * Low maintenance cost is expected
 * The Canonical Server team (through myself) is responsible for monitoring the package until it gets adopted by Debian Java and Ubuntu Java teams.
== Background information ==
 * Purpose of package is clear from debian/control description
 * Upstream calls this software "dnsjava"
== Internationalization ==
 * n/a

Thierry Carrez (ttx) wrote :

MIR report for jug

== Availability ==
 * http://archive.ubuntu.com/ubuntu/pool/universe/j/jug/, arch-all package
== Security ==
 * No CVE entries, no Secunia history.
 * No binaries, only a Java library (jar file)
 * No network activity
 * No binary processing
 * Source code review: none
== Quality assurance ==
 * Package works out of the box without configuration, no debconf questions
 * Package is only available in Ubuntu right now. Should be adopted in Debian very soon
 * Upstream is calm.
 * Upstream bug tracker: http://jira.safehaus.org, no relevant bugs
 * Hardware: current package doesn't deal with hardware
 * There is a test suite in upstream packaging and it is enabled in the Debian packaging
== UI standards ==
 * n/a
== Standards compliance ==
 * Package is compliant with FHS
 * Debian policy: compliant
 * Package is compliant with current Ubuntu Java packaging rules
 * Packaging system: classic CDBS/ant build, uses simple-patchsys
== Dependencies not in main ==
 * None
== Maintenance ==
 * Package is a Java library without known bugs or expected updates
 * Very low maintenance cost is expected
 * The Canonical Server team (through myself) is responsible for monitoring the package until it gets adopted by Debian Java and Ubuntu Java teams.
== Background information ==
 * Purpose of package is clear from debian/control description
 * Upstream calls this software "Jug"
== Internationalization ==
 * n/a

Thierry Carrez (ttx) wrote :

MIR report for libaxiom-java

== Availability ==
 * http://archive.ubuntu.com/ubuntu/pool/universe/liba/libaxiom-java/, arch-all package
== Security ==
 * No CVE entries, no Secunia history.
 * No binaries, only a set of Java libraries (jar files)
 * No network activity
 * No binary processing
 * Source code review: none
== Quality assurance ==
 * Package works out of the box without configuration, no debconf questions
 * Package is only available in Ubuntu right now. Should be adopted in Debian very soon
 * Upstream is vigorous
 * Upstream bug tracker: http://issues.apache.org/jira/browse/WSCOMMONS, no critical bugs
 * Hardware: package doesn't deal with hardware
 * There is a test suite in upstream packaging and it is enabled in the Debian packaging
== UI standards ==
 * n/a
== Standards compliance ==
 * Package is compliant with FHS
 * Debian policy: compliant
 * Package is compliant with current Ubuntu Java packaging rules
 * Packaging system: classic CDBS/ant build, no patches
== Dependencies not in main ==
 * None
== Maintenance ==
 * Package is a Java library without known bugs
 * Low maintenance cost is expected
 * The Canonical Server team (through myself) is responsible for monitoring the package until it gets adopted by Debian Java and Ubuntu Java teams.
== Background information ==
 * Purpose of package is clear from debian/control description
 * Upstream calls this software "Apache AXIOM"
== Internationalization ==
 * n/a

Thierry Carrez (ttx) wrote :

MIR report for libslf4j-java

== Availability ==
 * http://archive.ubuntu.com/ubuntu/pool/universe/libs/libslf4j-java/, arch-all package
== Security ==
 * No CVE entries, no Secunia history.
 * No binaries, only a set of Java libraries (jar files)
 * No network activity
 * No binary processing
 * Source code review: none
== Quality assurance ==
 * Package works out of the box without configuration, no debconf questions
 * No Debian bugs; maintenance in Debian is vigorous
 * Upstream is vigorous
 * Upstream bug tracker: http://bugzilla.slf4j.org/query.cgi?product=SLF4J, no relevant bugs
 * Hardware: package doesn't deal with hardware
 * There is a test suite in upstream packaging, but it is maven-powered so not enabled in Debian packaging.
== UI standards ==
 * n/a
== Standards compliance ==
 * Package is compliant with FHS
 * Debian policy: compliant
 * Package still uses gcj-compat-dev to build, compiling with openjdk breaks testsuite
 * Packaging system: classic CDBS/ant build, no patches
== Dependencies not in main ==
 * Build-depends and depends on libjavassist-java, see MIR in this same bug
== Maintenance ==
 * Package is a Java library without known bugs
 * Low maintenance cost is expected
 * The Debian and Ubuntu Java teams are responsible for monitoring the package.
== Background information ==
 * Purpose of package is clear from debian/control description
 * Upstream calls this software SLF4J
== Internationalization ==
 * n/a

description: updated
Changed in dnsjava (Ubuntu):
status: New → Confirmed
Changed in jug (Ubuntu):
status: New → Confirmed
Changed in libaxiom-java (Ubuntu):
status: New → Confirmed
Changed in libslf4j-java (Ubuntu):
status: New → Confirmed
Thierry Carrez (ttx) wrote :

MIR report for javassist

== Availability ==
 * http://archive.ubuntu.com/ubuntu/pool/universe/j/javassist/, arch-all package
== Security ==
 * No CVE entries, no Secunia history.
 * No binaries, only one Java library (jar file)
 * No network activity
 * No binary processing, however it's a bytecode editing library
 * Source code review: none
== Quality assurance ==
 * Package works out of the box without configuration, no debconf questions
 * No Debian bugs; maintenance in Debian is vigorous
 * Upstream is vigorous
 * Upstream bug tracker: https://jira.jboss.org/jira/browse/JASSIST, no relevant bugs
 * Hardware: package doesn't deal with hardware
 * There is a test suite in upstream packaging, but it is not enabled in Debian packaging.
== UI standards ==
 * n/a
== Standards compliance ==
 * Package is compliant with FHS
 * Debian policy: compliant
 * Package is compliant with current Ubuntu Java packaging rules
 * Packaging system: classic CDBS/ant build, no patches
== Dependencies not in main ==
 * None
== Maintenance ==
 * Package is a Java library without known bugs
 * Low maintenance cost is expected
 * The Debian and Ubuntu Java teams are responsible for monitoring the package.
== Background information ==
 * Purpose of package is clear from debian/control description
 * Upstream calls this software Javassist
== Internationalization ==
 * n/a

Changed in javassist (Ubuntu):
status: New → Confirmed
Thierry Carrez (ttx) wrote :

MIR report for libxml-security-java

== Availability ==
 * http://archive.ubuntu.com/ubuntu/pool/universe/libx/libxml-security-java/, arch-all package
== Security ==
 * No CVE entries, no Secunia history.
 * No binaries, only one Java library (jar file)
 * No network activity
 * No binary processing
 * Source code review: none
== Quality assurance ==
 * Package works out of the box without configuration, no debconf questions
 * No Debian bugs; maintenance in Debian is vigorous
 * Upstream is vigorous
 * Upstream bug tracker: https://issues.apache.org/bugzilla, no relevant bugs
 * Hardware: package doesn't deal with hardware
 * There is a test suite in upstream packaging, but it is not enabled in Debian packaging.
== UI standards ==
 * n/a
== Standards compliance ==
 * Package is compliant with FHS
 * Debian policy: compliant
 * Package is compliant with current Ubuntu Java packaging rules
 * Packaging system: classic CDBS/ant build, no patches
== Dependencies not in main ==
 * None
== Maintenance ==
 * Package is a Java library without known bugs
 * Low maintenance cost is expected
 * The Debian and Ubuntu Java teams are responsible for monitoring the package.
== Background information ==
 * Purpose of package is clear from debian/control description
 * Upstream calls this software Apache XML Security
== Internationalization ==
 * n/a

Changed in libxml-security-java (Ubuntu):
status: New → Confirmed
Thierry Carrez (ttx) wrote :

MIR report for mvel

== Availability ==
 * http://archive.ubuntu.com/ubuntu/pool/universe/m/mvel/, arch-all package
== Security ==
 * No CVE entries, no Secunia history.
 * No binaries, only one Java library (jar file)
 * No network activity
 * No binary processing
 * Source code review: none
== Quality assurance ==
 * Package works out of the box without configuration, no debconf questions
 * Package is only available in Ubuntu right now. Should be adopted in Debian very soon
 * Upstream is vigorous
 * Upstream bug tracker: http://jira.codehaus.org/browse/MVEL, no relevant bugs
 * Hardware: package doesn't deal with hardware
 * There is no test suite in upstream packaging.
== UI standards ==
 * n/a
== Standards compliance ==
 * Package is compliant with FHS
 * Debian policy: compliant
 * Package is compliant with current Ubuntu Java packaging rules
 * Packaging system: classic CDBS/ant build, no patches
== Dependencies not in main ==
 * None
== Maintenance ==
 * Package is a Java library without known bugs
 * Low maintenance cost is expected
 * The Canonical Server team (through myself) is responsible for monitoring the package until it gets adopted by Debian Java and Ubuntu Java teams.
== Background information ==
 * Purpose of package is clear from debian/control description
 * Upstream calls this software MVEL
== Internationalization ==
 * n/a

Changed in mvel (Ubuntu):
status: New → Confirmed
Thierry Carrez (ttx) wrote :

MIR report for netty

== Availability ==
 * http://archive.ubuntu.com/ubuntu/pool/universe/n/netty/, arch-all package
== Security ==
 * No CVE entries, no Secunia history.
 * No binaries, only one Java library (jar file)
 * It's a framework to build network-powered client-server applications
 * No binary processing
 * Source code review: none
== Quality assurance ==
 * Package works out of the box without configuration, no debconf questions
 * Package is only available in Ubuntu right now. Should be adopted in Debian very soon
 * Upstream is vigorous
 * Upstream bug tracker: https://jira.jboss.org/jira/browse/NETTY, no relevant bugs
 * Hardware: package doesn't deal with hardware
 * There is some testing in upstream packaging, but it is maven-powered so not enabled in Debian packaging.
== UI standards ==
 * n/a
== Standards compliance ==
 * Package is compliant with FHS
 * Debian policy: compliant
 * Package is compliant with current Ubuntu Java packaging rules
 * Packaging system: classic CDBS/ant build, no patches
== Dependencies not in main ==
 * Depends on libslf4j-java to build, see MIR in this same bug
== Maintenance ==
 * Package is a Java library without known bugs
 * Low maintenance cost is expected
 * The Canonical Server team (through myself) is responsible for monitoring the package until it gets adopted by Debian Java and Ubuntu Java teams.
== Background information ==
 * Purpose of package is clear from debian/control description
 * Upstream calls this software Netty
== Internationalization ==
 * n/a

Changed in netty (Ubuntu):
status: New → Confirmed
Thierry Carrez (ttx) wrote :

MIR report for wss4j

== Availability ==
 * http://archive.ubuntu.com/ubuntu/pool/universe/w/wss4j/, arch-all package
== Security ==
 * No CVE entries, no Secunia history.
 * No binaries, only one Java library (jar file)
 * No network activity
 * Binary processing: Can be used to verify SOAP Messages with encoded WS-Security information
 * Source code review: none
== Quality assurance ==
 * Package works out of the box without configuration, no debconf questions
 * Package is only available in Ubuntu right now. Should be adopted in Debian very soon
 * Upstream is calm
 * Upstream bug tracker: http://issues.apache.org/jira/browse/WSS, no relevant bugs
 * Hardware: package doesn't deal with hardware
 * There is a test suite in upstream packaging, but it is not enabled in Debian packaging.
== UI standards ==
 * n/a
== Standards compliance ==
 * Package is compliant with FHS
 * Debian policy: compliant
 * Package is compliant with current Ubuntu Java packaging rules
 * Packaging system: classic CDBS/ant build, no patches
== Dependencies not in main ==
 * Build depends on libxml-security-java, see MIR in this same bug
== Maintenance ==
 * Package is a Java library without known bugs
 * Low maintenance cost is expected
 * The Canonical Server team (through myself) is responsible for monitoring the package until it gets adopted by Debian Java and Ubuntu Java teams.
== Background information ==
 * Purpose of package is clear from debian/control description
 * Upstream calls this software WSS4J
== Internationalization ==
 * n/a

Changed in wss4j (Ubuntu):
status: New → Confirmed
James Westby (james-w) wrote :

NEW review showed the following:

  * wss4j: no issues.
  * netty: some files included apparently without source, notably doc/guide/pdf/netty.pdf and doc/guide/eclipse/images/architecture.odg (and other instances of that file), LGPL licensed.
  * mvel: no issues.
  * jug: dual licensed, but only one of those specified in debian/copyright; has some code under com.ccg, where most is org.safehaus, possible embedding or copyright infringement, doesn't look like the former.
  * dnsjava: no issues.

Thanks,

James

Kees Cook (kees) wrote :
Changed in libxml-security-java (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: Confirmed → Incomplete
Kees Cook (kees)
Changed in dnsjava (Ubuntu):
status: Confirmed → In Progress
Kees Cook (kees) wrote :

dnsjava: +1, I've confirmed that it is using a random ID generator, and does not appear to implement a server-side listener which may have weak source port allocations.

Changed in dnsjava (Ubuntu):
assignee: nobody → Kees Cook (kees)
Changed in jug (Ubuntu):
status: Confirmed → In Progress
Kees Cook (kees) wrote :

jug: tiny and simple, +1 if license issues can be resolved (see james_w above).

Changed in jug (Ubuntu):
assignee: nobody → Kees Cook (kees)
Changed in mvel (Ubuntu):
status: Confirmed → In Progress
Kees Cook (kees) wrote :

mvel: +1 as long as the tests are made to be enabled at build-time.

Changed in mvel (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: In Progress → Incomplete
Changed in jug (Ubuntu):
status: In Progress → Incomplete
Kees Cook (kees) wrote :

netty: +1 as long as:
 - the tests are made to be enabled at build-time.
 - the sourceless files are removed (as noted by james_w above)

Changed in netty (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: Confirmed → Incomplete
Kees Cook (kees) wrote :

wss4j: approved, though I wish it had a test-suite given the other similar WS-Security implementations that have had CVEs lately: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=WS-Security

Changed in wss4j (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: Confirmed → In Progress
James Westby (james-w) wrote :

  * netty: I'm not sure where the LGPL stands on requiring source, check with another archive admin before taking action

One I missed from this report:

  * libaxiom-java: no issues found

Kees Cook (kees) wrote :

javassist: +1

Changed in javassist (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Kees Cook (kees)
Kees Cook (kees) wrote :

libaxiom-java: +1

Changed in libaxiom-java (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: Confirmed → In Progress
Kees Cook (kees) wrote :

libslf4j-java: approved if tests can be enabled in build:
./slf4j-nop/src/test
./slf4j-migrator/src/test
./slf4j-simple/src/test
./jcl-over-slf4j/src/test
./slf4j-log4j12/src/test
./slf4j-jcl/src/test
./slf4j-jdk14/src/test
./slf4j-ext/src/test
./log4j-over-slf4j/src/test
./slf4j-api/src/test
./jul-to-slf4j/src/test
./integration/src/test

Changed in libslf4j-java (Ubuntu):
assignee: nobody → Kees Cook (kees)
Changed in dnsjava (Ubuntu):
assignee: Kees Cook (kees) → nobody
Changed in javassist (Ubuntu):
assignee: Kees Cook (kees) → nobody
Changed in libaxiom-java (Ubuntu):
assignee: Kees Cook (kees) → nobody
Changed in libslf4j-java (Ubuntu):
status: Confirmed → Incomplete
Changed in wss4j (Ubuntu):
assignee: Kees Cook (kees) → nobody
Thierry Carrez (ttx) wrote :

libxml-security-java was updated to 1.4.3.

Changed in libxml-security-java (Ubuntu):
status: Incomplete → Confirmed
Thierry Carrez (ttx) wrote :

Uploaded a jug update with mention of dual licensing in debian/copyright.

Note that the code under com.ccg is part of JUG as much as the code under org.safehaus, and does not result from embedding or copyright violation. It's code contributed to JUG from Paul Blankenbaker. See http://jug.safehaus.org/curr/release-notes/CREDITS for details.

Changed in jug (Ubuntu):
status: Incomplete → Confirmed
Thierry Carrez (ttx) wrote :

Tests in MVEL are not enabled because they rely on a non-packaged third-party JAR (ognl.jar) and tests don't even compile without it...

Thierry Carrez (ttx) wrote :

Tests in netty are not enabled because they rely on a non-packaged third-party JAR (easymockclassextension.jar) and tests don't even compile without it...

I repackaged the orig tarball to get rid of sourceless doc and uploaded it.

Kees Cook (kees) wrote :

mvel, netty, jug: approved.

Changed in mvel (Ubuntu):
status: Incomplete → In Progress
Changed in netty (Ubuntu):
status: Incomplete → In Progress
Changed in jug (Ubuntu):
status: Confirmed → In Progress
assignee: Kees Cook (kees) → nobody
Changed in mvel (Ubuntu):
assignee: Kees Cook (kees) → nobody
Changed in libxml-security-java (Ubuntu):
assignee: Kees Cook (kees) → Thierry Carrez (ttx)
Changed in libslf4j-java (Ubuntu):
assignee: Kees Cook (kees) → Thierry Carrez (ttx)
Changed in netty (Ubuntu):
assignee: Kees Cook (kees) → nobody
Changed in libxml-security-java (Ubuntu):
status: Confirmed → In Progress
Kees Cook (kees) wrote :

libxml-security-java: approved.

Thierry Carrez (ttx)
Changed in libxml-security-java (Ubuntu):
assignee: Thierry Carrez (ttx) → nobody
Thierry Carrez (ttx) wrote :

Testsuites were enabled in libslf4j-java, see bug 429340 for details.

Changed in libslf4j-java (Ubuntu):
assignee: Thierry Carrez (ttx) → nobody
status: Incomplete → In Progress
Thierry Carrez (ttx) wrote :
Changed in dnsjava (Ubuntu):
status: In Progress → Fix Released
Changed in javassist (Ubuntu):
status: In Progress → Fix Released
Changed in libaxiom-java (Ubuntu):
status: In Progress → Fix Released
Changed in libxml-security-java (Ubuntu):
status: In Progress → Fix Released
Changed in wss4j (Ubuntu):
status: In Progress → Fix Released
Thierry Carrez (ttx)
Changed in libslf4j-java (Ubuntu):
status: In Progress → Fix Released
Changed in mvel (Ubuntu):
status: In Progress → Fix Released
Changed in netty (Ubuntu):
status: In Progress → Fix Released
Changed in jug (Ubuntu):
status: In Progress → Fix Released