[Summary]
MIR Team Ack from packaging POV.
This does need a security review, so I'll assign ubuntu-security.
List specific binary packages to be promoted to main:
golang-github-google-btree-dev

[Duplication]
Well, there are a lot of competing projects; the archive alone has four btree implementations:
- golang-github-petar-gollrb-dev
- golang-github-tidwall-btree-dev
- golang-github-cznic-b-dev
- golang-github-google-btree-dev
But the wider Go community seems to have even more, as you can see in this comparison:
https://github.com/tv42/benchmark-ordered-map

None of them is in main yet, so no duplication issue for support.
But with more Go packages coming, this is one of the cases where unfortunately this is often a code-it-away behavior, without yet having a few de-facto libs the community settled on.
At least golang-github-google-btree-dev seems to be high up in the usage count, so it might be the right decision anyway.

golang-github-google-btree-dev was designed to follow the API of another common one, golang-github-petar-gollrb-dev, being a drop-in replacement (at least intended to be that).
The docs of golang-github-google-btree-dev put it this way: "This implementation is designed to be a drop-in replacement to gollrb.LLRB trees, (http://github.com/petar/gollrb), an excellent and probably the most widely used ordered tree implementation in the Go ecosystem currently."

This is ok for now, but if later golang-github-petar-gollrb-dev MIRs come by we might want to consider changing them to use golang-github-google-btree-dev, or vice versa.
It seems functionally gollrb is a superset, so that replacement only works in one direction, but OTOH gollrb is outdated (2013), so golang-github-google-btree-dev might be better after all for main.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present (also no vendored code)
- no static linking (well, Go, but nothing else)

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
Problems:
- does parse data formats to build the tree
  This should be trivial and safe, but there were CVEs on btree functions in the past (in other projects). Since this is <2k LOC, a security review should be fast.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider in that regard
- Go package that uses dh-golang
Problems:
- does not have a test suite that runs as autopkgtest
  For a low level lib, unit and high-level tests are often the same, so that is not perfect but probably ok.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code
- d/watch is present and looks ok
- Upstream update history is ok (at least they have a release instead of just git commits)
- Debian/Ubuntu update history is ok
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean (very much so!)
- Does not have Built-Using
- Go Package that follows the Debian Go packaging guidelines

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (Go)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

** Changed in: golang-github-google-btree (Ubuntu)
     Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1894731

Title:
  [MIR] golang-*, Go build dependencies of google-guest-agent

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-github-gcp-guest-logging-go/+bug/1894731/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs