FWIW, I did start the golang-gopkg-ini.v1 review before the discussion went to invalidate it, I will still post what I found in case we have another MIR one day.
golang-gopkg-ini.v1: [Summary] - Some work is needed as right now : * golang-github-smartystreets-goconvey-dev MIRing. Blocking this one - The rest looks good both from a packaging and code POV. - Needs security review for parsing data [Duplication] Nothing to add over the top request. Providing and use of Go native binding is welcome. [Dependencies] Needs fixing: - golang-gopkg-ini.v1-dev depends on golang-github-smartystreets-goconvey-dev which is in universe. One way would be to separate the _test.go files from regular code one. That way, only test files are using convey and no dependency is needed. We can hope that Depends:misc DTRT. - only one -dev package that needs to be in main due to the nature of Go library (statically linked) [Embedded sources and static linking] OK: - no embedded source present - only ship source code, so no static linking [Security] OK: - no CVEs, but really fresh new package. - it does use Go battle-proof http stack - does not use webkit2,2 - does not use lib*v9 directly - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) Problems: - parse data formats, but only in pure Go, via consts. If one day we promote it, it will need a security review - does not open a port - does not run a daemon as root [Common blockers] OK: - does not FTBFS currently - does have a test suite that runs at build time (but fairly minimal) - test suite fails will fail the build upon error. - no translation present, but none needed - not a python package, no extra constraints to consider int hat regard - Go package that uses dh-golang - Team subscription is now OK [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking not applicable for this kind of code. - d/watch is present and looks ok - Upstream update history is good - Debian/Ubuntu update history is good, but short - there is no official release yet so it’s a git snapshot (latest upstream commit) - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - d/rules is clean and minimal - Go package that follows the Debian Go packaging guidelines [Upstream red flags] OK: - standard and comprehensible Go code. - no use of go modules :-/ running go mod init though before running tests - CI is running as part of upstream build. One of the targetted plateform is ubuntu-latest. - no Errors/warnings during the build - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH - no use of user nobody - no use of setuid - no important open bugs (crashers, etc) in Debian or Ubuntu - no dependency on webkit, qtwebkit, seed or libgoa-* - no embedded source copies - not part of the UI for extra checks - no upstream bug opened at this date (none over the lifetime of the project) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1891157 Title: [MIR] ipp-usb To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/golang-github-openprinting-goipp/+bug/1891157/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
