Review for Source Package: wsl-pro-service

The package is only available on Noble so far, so this review only applies to the Noble version. But I've created bug targets for Focal+ LTS releases as requested, to track future MIR process on the backports.

[Summary]
Wsl-pro-service serves as a bridge between the WSL agent running on Windows and Ubuntu instances. It controls the Pro and Landscape status.

The MIR was very nicely prepared and the package is in an overall good shape.

MIR team ACK (with some recommended TODOs)

This does need a security review

List of specific binary packages to be promoted to main: wsl-pro-service
Specific binary packages built, but NOT to be promoted to main:

Notes:
#0 This needs security review, due to statically built vendored dependencies, parsing JSON & gRPC data over a network socket and running a daemon as root.
#1 It depends on centralized "Ubuntu Pro" online accounts
#2 The upstream release process is a bit opaque (no releases tagged on github) and it only saw 2 uploads into Ubuntu so far, so it does not have a long track record.

Required TODOs:
- None

Recommended TODOs:
#3 Please investigate those lintian errors:
- E: wsl-pro-service source: missing-notice-file-for-apache-license [vendor/google.golang.org/grpc/
- E: wsl-pro-service source: missing-notice-file-for-apache-license [vendor/gopkg.in/yaml.v3/NOTICE]
#4 Please investigate this build-time warning:
- dpkg-gencontrol: warning: Built-Using field of package wsl-pro-service: substitution variable ${misc:Built-Using} used, but is not defined

[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality.
A team is committed to own long term maintenance of this package. (~desktop-packages)
The rationale given in the report seems valid and useful for Ubuntu (WSL)

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- Go Package that follows the Debian Go packaging guidelines
- vendoring is used, but the reasoning is sufficiently explained
- golang: static builds are used, the team confirmed their commitment to the additional responsibilities implied by static builds.
- not a rust package, no extra constraints to consider in that regard
- Includes vendored code, the package has documented how to refresh this code at:
  https://github.com/canonical/ubuntu-pro-for-wsl/blob/main/wsl-pro-service/debian/update-internal-dependencies

Problems:
- embedded source present
- static linking
- does have Built-Using entries

[Security]
OK:
- history of CVEs does not look concerning (but it's a very recent package)
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- this makes appropriate (for its exposure) use of established risk mitigation features (dropping permissions, using temporary environments, restricted users/groups, seccomp, systemd isolation features, apparmor, ...)

Problems:
- This is a very recent package, without CVE history
- Running a daemon as root
- does parse data formats (files [json], network packets, structures, ...) from an untrusted source. (gRPC from Windows)
- does expose any external endpoint (port/socket/... or similar): gRPC from Windows
- does use centralized online accounts: Ubuntu Pro
- does deal with cryptography: mangles Landscape SSL certificates

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- Not a Python package
- Go package, but using dh-golang

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- debian/watch is not present but also not needed (e.g. native)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- Upstream update history is sporadic (no releases tagged on github)
- Debian/Ubuntu update history is sporadic (only 2 uploads so far)
- Lintian errors:
  E: wsl-pro-service source: missing-notice-file-for-apache-license [vendor/google.golang.org/grpc/
  E: wsl-pro-service source: missing-notice-file-for-apache-license [vendor/gopkg.in/yaml.v3/NOTICE]

[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- translation present, but none needed for this case

Problems:
- some usage of "unsafe" code, especially in vendored dependencies
- Warnings during the build
  dpkg-gencontrol: warning: Built-Using field of package wsl-pro-service: substitution variable ${misc:Built-Using} used, but is not defined
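The two lintian errors listed under Recommended TODO #3 and under [Packaging red flags] both point at a vendored module whose Apache-2.0 NOTICE file is present in the source tree but not shipped with the binary package. The following script is an added example for checking that condition before upload; it is not part of the review or of the ubuntu-pro-for-wsl packaging. It assumes a Go vendor tree laid out as vendor/<module>/{LICENSE,NOTICE} and that shipped notices would land at <docdir>/<module>/NOTICE; both paths are assumptions to adjust for a real package, and the sample tree it builds is constructed, not the real vendor directory.

```shell
#!/bin/sh
# Added example (not from the MIR review or the ubuntu-pro-for-wsl project):
# list vendored Go modules under an Apache-2.0 LICENSE whose NOTICE file is not
# shipped in the package's doc directory. This is the situation lintian's
# missing-notice-file-for-apache-license tag reports (Apache-2.0 section 4(d)
# requires redistributing NOTICE when the licensor ships one).
# Assumed layout: vendor/<module>/{LICENSE,NOTICE}; shipped copy expected at
# <docdir>/<module>/NOTICE. Adjust both for the real package.

# Usage: find_missing_notices VENDOR_DIR DOC_DIR
# Prints one module path per line for each Apache-2.0 module that carries a
# NOTICE file which is absent from DOC_DIR. Modules under other licenses are
# skipped even if they happen to contain a NOTICE file.
find_missing_notices() {
    vendor=$1
    docdir=$2
    find "$vendor" -type f -name NOTICE | sort | while IFS= read -r notice; do
        moddir=$(dirname "$notice")
        [ -f "$moddir/LICENSE" ] || continue
        grep -q 'Apache License' "$moddir/LICENSE" || continue
        rel=${moddir#"$vendor"/}
        [ -f "$docdir/$rel/NOTICE" ] || printf '%s\n' "$rel"
    done
}

# Build a constructed sample tree (NOT the real package) with three modules:
#  - gopkg.in/yaml.v3:        Apache-2.0, NOTICE present, NOT shipped -> reported
#  - google.golang.org/grpc:  Apache-2.0, NOTICE present and shipped  -> quiet
#  - example.org/mitmod:      MIT, has a stray NOTICE file             -> quiet
# Prints the temporary root directory; the caller removes it.
make_sample_tree() {
    root=$(mktemp -d)
    for m in gopkg.in/yaml.v3 google.golang.org/grpc example.org/mitmod; do
        mkdir -p "$root/vendor/$m"
        printf 'NOTICE for %s (constructed sample)\n' "$m" > "$root/vendor/$m/NOTICE"
    done
    printf 'Apache License\nVersion 2.0, January 2004\n' > "$root/vendor/gopkg.in/yaml.v3/LICENSE"
    printf 'Apache License\nVersion 2.0, January 2004\n' > "$root/vendor/google.golang.org/grpc/LICENSE"
    printf 'MIT License\n' > "$root/vendor/example.org/mitmod/LICENSE"
    mkdir -p "$root/doc/google.golang.org/grpc"
    cp "$root/vendor/google.golang.org/grpc/NOTICE" "$root/doc/google.golang.org/grpc/NOTICE"
    printf '%s\n' "$root"
}

root=$(make_sample_tree)
echo "Apache-2.0 modules whose NOTICE is not shipped:"
find_missing_notices "$root/vendor" "$root/doc"
rm -rf "$root"
```

Run against a real build, point the second argument at the unpacked binary package's doc directory (or wherever debian/*.install places the notices); an empty result means every Apache-2.0 NOTICE in vendor/ is accounted for and the lintian tag should no longer fire.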