I reviewed linux-firmware-raspi2 version 2-0ubuntu1 as checked into groovy. This is a very quick pass over the package.
My concerns for this package are nearly identical to my concerns given in https://bugs.launchpad.net/ubuntu/+source/rpi-eeprom/+bug/1895137/comments/11

Thanks Dave for anticipating similar expectations for this package: https://bugs.launchpad.net/ubuntu/+source/linux-firmware-raspi2/+bug/1867813/comments/13

One concern I have with this package is the get-orig-source target downloads files without strong verification of file contents; it is trusting the GitHub infrastructure and X.509 ecosystem to make sure incorrect files aren't downloaded by accident. This isn't ideal but also isn't restricted to this one package.

Security team ACK for promoting linux-firmware-raspi2 to restricted.

Thanks

** Changed in: linux-firmware-raspi2 (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1867813

Title:
  [MIR] linux-firmware-raspi2 to restricted