pkg-perl-maintainers team mailing list archive

Thread
Date
[Bug 2030880] Re: [MIR] libemail-mime-perl (libmail-dmarc-perl dependency)

To: pkg-perl-maintainers@xxxxxxxxxxxxxxxxxxx
From: Lukas Märdian <2030880@xxxxxxxxxxxxxxxxxx>
Date: Tue, 29 Aug 2023 12:44:41 -0000
Reply-to: Bug 2030880 <2030880@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Review for Source Package: libemail-mime-perl

[Summary]
A Perl module for parsing MIME messages.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: libemail-mime-perl
Specific binary packages built, but NOT to be promoted to main: None

Notes:
#0 This is a MIME parser, which could also deal with de-/encryption in a secure email context, I'm therefore requesting security review.

Required TODOs:
#1 other Dependencies to MIR due to this
 * bug #2030956, libemail-messageid-perl binary and source package is in universe
 * bug #2030962 (done), libemail-mime-contenttype-perl binary and source package is in universe
 * bug #2031487 (done), libemail-mime-encodings-perl binary and source package is in universe
 * bug #2031491 (pending), libemail-simple-perl binary and source package is in universe
#2 Potential duplicates in "main":  libmime-lite-perl &  libmime-tools-perl
=> Could you please differentiate those from this package, or consider if they could be used instead?
#3 Thanks for your analysis of this bug report, can you please clarify the verdict (is it fixed)? Please try to reproduce this or check back with the maintainer(s).
=> https://bugs.debian.org/960062 "DoS on excessive or deeply nested parts"
=> https://github.com/rjbs/Email-MIME/issues/66

Recommended TODOs:
#4 The package should get a team bug subscriber before being promoted

[Duplication]
Here are some potential duplicates, two of them in "main" already. Could you please differentiate those from this package, or consider if they could be used instead?

$ rmadison -c main -s mantic {libmime-lite-perl,libmime-tools-perl,libmime-explode-perl}
 libmime-lite-perl  | 3.033-1 | mantic | source, all
 libmime-tools-perl | 5.510-3 | mantic | source, all

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- other Dependencies to MIR due to this
 * bug #2030956, libemail-messageid-perl binary and source package is in universe
 * bug #2030962 (done), libemail-mime-contenttype-perl binary and source package is in universe
 * bug #2031487 (done), libemail-mime-encodings-perl binary and source package is in universe
 * bug #2031491 (pending), libemail-simple-perl binary and source package is in universe

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- parses data formats (MIME) from an untrusted source.
- Could deal with cryptography (en-/decryption secure emails)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- Not a Python package
- Not a Go package

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is sporadic
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid / setgid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems:
- important open bugs (crashers, etc) in Debian
=> https://bugs.debian.org/960062 "DoS on excessive or deeply nested parts"
=> https://github.com/rjbs/Email-MIME/issues/66

** Bug watch added: Debian Bug tracker #960062
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960062

** Bug watch added: github.com/rjbs/Email-MIME/issues #66
   https://github.com/rjbs/Email-MIME/issues/66

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libemail-mime-perl in Ubuntu.
https://bugs.launchpad.net/bugs/2030880

Title:
  [MIR] libemail-mime-perl (libmail-dmarc-perl dependency)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880/+subscriptions