Comment 12 for bug 1746772

Christian Ehrhardt  (paelzer) wrote :

This is a special case, as we have the newer versions already in main in Bionic.
Therefore the evaluation checks if the older version has CVEs, packaging issues and such - but it is not a full re-evaluation.

[Duplication]
No duplication, this is the python entrypoint for macaroons handling

[Embedded sources and static linking]
- no embedded sources
- no static linking
- no golang

[Security]
This is one of the biggest parts of the re-check as we need to ensure that the older version has no known or unmaintainable deficiencies
But it seems fine - no existing CVEs associated.

It still is security sensitive, as its purpose is to handle tokens that entitle users of a given feature.
Therefore I'd want an ack by the ubuntu-security team - which given it is a re-review should go fast as well.

[Common blockers]
- builds fine in Xenial last time, I asked for a rebuild to prove that also trusty will be fine
- no tests at build time, but then this is only re-evaluating and the version in Bionic has no more
- the maas team is already subscribed to the package
- no user visible output that needs translation
- only python3 dependencies are used (but then for Xenial/Trusty this wouldn't even be important)
- dh_python is in use

[Packaging red flags]
- no Ubuntu delta (the ubuntu1 comes by being a backport already)
- python library, no symbols management needed
- debian/watch present
- updates were ok so far (it isn't moving too fast though)
- no massive Lintian warnings
- very clean d/rules (almost only dh @)

[Upstream red flags]
- no build errors on the Xenial version that will be added to main
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no open bugs
- no dependency on webkit, qtwebkit, seed or libgoa-*

Note on the Versions:
This will use the version 0.9.2 in Xenial for X&T, I checked the git log of https://github.com/ecordell/pymacaroons.git
Obviously there are fixes/improvements, but no blockers and nothing that would right now outweigh the SRU risk of pushing the newer version.
The only relevant one seems to be "verification for nested third party caveats", which ua-tools (triggering this MIR) needs to check if they can live with it.
I discussed this already and tests with the version in Xenial as-is are good.

Security already monitors this and there are no major changes in place - therefore no security re-check needed.
Version differences of 0.9.2-0ubuntu1 in Xenial (and eventually Trusty) instead of the 0.13.0-1 that is in main are not too big as the package is mostly a wrapper for NaCl/Sodium functionality.

[Summary]
As expected - since the newer versions are already in main - this wasn't too critical.
After comparing the differences of the version in main in bionic to what shall be promoted in Xenial/Trusty there were no blockers identified.

TODOs:
@Chad - since this wasn't built for a long time in Xenial and never before in Trusty, could you please provide a PPA that builds the set of three packages in both releases?
Assigned to Chad until PPAs are provided - once builds are shown to be good on X&T this can be approved.