Comment 4 for bug 1853506

Christian Ehrhardt  (paelzer) wrote :

[Summary]
- looks up to date and well packaged
- MIR Team ack (constraint to add the subscription before promotion)
- Needs security review
  - subscribing and assigning to security now
- some minimal optional improvements that should be looked at briefly at least
  - over-linking warnings by dpkg-shlibdeps

[Duplication]
- No duplication issue as there isn't another tool/lib providing the same functionality atm.

[Embedded sources and static linking]
- No embedded sources
- No static linking

[Security]
- No history of CVEs
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

It does:
- parse data formats (from its CTL programs as well as through the lib's API)

Compared to other packages this doesn't have a lot of security exposure at first (network, ...), but
it is responsible for managing your (persistent) memory and therefore can be considered important
so as to not allow access to areas users should have none.

Also, tools known to use the libs could be tricked into bugs by modifying the (virtual) system environment.
So the stability of the tools is important for potentially further programs.

Therefore despite not ticking a lot of "security concern" check-boxes I'd ask for a security review to be on the safe side.

[Common blockers]
- builds fine atm
- bug subscriber is clear and will be done at promotion of the package
- no translations available, but this is not facing non-experienced end users
- no python package for extra checks in that regard

- it does have a test suite, but atm all tests are skipped at build time!
  It seems it needs to load modules to test, which won't work in build-env
  One might think those tests might easily be converted to an autopkgtest
  but it is not the main modules that it needs.
  It needs a special test module from tools/testing/nvdimm which isn't part of
  any linux-* package and therefore hard to get right in an autopkgtest
  environment. Therefore consider this ok for now as-is.

[Packaging red flags]
- no Ubuntu delta
- symbols tracking in place
- d/watch is fine
- regular update history
- latest release is packaged
- no issues for MOTUs when promoted
- no massive Lintian warnings
- d/rules is rather clear
- no Built-Using present
- no golang involved

[Upstream red flags]
- no Errors/warnings during the build
- no Incautious use of malloc/sprintf
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no major bugs in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- no scope for UI