[Summary] MIR Team nack until the unbundling of libfdt was checked and either done or reasonably explained why it is undoable + a security ack on the exception to do so. Furthermore I'd strongly recommend to add an autopkgtest for it before we promote it. Report back here once those are resolved, to get an MIR-Ack and passing it along to the security team then. Setting the state abck to invalid to reflect that the action is on the reporter. Notes: - if it can't work against libfdt1 from the archive we will need security to consider if this is ok as a special case or a no-go. Required TODOs: - embedded libfdt is outdated and well, embedded. Please build and link against the libfdt1 / libfdt-dev that is in main. Recommended TODOs: - Self-tests are essentially non-existent. I'd be slightly scared of breakage even due to other components or by the toolchain used on build. Could we add a autopkgtest that uses this to boot a minimal riscv system? [Duplication] OK: There is no other package in main providing the same functionality. [Dependencies] OK: - no other Dependencies to MIR due to this - no -dev/-debug/-doc packages that need exclusion [Embedded sources and static linking] OK: - no static linking in the usual sense. As outlined when filing the result are elf object without runtime dependencies to load on boot. The one problem in this is libfdt (see below) Problems: - embedded source present - libfdt This contains, builds and uses a contained libfdt This package exists in the archive and in main libfdt1 | 1.5.1-1 | focal libfdt1 | 1.6.0-1 | groovy libfdt1 | 1.6.0-1 | hirsute The bundled code is outdated (on 1.5.1 atm). Due to being a static link anyway - after a fix of src:device-tree-compiler that provided libfdt a rebuild of src:opensbi would be needed anyway. But we won't know if fixed are monitored the same way and/or applicable to the bundled code. The code itself is rather stable, no public API change since 1.2. Please try if this can build and (static) link with the in-distro libfdt. If we can't it is up to security to decide if that is ok or a problem that should be blocked on. [Security] OK: - history of CVEs does not look concerning - does not run a daemon as root - does not use webkit1,2 - does not use lib*v8 directly - does not parse data formats - does not open a port - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) Problems: - as outlined by the reporter this runs in the highes possible privilege mode. Combined with the issues around libfdt I'd recommend security having a look. [Common blockers] OK: - does not FTBFS currently - The package has a team bug subscriber - no translation present, but none needed for this case (user visible)? - not a python/go package, no extra constraints to consider int hat regard - no new python2 dependency Problems: - does not have a test suite that runs at build time - does not have a test suite that runs as autopkgtest Since Risc is emulated anyway this should work in autopkgtest. Could we carry a blob that could be test-booted in an autopkgtest please? [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking not applicable for this kind of code. - d/watch is present and looks ok - Upstream update history is good - Debian/Ubuntu update history is good - the current release is packaged - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - d/rules is rather clean - Does not have Built-Using [Upstream red flags] OK: - no Errors/warnings during the build - no incautious use of malloc/sprintf (as far as I can check it) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH - no use of user nobody - no use of setuid - no important open bugs (crashers, etc) in Debian or Ubuntu - no dependency on webkit, qtwebkit, seed or libgoa-* - not part of the UI for extra checks