I reviewed ruby-childprocess 4.1.0-1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability. > Cross-platform Ruby library for managing child processes. - CVE History: - none - CVE-2021-23352 is not related to Ruby or ruby-childprocess - upstream GitHub issue tracker is extremely well maintained - no Security Policy and no contact info in README - Build-Depends? - lunar main - debhelper-compat (debhelper) - glibc (locales-all) - procps - lunar universe - gem2deb - ruby-rspec - ruby-coveralls - ruby-ffi - yard - pre/post inst/rm scripts? - none - init scripts? - none - systemd units? - none - dbus services? - none - setuid binaries? - none - binaries in PATH? - none - sudo fragments? - none - polkit files? - none - udev rules? - none - unit tests / autopkgtests? - has autopkgtests - passing for >= jammy - contains some build tests - cron jobs? - cron - Build logs: - nothing significant - Processes spawned? - childprocess has many process functions - e.g., - ./lib/childprocess.rb defines close_on_exec() - ./lib/childprocess/unix/fork_exec_process.rb - ./lib/childprocess/unix/posix_spawn_process.rb - exit result checks could be added - e.g., will a forked process run properly if @io or @cwd are false? - these modules _should_ exist, what happens when `if` statements are removed - generator.rb's execute() compiles arbitrary C code - assuming this is trusted input - downstream MIRs must be check if input is safe - otherwise looks okay - Memory management? - heavy use of FFI - commit d9b1580 is for Rubinus only - allocating memory size appears safe - File IO? - FileActions class wraps file IO functions - part of library - PosixSpawnProcess and Generator class' file use looks safe - Logging? - raises FFI errors where pertinent - errors defined in lib/childprocess/errors.rb - Environment variable usage? - env variables are managed when forking processes - generator reads CC - Use of privileged functions? - none - Use of cryptography / random number sources etc? - none - Use of temp files? - none - Use of networking? - none - Use of WebKit? - none - Use of PolicyKit? - none - Any significant cppcheck results? - none - Any significant Coverity results? - none - Any significant shellcheck results? - none - Any significant bandit results? - none - Any significant rubocop results? - none - rubocop complains about eval in spec files Project is well maintained. Some error message include a url asking users to file GitHub issues, +1 Many functions, such as close_on_exec(), support using jruby. jruby is listed as a requirement in upstream's README. It is not part of the d/control. Files dedicated to jruby in ruby-childprocess require java. Comments in the code mention that jruby has edgecases that need to be handled. jruby exclusive code was not reviewed. I tested a patch that removed lib/childprocess/jruby* and it built--no further testing was attempting. Please consider removing jruby. ruby-childprocess' generator.rb is dangerous in the same way that ruby-ffi is. Each effectively provides a C compiler at runtime. It would be great if this feature was not needed. Security team ACK for promoting ruby-childprocess to main.