pkg-perl-maintainers team mailing list archive

Thread
Date
[Bug 1951065] Re: [MIR] libio-prompt-tiny-perl

To: pkg-perl-maintainers@xxxxxxxxxxxxxxxxxxx
From: Christian Ehrhardt  <1951065@xxxxxxxxxxxxxxxxxx>
Date: Thu, 13 Jan 2022 11:41:59 -0000
Reply-to: Bug 1951065 <1951065@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Review for Package: libio-prompt-tiny-perl

[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs.

This does not need a security review

List of specific binary packages to be promoted to main: libio-prompt-
tiny-perl

Required TODOs:
- Try if lintian could be switched to use libio-prompter-perl without causing
  more maintenance effort for that delta than what we gain by avoiding another
  pkg in main. Not worth a Delta, but maybe Debian is open to take that chance.
  If the outcome of that check is that maintaining libio-prompt-tiny-perl
  seems easier (not now, also in the long run) then state that and we can
  promote it.

Setting this to incomplete and back to Lukas until that check was done.

[Duplication]
There is the much more powerful and complex libio-prompt-perl, but that isn't
in main either, so no need to consider switching to it instead.

But there also is src:libio-prompter-perl which still does very much the same.
Comparing https://metacpan.org/dist/IO-Prompt-Tiny to
https://metacpan.org/pod/IO::Prompter indicates that the one already in main
is a superset to what is requested.

If this would be a complex package the answer would be easy, "Nack please
use the one already in main".
But on the other hand libio-prompt-tiny-perl really is small and tiny (to be
less capable and thereby less complex than the other prompt modules is the
main design point).
Chances are that maintaining a Delta is more effort than maintaining this
package on top. But if you could get the change into upstream/Debian lintian
then using libio-prompter-perl seems to be the better option.

I'll set a required todo to explore the option to switch lintian to it.
If it is feasible please do so, otherwise continue with this MIR.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does parse data formats, but not much

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream&Debian update history is ok, but too new to really judge
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (perl)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- use of setuid, but ok because <TBD> (prefer systemd to set those
  for services)
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems: None

** Changed in: libio-prompt-tiny-perl (Ubuntu)
       Status: Confirmed => Incomplete

** Changed in: libio-prompt-tiny-perl (Ubuntu)
     Assignee: Christian Ehrhardt  (paelzer) => Lukas Märdian (slyon)

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libio-prompt-tiny-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1951065

Title:
  [MIR] libio-prompt-tiny-perl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libio-prompt-tiny-perl/+bug/1951065/+subscriptions
References

[Bug 1951065] [NEW] [MIR] libio-prompt-tiny-perl
From: Lukas Märdian, 2021-11-16