Comment 1 for bug 1990581

Review for Package: src:ruby-daemons

[Summary]
ruby-daemons is a wrapper which can put any ruby script into a daemonized
background process. Having approximately 188M downloads on rubygems.org
(as of Nov. 2022) it seems to be a quite popular gem.

MIR team ACK

This does not need a security review

List of specific binary packages to be promoted to main: ruby-daemons
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
- I was a bit concerned about Ruby's autodep8 tests being marked "skippable", as that could lead to (certain) test failures being treated as "neutral" and migrating broken packages. After reading a bit more into man
gem2deb-test-runner(1), I feel confident it should be working as expected.

- I am also concerned about the sporadic update history of ruby-daemons. There
seems to be not too much upstream activity and the package was just bumped to
the recent version for this MIR, skipping several years of updates in between.
It seems to be a pretty popular gem, though, and I hope we can improve the
update situation going forward, having the package in main and @lucaskanashiro
being the Debian maintainer as well.

Required TODOs: None \o/

Recommended TODOs:
#0 The package should get a team bug subscriber before being promoted
#1 warning during build (not sure if we can/should do anything about that):
dpkg-gencontrol: warning: Depends field of package ruby-daemons: substitution variable ${shlibs:Depends} used, but is not defined

[Duplication]
There is no other package in main providing the same functionality.
There are plenty of daemonizing gems available for ruby, some of which are in
the Ubuntu archive, too: https://www.ruby-toolbox.com/categories/daemonizing
None of those is in main, though.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems: None

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency
- no Python package
- no Go package

Problems:
- autodep8/autopkgtest-pkg-ruby/gem2deb-test-runner SKIPPABLE 77: https://<email address hidden>/msg07449.html

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- Upstream update history is sporadic
- Debian/Ubuntu update history is sporadic

[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems: None
- dpkg-gencontrol: warning: Depends field of package ruby-daemons: substitution variable ${shlibs:Depends} used, but is not defined