[Summary]
This is a small package that provides only a bash script and some kernel postinst/prerm hooks.
There are no concerning problems with the package, so ACK from MIR team.

As this script deals with configuration of the boot-time menu, and thus affects code started at boot time, this does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: u-boot-menu

Notes:
There are 2 identified issues (aside from needing security review), as listed in the details below, but I don't feel either is important enough to block MIR:
1. There are no build-time or autopkgtest test cases, but this is a single simple script.
2. The Ubuntu devel version lags behind Debian but only by a single minor version.

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no CVEs found
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

Problems:
- does involve control of boot

[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber
- no translation present, but none needed for this case
- not a python/go package, no extra constraints to consider in that regard

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch not applicable, native package
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- Not Go Package

Problems:
- the current release is not packaged in hirsute, but 1 minor version behind

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: u-boot-menu (Ubuntu)
     Assignee: Dan Streetman (ddstreet) => Ubuntu Security Team (ubuntu-security)

--
https://bugs.launchpad.net/bugs/1907284

Title:
  [MIR] u-boot-menu