[Summary]
This package is acceptable for MIR, with 2 concerns:

1) There has been no upstream release in years and neither Debian nor
   Ubuntu has actively pulled upstream bug fixes since the last upstream
   release.  I would prefer to see more upstream bug fixes pulled into
   the Debian (and/or Ubuntu) package.  Obviously, it would also be good
   for upstream to produce a new release, but that's out of scope here.
2) The 'realm' command may install other packages (e.g. adcli or samba)
   as needed, which is not ideal; I would prefer needed packages are
   added as actual dependencies.  However, since needed packages can
   vary based on configuration (i.e. adcli or samba), it is arguably
   ok to attempt to install only needed deps from the 'realm' command.
   I would prefer if all packages that might be installed are listed
   as Recommends: so it's clear from the packaging perspective.

This does need a security review, so I'll assign ubuntu-security after
the next MIR team mtg, if the team agrees with my review.

Notes/TODOs:
As I'm new to the MIR team, I am making this approval conditional on
MIR team review of my review at the next MIR team mtg.

[Duplication]
- There is no other package in main providing the same functionality
  - Note: it is possible perform manual configuration/steps for
    similar functionality; this package automates and simplifies much
    of the manual work.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - does have Build-Depends: in universe, but all runtime deps are in main
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
  - Note, see Upstream red flags section
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does parse data formats
- does run a daemon as root
- does deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
    - added forced error to src pkg to verify
- The package has a team bug subscriber
  - MIR requestor is subscribed to all realmd bugs in Ubuntu
- translation is present
- not a python package, no extra constraints to consider int hat regard
  - does include a single python3 script, but used only for build testing
- no new python2 dependency
- not golang package

Problems:
- does not have a test suite that runs as autopkgtest
  - this is probably ok, since there are build-time tests run, and this
    is a relatively simple package

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
  - does not provide any libs
- d/watch is present and looks ok
- the current release is packaged
  - However, as noted in Problems, last upstream relase was ~3.5 years ago
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
  - All maintenance work has been done in Debian, not Ubuntu
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- Not Go Package

Problems:
- Upstream update history is slow
  - however, it is steady and consistent
  - of concern is last upstream release was ~3.5 years ago
- Debian update history is slow
  - all Debian updates since last upstream release are fixes for
    build or test failures
  - does not appear to contain any bug fixes from upstream git since
    last upstream release
- Ubuntu update history is nonexistent
  - no Ubuntu patches to package since Trusty

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Problems:
- single Errors during the build
  - manpage xml uses missing linkend ref; this is a minor issue that doesn't
    prevent manpage creation and can be ignored, but also could be easily fixed
- embedded source file present
  - this embeds 'tap-driver' script from the 'cockpit' project,
    but it is used only for build-time testing.
- important open bugs (crashers, etc) in Debian or Ubuntu
  - https://bugs.launchpad.net/ubuntu/+source/realmd/+bug/1333694
    this does not appear to still be a bug in the latest release

** Changed in: realmd (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868154

Title:
  [MIR] realmd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/realmd/+bug/1868154/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to