
pkg-perl-maintainers team mailing list archive

[Bug 1907422] Re: [MIR] needrestart + dependencies


[Summary]
MIR Ack once the subscription is added (incomplete until then, as we have not
yet defined the process to have the AAs check this and I don't want to create
a trap for them)
This does not need a security review.

List of specific binary packages to be promoted to main: libmodule-find-perl

Required TODOs:
Get the Foundations Team subscribed to the package before promoting it to main.

[Duplication]
libmodule-reader-perl is similar to some extent, but not in main - so no
problem.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

Problems:
A program cannot open more/fewer modules due to this. Also the modules
that you'd usually directly open are of the same security level (e.g. who can
write to them) as those searched and loaded by this.
It is also not a lot of code and doesn't have overly complex structures
that could break/exploit things that were overlooked.
So I think this does not make it "more insecure" and does not need a security
review.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite will fail upon error.
- does have a test suite that runs as autopkgtest (the auto perl ones)
- no translation present, but none needed for this case
- not a python/go package, no extra constraints to consider in that regard

Problems:
- The package has a team bug subscriber

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is slow but given this tool is small that is ok
- Debian/Ubuntu update history is sporadic (based on slow upstream changes)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean (=the minimum)
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (perl)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: libmodule-find-perl (Ubuntu)
     Assignee: Christian Ehrhardt  (paelzer) => (unassigned)

** Changed in: libmodule-find-perl (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libmodule-scandeps-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1907422

Title:
  [MIR] needrestart + dependencies

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libintl-perl/+bug/1907422/+subscriptions
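The security argument in the review above rests on one point: a Module::Find style search can only reach modules that sit under the directories in @INC, so the trust boundary is who can write to those directories, not the module that enumerates them. The script below is an added illustration of that check and is neither part of the MIR review nor code from Module::Find or needrestart. It does not call Module::Find at all; it walks @INC with core modules only, mimicking the essential behaviour (look for *.pm files under a namespace in every @INC entry), records which entry would satisfy a `require` for each name, and flags search roots that are group- or world-writable. The namespace "Module" is an assumption chosen only because every Perl installation has Module/ directories under @INC; pass another namespace as the first argument.

```perl
#!/usr/bin/perl
# Added example, not code from the MIR review, Module::Find or needrestart.
# Enumerate the *.pm files a Module::Find-style search under a namespace
# would pick up from @INC and flag @INC entries that are writable by
# anyone other than their owner. Core modules only, so it runs anywhere.
use strict;
use warnings;
use File::Find ();
use File::Spec ();
use Fcntl qw(:mode);

# Assumed default namespace: "Module" exists on every Perl install
# (Module::Load, Module::CoreList, ...). Module::Find's findallmod('Module')
# would likewise look for Module/**/*.pm in each @INC entry.
my $namespace = $ARGV[0] // 'Module';
my @rel       = split /::/, $namespace;

my %provided_by;    # module name => first @INC entry that provides it

for my $root (@INC) {
    next if ref $root;    # @INC may hold coderefs/objects; skip those
    my $dir = File::Spec->catdir( $root, @rel );
    next unless -d $dir;

    # Who can write to this search root? A group- or world-writable entry
    # means anyone in that group (or anyone at all) controls what gets
    # loaded, whether it is found by a search or named directly in `use`.
    my $mode = ( stat $root )[2];
    my @flags;
    push @flags, 'group-writable' if $mode & S_IWGRP;
    push @flags, 'world-writable' if $mode & S_IWOTH;
    push @flags, 'writable-by-me' if -w $root;    # honours effective uid
    printf "%s  [%s]\n", $root, ( join ', ', @flags ) || 'owner-only';

    File::Find::find(
        {
            no_chdir => 1,
            wanted   => sub {
                return unless /\.pm\z/ && -f $_;
                my $relpath = File::Spec->abs2rel( $_, $root );
                ( my $mod = $relpath ) =~ s{\.pm\z}{};
                $mod =~ s{[/\\]}{::}g;
                # Keep the first @INC entry that provides the name: that is
                # the file `require` would load, in @INC order.
                $provided_by{$mod} //= $root;
            },
        },
        $dir,
    );
}

printf "\n%d module(s) reachable under %s::\n", scalar( keys %provided_by ),
  $namespace;
for my $mod ( sort keys %provided_by ) {
    print "  $mod  <- $provided_by{$mod}\n";
}
```

Run it as `perl find-inc-modules.pl` (or with a namespace argument such as `Module::Find`) on a system where the package is installed. Every entry it reports as owner-only and owned by root is one that a plain `use` would trust just as much; an entry flagged group- or world-writable is the actual problem to raise, independent of whether modules are located by name or by search.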

