Comment 5 for bug 1892559

[Summary]
This package needs some cleanup for better tests, symbols tracking and things
like lintian/dh_missing. No show stoppers thou, MIR Team kind-of-Ack under the
condition to try to improve these weak spots before promotion.
Please report here what has been done for that and summarize the new and
improved state of warnings and bugs to reduce concerns to get the final MIR Ack.

While the above isn't a full Ack yet it isn't too bad either. We don't have to
wait and block on it atm, this does needs a security review, so I'll assign
ubuntu-security now already.
Secuity manages MIR reviews via the subscription, to reflect that work is needed
in any case I'll set the state to incomplete also.

To be promoted to main: opensc + opensc-pkcs11

Required TODOs:
- some testing for the overall topic of smartcard usage as outlined in
  the ccid review
- subscribe a team to the bug (better now than later)
- plenty of libs, some seem internal, but still - please add symbols tracking
  where applicable to detect incompatibilities early
- check and resolve dh_missing
- too many crash bugs left, please do a bug squash and help to improve quality.
  Also see the suggestions below of "splitting the package" and "defined set
  of supported cards" to make this more manageable
Recommended TODOs:
- The tests at build time skip 3/4 subtests. Please evaluate if that can be
  improved.
- This package consists of many small tools, supporting (and thereby testing,
  recreating issues, ...) all of them can be hard. For supportability and
  install footprint it could be useful to check all these binaries and split
  some of them into an -extra package that will not be promoted.

[Duplication]
PKCS#15 card support providing PKCS#11 to the upper layers is the core piece
of opensc, this is the only SW doing that in the archive - no duplication.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning (many CVEs), but under control
  (all closed)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does parse data formats (from/to cards pkcs#15 and from/to higher layers
  pkcs#11)
- does deal with system authentication (eg, pam), etc)
  pam-pkcs#11 is directly involved with auth
=> It will need a security review

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard
- no new python2 dependency

Problems:
- the self tests it has at build time are mostly skipped
- does have a test suite that runs as autopkgtest
  (as discussed in ccid)
- The package has a team bug subscriber
  Do it early please!

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- d/rules is rather clean
- Does not have Built-Using

Problems:
- symbols tracking is not in place (some libs are reported without
  version at all - but that might be internal only libs)
  W: opensc-pkcs11: shared-library-lacks-version usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so onepin-opensc-pkcs11.so
  W: opensc-pkcs11: shared-library-lacks-version usr/lib/x86_64-linux-gnu/opensc-pkcs11.so opensc-pkcs11.so
  W: opensc-pkcs11: shared-library-lacks-version usr/lib/x86_64-linux-gnu/pkcs11-spy.so pkcs11-spy.so
- no massive Lintian warnings
  A few (see above) and in addition some dh_missing and missing man page
  warnings that should be looked after.

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

Problem:
- many open bugs (even crashers, etc) in Debian or Ubuntu
  https://bugs.launchpad.net/ubuntu/+source/opensc
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=yes&src=opensc
  There are plenty of bugs even segfaults, and from reading through them it
  might come back to what I predicted with the problem of various hardware.
  Again it might be worth to split the package and support&promotr only a
  subset.
  Also again please consider declaring somewhere formally a defined set of
  "supported cards" that you can really repro and test (on top of the promotion)