Comment 13 for bug 1892559
Revision history for this message
| Christian Ehrhardt (paelzer) wrote Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite | #13 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
## pcsc-lite ##
[Summary]
Mir Team ACK under the condition that the required TODOs are resolved.
While the owning Team should look at that security can already start
a review.
This does need a security review, so I'll assign ubuntu-security
list specific binary packages to be promoted to main: pcscd, libpcsclite1
Clarifications:
- @Seth - the filing is done as if one would only need libpcsclite1 but Joy
said in comment #12 that pcscd is also needed.
Could you clarify which is true as the security risk increases if we add
the daemon as well.
For now I'll go on as if the daemon would be part of it.
Required TODOs:
- The package has no team bug subscriber - please fix
- Please look into open bugs and crashes before we promote.
Do a bug-scrub and ensure we know what is outdated and no more true
and what else is still an issue. This can be seen as preview to the
latter maintenance - so don't skip all of them due to "don't have
the HW" :-)
[Duplication]
There is no other package in main providing the same functionality.
Note: Joy checked if the other bits can do it without but it is required.
See comment #12.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- one -dev package that will be auto-promoted but no bad deps from there
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
[Security]
OK:
- history of CVEs does not look too concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
Problems:
- does parse data formats
- does open a port
- does deal with system authentication (eg, pam), etc)
This needs a security review, before doing so please clarify if the daemon
pcscsd is part of the scope.
[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider int hat regard
Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
We have talked about tests before, no reason to re-iterate
- The package has no team bug subscriber - please fix
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks