[Summary]
This is a small and safe library, mostly based on code that was in main before.
It is ok to be promoted (MIR Team Ack) once the following points are resolved.
Incomplete until those are resolved ...

Required before promotion:
- the foundations-team needs to be subscribed to src:libubootenv.

Optional, but recommended before promotion:
- fix d/watch
- provide a symbols file even for a 0.1 lib if it seems reasonable

[Duplication]
OK:
Function wise this has two purposes:
- library (doesn't exist in other places)
- tools fw_printenv fw_setenv were in u-boot but removed from there.
No duplication issue

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- a -dev package that seems ok to promote as well

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

Problems:
- does parse data formats, but in a really non-intrusive way
  and based on u-boot code that already was reviewed and in main.
  That alone doesn't make it need a security review IMHO.

[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider in that regard
- no new python2 dependency
- No Python/Go package

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest

This is a bit weak, but I agree that it is tested in all
the arm/Pi booting implicitly.

- The package has a team bug subscriber
That is a real issue that needs to be fixed before promotion

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- Upstream update history is (good/slow/sporadic)
- Debian/Ubuntu update history is (good/slow/sporadic)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

Problems:
- symbols tracking not applicable for this kind of code.
  Yeah it could be done, but it is intentionally a 0.1 to reflect it
  isn't stable yet
  Nevertheless it is almost no cost and helps to realize changes
- d/watch is present and looks ok
  The current entries do not work
  uscan info: Requesting URL:
   https://github.com/sbabic/libubootenv
  uscan info: Matching pattern:
     (?:(?:https://github.com)?\/sbabic\/libubootenv)?.*/v?(\d\S*)\.tar\.gz
  uscan warn: In debian/watch no matching files for watch line
    https://github.com/sbabic/libubootenv .*/v?(\d\S*)\.tar\.gz


[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks


** Changed in: libubootenv (Ubuntu)
       Status: New => Incomplete

https://bugs.launchpad.net/bugs/1885142

Title:
  [MIR] libubootenv-tool, libubootenv0.1
