[MIR] raqm

Bug #1951069 reported by Lukas Märdian
Affects: raqm (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Didier Roche-Tolomelli

Bug Description

[Availability]
The package is already in universe.

[Rationale]
The package is a new dependency of pillow, which is already in main.

[Security]
There are currently no CVEs mentioning raqm, and the project is actively maintained upstream.

[Quality assurance]
There are no currently outstanding bugs in Launchpad for the package, there is a good test suite within the project itself (which is run during the build), and the package includes a build test for autopkgtest.

[UI standards]
Only applicable insofar as raqm adds advanced text layout capabilities to the Pillow library.

[Dependencies]
The build+installation dependencies of the library are:
* freetype -- already in main
* fribidi -- already in main
* harfbuzz -- already in main

[Standards compliance]
The package installs its libraries in the typical location (e.g. /usr/lib/x86_64-linux-gnu/ on a PC).

[Maintenance]
The package will be maintained by the Ubuntu Foundations team.

[Background information]
The Pillow package cannot currently migrate due to component mismatch errors as raqm is a new dependency added in Pillow 8.2.0 (or more specifically Pillow 8.2.0 "link[ed] against the system version of libraqm at build time rather than at runtime by default").

Tags: jammy
Changed in raqm (Ubuntu):
status: New → Incomplete
Dave Jones (waveform)
description: updated
Changed in raqm (Ubuntu):
status: Incomplete → New
Changed in raqm (Ubuntu):
assignee: nobody → Didier Roche (didrocks)
Didier Roche-Tolomelli (didrocks) wrote :

Review for Package: raqm

[Summary]
MIR team ACK, under the constraint that the autopkgtests possible enhancements are a little bit more explored (see below) and that check (I didn’t see any rationale in the request) on why raqm hasn’t been updated despite having new releases for a year now.

Recommended TODOs:
- check if the autopkgtests can be enhanced
- check why 0.7.1 and 0.7.2 are available (from Nov 2020 for the former) without any update on debian/ubuntu. As the package hasn’t changed for multiple releases. I think those fixes are not distro-patched either.

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the (potentially auto-generated) dependencies (Depends
  and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries

OK:
- not a go package, no extra constraints to consider in that regard
- No vendoring used, all Built-Using are in main

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- no new python2 dependency

Problems:
- the autopkgtest test is trivial: build it, run it, don’t check the output. Can we maybe check the output given known inputs and see what is returned is expected?

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is slow, but seems in maintenance mode
- Debian/Ubuntu update history is slow
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings (only older lintian version used)
- d/rules is rather clean
- It is not on the lto-disabled list
  (fix, or the work-around should be directly in the package,
  see https://launchpad.net/ubuntu/+source/lto-disabled-list)

Problems:
- the current release and previous one are not packaged. The previous release is more than one year old.

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit,...


Changed in raqm (Ubuntu):
status: New → Incomplete
Dave Jones (waveform) wrote :

Thanks for the swift review!

- check if the autopkgtests can be enhanced

I could add an autopkgtest to re-run the full test suite, but given the full test suite is already executed during the build itself, I'm not sure how much extra safety that buys us?

- check why 0.7.1 and 0.7.2 are available (from Nov 2020 for the former) without any update on debian/ubuntu. As the package hasn’t changed for multiple releases. I think those fixes are not distro-patched either.

Looking at the upstream history it would appear that (so far) they've only dealt with bumps to the minor version (0.3, 0.5, 0.6, 0.7) and not to sub-minor releases (0.7.1). To see whether that results in missing anything important, I dug into the two releases that are currently not packaged:

Looking at the changes from 0.7.0 to 0.7.1 (https://github.com/HOST-Oman/libraqm/compare/v0.7.0...v0.7.1) it's entirely housekeeping (changing library requirements to fit their CI requirements), adding bits for other platform builds (macOS, Fedora), and removing legacy requirements (python 2; which was already patched upstream). In other words, I can understand why upstream didn't see a pressing need to package it yet (it doesn't fix any bugs, nor add any new functionality, and given the existence of the py3 patch, it doesn't remove any awkward build-deps either, though arguably it would remove the single patch against the orig-tar).

0.7.1 to 0.7.2 is rather more interesting (https://github.com/HOST-Oman/libraqm/compare/v0.7.1...v0.7.2), but also considerably more recent having only been released at the end of September this year. It does fix several bugs, but the majority of the changes are to do with the addition of the meson build system (and deprecation of autotools for future releases). The (relevant) bugs fixed are a failure with newer harfbuzz libraries (https://github.com/HOST-Oman/libraqm/issues/135), beyond the harfbuzz version currently in Debian/Ubuntu, leaving just the spacing of color emojis (https://github.com/HOST-Oman/libraqm/issues/123).

Lukas Märdian (slyon)
Changed in raqm (Ubuntu):
status: Incomplete → New
Didier Roche-Tolomelli (didrocks) wrote :

Sorry for the delayed response, but EOY holidays and such :)

Ack on the new versions. If you can see if we should backport some of the fixes in 0.7.2, I will let that to you…

On the autopkgtests, the question is how to protect raqm from its dependencies. If a dependency is changing, then only the autopkgtests will be rerun and we will notice any regression. This is in that sense (not in any upload itself, as indeed, this will technically run the same tests twice under the same condition: test during build and test during autopkgtests). However, this protects you in case of a dependency breaking raqm. Does it make sense? If the tests are only unit tests (but it seemed it uses some libraries), feel free to inform me and we can disregard (however, we will thus need a manual test plan as per MIR template request).

Changed in raqm (Ubuntu):
status: New → Incomplete
Dave Jones (waveform) wrote :

No problem on the delay :)

Looking at the 0.7.2 version I'm happy to ignore it for now. There are only two changes: one bug fix for spacing in emojis (minor) and the other fixes an ftbfs for libharfbuzz versions that aren't yet packaged in Debian/Ubuntu (in other words, there's no harm waiting for these to trickle through).

Good point on the autopkgtests -- I've opened LP: #1956769 to add a test to re-run the test suite for autopkgtest. As noted it'll mean some redundancy during builds but it's a pretty trivial package so that's no big deal.

Didier Roche-Tolomelli (didrocks) wrote :

ack, keep me posted once the autopkgtests are uploaded and I’m happy to ack the MIR :)

Dave Jones (waveform) wrote :

@didrocks LP: #1956769 has now been kindly sponsored by slyon; hopefully this should be good to go!

Didier Roche-Tolomelli (didrocks) wrote :

Excellent, thanks @waveform! MIR team ack. Promoting it right away as pillow is trying to pull it already.

Changed in raqm (Ubuntu):
status: Incomplete → Fix Committed
Didier Roche-Tolomelli (didrocks) wrote :

raqm 0.7.0-4ubuntu1 in jammy: universe/misc -> main
libraqm-dev 0.7.0-4ubuntu1 in jammy amd64: universe/libdevel/optional/100% -> main
libraqm-dev 0.7.0-4ubuntu1 in jammy arm64: universe/libdevel/optional/100% -> main
libraqm-dev 0.7.0-4ubuntu1 in jammy armhf: universe/libdevel/optional/100% -> main
libraqm-dev 0.7.0-4ubuntu1 in jammy ppc64el: universe/libdevel/optional/100% -> main
libraqm-dev 0.7.0-4ubuntu1 in jammy riscv64: universe/libdevel/optional/100% -> main
libraqm-dev 0.7.0-4ubuntu1 in jammy s390x: universe/libdevel/optional/100% -> main
libraqm0 0.7.0-4ubuntu1 in jammy amd64: universe/libs/optional/100% -> main
libraqm0 0.7.0-4ubuntu1 in jammy arm64: universe/libs/optional/100% -> main
libraqm0 0.7.0-4ubuntu1 in jammy armhf: universe/libs/optional/100% -> main
libraqm0 0.7.0-4ubuntu1 in jammy ppc64el: universe/libs/optional/100% -> main
libraqm0 0.7.0-4ubuntu1 in jammy riscv64: universe/libs/optional/100% -> main
libraqm0 0.7.0-4ubuntu1 in jammy s390x: universe/libs/optional/100% -> main
Override [y|N]? y
13 publications overridden.

Changed in raqm (Ubuntu):
status: Fix Committed → Fix Released