pkg-perl-maintainers team mailing list archive

[Bug 1907422] Re: [MIR] needrestart + dependencies

 

[Summary]
We need to assess the situation of package updates. We are several releases behind (5 years behind) and have some CVEs as distro-patches as a consequence. Some DD just took it over in January it seems, but didn’t update to current releases.

List of specific binary packages to be promoted to main: libintl-perllib
libintl-xs-perl

Required TODOs:
- Assess the package update situation and health of the debian team responsible for it.

[Duplication]
Other Perl modules deal with i18n, but it seems none gives the same gettext functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (perlapi-5.32.1 is a virtual package provided by perl-base)
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam), etc.


[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite will fail upon error.
- does have a test suite that runs as autopkgtest
- no translation present, but none needed for this case
- not a python/go package, no extra constraints to consider in that regard

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- no symbols tracking for this kind of libs
- d/watch is present and looks ok
- Upstream update history is good
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is rather clean (=the minimum)
- Does not have Built-Using

Problems:
- Debian/Ubuntu update history is not good: we are several releases behind (1.26 released in 2016 and current is 1.32), some CVEs have been distro-patched due to this.
- the current release is not packaged and lagging behind (the version


[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (perl)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: libintl-perl (Ubuntu)
     Assignee: Didier Roche (didrocks) => (unassigned)

** Changed in: libintl-perl (Ubuntu)
       Status: New => Incomplete

** Changed in: libintl-perl (Ubuntu)
     Assignee: (unassigned) => Christian Ehrhardt  (paelzer)

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libmodule-scandeps-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1907422

Title:
  [MIR] needrestart + dependencies

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libintl-perl/+bug/1907422/+subscriptions

