[Summary] This package is acceptable for MIR, with 2 concerns: 1) There has been no upstream release in years and neither Debian nor Ubuntu has actively pulled upstream bug fixes since the last upstream release. I would prefer to see more upstream bug fixes pulled into the Debian (and/or Ubuntu) package. Obviously, it would also be good for upstream to produce a new release, but that's out of scope here. 2) The 'realm' command may install other packages (e.g. adcli or samba) as needed, which is not ideal; I would prefer needed packages are added as actual dependencies. However, since needed packages can vary based on configuration (i.e. adcli or samba), it is arguably ok to attempt to install only needed deps from the 'realm' command. I would prefer if all packages that might be installed are listed as Recommends: so it's clear from the packaging perspective.
This does need a security review, so I'll assign ubuntu-security after the next MIR team mtg, if the team agrees with my review. Notes/TODOs: As I'm new to the MIR team, I am making this approval conditional on MIR team review of my review at the next MIR team mtg. [Duplication] - There is no other package in main providing the same functionality - Note: it is possible perform manual configuration/steps for similar functionality; this package automates and simplifies much of the manual work. [Dependencies] OK: - no other Dependencies to MIR due to this - does have Build-Depends: in universe, but all runtime deps are in main - no -dev/-debug/-doc packages that need exclusion [Embedded sources and static linking] OK: - no embedded source present - Note, see Upstream red flags section - no static linking [Security] OK: - history of CVEs does not look concerning - does not use webkit1,2 - does not use lib*v8 directly - does not open a port - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop Problems: - does parse data formats - does run a daemon as root - does deal with system authentication (eg, pam), etc) [Common blockers] OK: - does not FTBFS currently - does have a test suite that runs at build time - test suite fails will fail the build upon error. - added forced error to src pkg to verify - The package has a team bug subscriber - MIR requestor is subscribed to all realmd bugs in Ubuntu - translation is present - not a python package, no extra constraints to consider int hat regard - does include a single python3 script, but used only for build testing - no new python2 dependency - not golang package Problems: - does not have a test suite that runs as autopkgtest - this is probably ok, since there are build-time tests run, and this is a relatively simple package [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking not applicable for this kind of code. - does not provide any libs - d/watch is present and looks ok - the current release is packaged - However, as noted in Problems, last upstream relase was ~3.5 years ago - promoting this does not seem to cause issues for MOTUs that so far maintained the package - All maintenance work has been done in Debian, not Ubuntu - no massive Lintian warnings - d/rules is rather clean - Does not have Built-Using - Not Go Package Problems: - Upstream update history is slow - however, it is steady and consistent - of concern is last upstream release was ~3.5 years ago - Debian update history is slow - all Debian updates since last upstream release are fixes for build or test failures - does not appear to contain any bug fixes from upstream git since last upstream release - Ubuntu update history is nonexistent - no Ubuntu patches to package since Trusty [Upstream red flags] OK: - no incautious use of malloc/sprintf (as far as I can check it) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH - no use of user nobody - no use of setuid - no dependency on webkit, qtwebkit, seed or libgoa-* - not part of the UI for extra checks Problems: - single Errors during the build - manpage xml uses missing linkend ref; this is a minor issue that doesn't prevent manpage creation and can be ignored, but also could be easily fixed - embedded source file present - this embeds 'tap-driver' script from the 'cockpit' project, but it is used only for build-time testing. - important open bugs (crashers, etc) in Debian or Ubuntu - https://bugs.launchpad.net/ubuntu/+source/realmd/+bug/1333694 this does not appear to still be a bug in the latest release ** Changed in: realmd (Ubuntu) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1868154 Title: [MIR] realmd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/realmd/+bug/1868154/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs