[MIR] twitter-bootstrap3 as dependency of mailman3
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
twitter-bootstrap3 (Ubuntu) | In Progress | Undecided | Unassigned |
Bug Description
[Availability]
The package has been in universe for quite a while and builds/works fine so far.
It is for example already used for https:/
OTOH it seems to be a pretty common project https:/
For the mailman stack we'd pull in both binaries for fonts-glyphicon
[Rationale]
This is part of the MIR activity for all dependencies of mailman3
The "main" MIR for it is bug 1775427:
Mailman (2) has only python2 support, but we strive for python3;
therefore Mailman3, which has python3 support, should be promoted to main.
I know this is dragging in a lot of components, but mailman3 was re-implemented
using common frameworks, and that means django, node, ...
[Security]
This is one of the components of the overall mailman3 stack that is not looking so good.
We know of 7 CVEs, of which only one is known to be fixed.
The rest would need analysis and triage to be sure.
=> https:/
When checking on Mitre, almost all of them are listed as "before 3.4", and Disco is on 3.4.0.
=> http://
That leaves open:
=> http://
It is up to the Security Team to rate that and clarify whether the version we have is affected or whether the problem is not important.
Note: The archive also has libjs-bootstrap4 4.3.1, but upstream seems to continue both series.
So we can follow Debian/
[Quality assurance]
As part of the mailman3 stack as of now (Disco), this installs fine and works fine.
On its own it is useful to (many) other dependencies and does not need post-install configuration.
The package does not ask debconf questions.
No known bug in Ubuntu for this.
Debian has three non-important, low-priority bugs open.
Upstream seems very active (or they had spammers in their issue tracker), but there are 295 open and 18007 closed bugs.
But there are also 64k forks of the project, so the numbers above might be true and this is important to our community?!
Yet to answer is whether they want/need an in-archive version; I don't know their usual delivery model well enough.
The package seems to get regular updates by upstream and Debian.
No exotic HW involved.
The package does ship a few unit tests in js/tests/unit/, but they are not run during the build.
It recently added autopkgtests which compress (and thereby check) the created .js files.
No Lintian warnings except a few newer Standards/Compat versions and watch GPG checks - nothing severe.
The package does not rely on demoted or obsolete packages.
Although there is a new major version, twitter-bootstrap4, and we might want to ensure that we are on the latest track and do not get bit-rot with v3.
Whether we need this for the promotion is up to the Security Team (see the section above), but I have marked it as an optional pre-20.04 task already.
No new gt2k dependencies
[UI standards]
Internationaliz
I haven't found the code for it, but it seems at least to exist "some way"
No end-user applications that need a standards-conformant desktop file.
[Dependencies]
Some dependencies are not in main, but we drive MIR for all related packages
that are not in main at the same time.
Please check the list of bugs from the main Mailman3 MIR in bug 1775427 to get an overview.
[Standards compliance]
The package meets the FHS and Debian Policy standards.
The packaging itself is complex as well, with many special cases.
Nothing totally insane, fortunately, but more potential bits to understand when providing service.
[Maintenance]
The Server team will subscribe for the package for maintenance
[Background]
The package description explains the general purpose and context of the package well.
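The version check sketched in the [Security] section above (Mitre lists most entries as "before 3.4", Disco ships 3.4.0, one entry stays open) is easy to get wrong by eye when package versions carry epochs, "+dfsg" suffixes and Debian revisions. The following is an added example and not code from this bug report, from Bootstrap or from the Ubuntu MIR tooling; the records are constructed placeholders with made-up identifiers and bounds, not the real CVEs the report refers to, and the version comparison is a simplified upstream-only ordering, not dpkg's full algorithm.

```python
"""Triage "affected before X" listings against an installed Debian version.

Added example (not part of the Launchpad bug). The RECORDS below are
constructed placeholders; the identifiers and bounds are NOT real CVEs.
"""
import re

# Constructed placeholder records. "affected_before" mirrors Mitre's
# "before X" wording; None means the listing gives no version bound and
# the record must be triaged by hand.
RECORDS = [
    {"id": "EXAMPLE-1", "affected_before": "3.4"},
    {"id": "EXAMPLE-2", "affected_before": "3.4"},
    {"id": "EXAMPLE-3", "affected_before": "3.4.0"},
    {"id": "EXAMPLE-4", "affected_before": None},
    {"id": "EXAMPLE-5", "affected_before": "3.4.2"},
]

NOT_AFFECTED = "not affected: installed version is not before the listed bound"
NEEDS_TRIAGE = "open: needs analysis"


def upstream_key(version):
    """Reduce a Debian version string to a comparable tuple of its upstream part.

    Strips the epoch ("1:"), the Debian revision ("-1") and a "+dfsg"-style
    suffix, splits on dots, and drops trailing zero components so that
    "3.4" and "3.4.0" compare equal. Simplified ordering, not dpkg's.
    """
    if ":" in version:
        version = version.split(":", 1)[1]
    version = version.rsplit("-", 1)[0]
    version = version.split("+", 1)[0]
    parts = []
    for token in version.split("."):
        m = re.fullmatch(r"(\d*)(.*)", token)
        num = int(m.group(1)) if m.group(1) else -1
        parts.append((num, m.group(2)))
    while parts and parts[-1] == (0, ""):
        parts.pop()
    return tuple(parts)


def is_affected(installed, affected_before):
    """True when installed < affected_before, i.e. Mitre's "before X" matches."""
    return upstream_key(installed) < upstream_key(affected_before)


def triage(installed, records):
    """Map each record id to NOT_AFFECTED or NEEDS_TRIAGE for the given version."""
    result = {}
    for rec in records:
        bound = rec["affected_before"]
        if bound is None or is_affected(installed, bound):
            result[rec["id"]] = NEEDS_TRIAGE
        else:
            result[rec["id"]] = NOT_AFFECTED
    return result


if __name__ == "__main__":
    # Disco-style version string for the 3.4.0 upstream release (constructed).
    for rec_id, verdict in triage("3.4.0+dfsg-1", RECORDS).items():
        print(rec_id, "->", verdict)
```

Records with no upper bound are deliberately left open rather than silently marked clear; that is the case the report says the Security Team still has to rate.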
Changed in twitter-bootstrap3 (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
FYI: the package is also:
a) more complex
b) more likely to be a Deny, or at least to have extra work triggered
Therefore, at next week's meeting, I'm passing the review of this one to a fellow MIR team member.