I reviewed marisa 0.2.6-3~exp2ubuntu2 as checked into hirsute. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
marisa is a trie-based data structure. There's both a library package and command line interfaces as well as bindings for ruby, python, and perl.

- CVE History:
  - None in our database
- Build-Depends?
  - chrpath, debhelper-compat, dh-python, perl, pkg-kde-tools, python3-all-dev, ruby, ruby-dev, swig
- pre/post inst/rm scripts?
  - automatically-added python stuff
- init scripts?
  - None
- systemd units?
  - None
- dbus services?
  - None
- setuid binaries?
  - None
- binaries in PATH?
  -rwxr-xr-x root/root ./usr/bin/marisa-benchmark
  -rwxr-xr-x root/root ./usr/bin/marisa-build
  -rwxr-xr-x root/root ./usr/bin/marisa-common-prefix-search
  -rwxr-xr-x root/root ./usr/bin/marisa-dump
  -rwxr-xr-x root/root ./usr/bin/marisa-lookup
  -rwxr-xr-x root/root ./usr/bin/marisa-predictive-search
  -rwxr-xr-x root/root ./usr/bin/marisa-reverse-lookup
- sudo fragments?
  - None
- polkit files?
  - None
- udev rules?
  - None
- unit tests / autopkgtests?
  - Pretty extensive; debian/tests/ runs some simple bindings tests, too
- cron jobs?
  - None
- Build logs:
  - Some deprecation warnings in Ruby bindings, not too bad

- Processes spawned?
  - None
- Memory management?
  - Manual-style C++ memory management; it looked good
- File IO?
  - File paths provided by clients; coverity reported a race condition between a stat and mmap call, minor issue
- Logging?
  - None
- Environment variable usage?
  - None
- Use of privileged functions?
  - None
- Use of cryptography / random number sources etc?
  - None
- Use of temp files?
  - None
- Use of networking?
  - None
- Use of WebKit?
  - None
- Use of PolicyKit?
  - None

- Any significant cppcheck results?
  - two false positives, nothing else
- Any significant Coverity results?
  - many false positives, one TOCTTOU bug, minor
- Any significant shellcheck results?
  - only results are in debian's tests
- Any significant bandit results?
  - None

The actual trie portion of marisa is pretty involved. We will need to rely on upstream for support of the computational pieces.
The interoperation portions of marisa are fairly straightforward older-style C++. This looked fine.

Security team ACK for promoting marisa to main.

** Changed in: marisa (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: marisa (Ubuntu)
       Status: New => In Progress

https://bugs.launchpad.net/bugs/1914808
Title: [MIR] marisa
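Added illustration of the one concrete finding in the review above, the stat()-then-mmap() TOCTTOU that Coverity flagged. This is example code written for this page, not marisa's own loader and not part of the reviewer's message; the function names, the hook parameter and the temp-file helpers are all hypothetical. It shows the racy shape (size taken from stat() on a path name, mapping taken from a later open() of the same name) beside the usual fix (open once, fstat() the descriptor, refuse non-regular files), with a hook that changes the file between check and use so the mismatch is observable without a real attacker.

```cpp
// Added example, not marisa's code: stat()-then-mmap() TOCTTOU beside the
// fstat()-on-the-descriptor form. All names here are hypothetical.
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Hook type: lets a caller change the file between check and use, standing
// in for an attacker swapping the path (e.g. via a symlink) mid-race.
typedef void (*between_hook)(const std::string& path);

// Map `size` bytes of fd and copy them into `out`. Returns byte count or -1.
static long map_into(int fd, size_t size, std::vector<char>& out) {
    if (size == 0) { out.clear(); return 0; }          // mmap(len 0) is EINVAL
    void* p = mmap(nullptr, size, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) return -1;
    out.assign(static_cast<char*>(p), static_cast<char*>(p) + size);
    munmap(p, size);
    return static_cast<long>(size);
}

// Racy: the size comes from stat() on the *name*, the mapping from a later
// open() of the same name. If the file changes in between, size and mapping
// describe different data; if it shrank, touching the mapping past the new
// EOF raises SIGBUS.
long load_racy(const std::string& path, std::vector<char>& out,
               between_hook hook = nullptr) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0) return -1;       // check (on the name)
    if (hook) hook(path);                               // the race window
    int fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);  // use (name again)
    if (fd < 0) return -1;
    long n = map_into(fd, static_cast<size_t>(st.st_size), out);
    close(fd);
    return n;
}

// Hardened: open once, then fstat() the descriptor. Size and mapping now
// refer to the same inode whatever the name points to. Also refuse
// non-regular files, for which a size from stat()-by-name is meaningless.
long load_fstat(const std::string& path, std::vector<char>& out,
                between_hook hook = nullptr) {
    int fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    if (hook) hook(path);                               // same window, now harmless
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    long n = map_into(fd, static_cast<size_t>(st.st_size), out);
    close(fd);
    return n;
}

// Constructed-input helpers: create a temp file with given contents, and
// overwrite a file in place (stands in for the attacker's swap).
std::string write_temp(const std::string& contents) {
    char tmpl[] = "/tmp/marisa_toctou_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return "";
    ssize_t w = write(fd, contents.data(), contents.size());
    close(fd);
    return w == static_cast<ssize_t>(contents.size()) ? std::string(tmpl) : "";
}

bool replace_contents(const std::string& path, const std::string& contents) {
    int fd = open(path.c_str(), O_WRONLY | O_TRUNC);
    if (fd < 0) return false;
    bool ok = write(fd, contents.data(), contents.size()) ==
              static_cast<ssize_t>(contents.size());
    close(fd);
    return ok;
}

// Hook that makes the file longer between check and use.
void grow_file(const std::string& path) {
    replace_contents(path, "hello trie, now longer");   // 22 bytes
}

int main() {
    std::string p = write_temp("hello trie");           // 10 bytes
    std::vector<char> a, b;
    long n1 = load_racy(p, a, grow_file);               // stale stat() size
    long n2 = load_fstat(p, b);                         // size of what was mapped
    std::printf("racy=%ld fstat=%ld\n", n1, n2);
    unlink(p.c_str());
    return 0;
}
```

The difference the review calls minor is visible in the numbers: the racy loader reports and copies 10 bytes of a file that is 22 bytes long by the time it is mapped, while the fstat() version cannot disagree with itself because the size and the mapping come from the same open descriptor. The shrink direction is the one that matters in practice (a mapping longer than the file faults on access), which is why the example only grows the file.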