[Summary]
This is a small package that provides only a bash script and some
kernel postinst/prerm hooks.
There are no concerning problems with the package, so ACK from MIR team.
As this script deals with configuration of the boot-time menu, and thus
affects code started at boot time, this does need a security review,
so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: u-boot-menu
Notes:
There are 2 identified issues (aside from needing security review),
as listed in the details below, but I don't feel either are
important enough to block MIR:
1. There is no build-time or autopkgtest test cases, but this is a
single simple script.
2. The Ubuntu devel version lags behind Debian but only by a single
minor version.
[Duplication]
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
[Security]
OK:
- no CVEs found
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
Problems:
- does involve control of boot
[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber
- no translation present, but none needed for this case
- not a python/go package, no extra constraints to consider int hat regard
Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch not applicable, native package
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- Not Go Package
Problems:
- the current release is not packaged in hirsute, but 1 minor version behind
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
[Summary]
This is a small package that provides only a bash script and some
kernel postinst/prerm hooks.
There are no concerning problems with the package, so ACK from MIR team.
As this script deals with configuration of the boot-time menu, and thus
affects code started at boot time, this does need a security review,
so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: u-boot-menu
Notes:
There are 2 identified issues (aside from needing security review),
as listed in the details below, but I don't feel either are
important enough to block MIR:
1. There is no build-time or autopkgtest test cases, but this is a
single simple script.
2. The Ubuntu devel version lags behind Debian but only by a single
minor version.
[Duplication]
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
[Security]
OK:
- no CVEs found
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
Problems:
- does involve control of boot
[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber
- no translation present, but none needed for this case
- not a python/go package, no extra constraints to consider int hat regard
Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch not applicable, native package
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- Not Go Package
Problems:
- the current release is not packaged in hirsute, but 1 minor version behind
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks