This is a special case, as we have the newer versions already in main in Bionic. Therefore the evaluation checks if the older version has CVEs, packaging issues and such - but is no full re-evaluation.
[Duplication] No duplication, this is the python entrypoint for macaroons handling [Embedded sources and static linking] - no embedded sources - no static linking - no golang [Security] This is one of the biggest parts of the re-check as we need to ensure that the older version has no known or unmaintainable deficiencies But it seems fine - no existing CVEs associated. It still is security sensitive, as it's purpose is to handle tokens that entitle users of a given feature. Therefore I'd want an ack by the ubuntu-security team - which given it is a re-review should go fast as well. [Common blockers] - builds fine in Xenial last time, I asked for a rebuild to prove that also trusty will be fine - no tests at build time, but then this is only re-evaluating and the version in Bionic has not more - the maas team is already subscribed to the package - no user visible output that needs translation - only python3 dependencies are used (but then for Xenial/Trusty this wouldn't even be important) - dh_python is in use [Packaging red flags] - no ubunut Delta (the ubuntu1 comes by being a backport alrady) - python library, no symbols management needed - debian/watch present - updates were ok so far (it isn't moving too fast thou) - no massive Lintian warnings - very clean d/rules (almost only dh @) [Upstream red flags] - no build errors on the Xenial version that will be added to main - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH - no open bugs - no dependency on webkit, qtwebkit, seed or libgoa-* Note on the Versions: This will use the version 0.9.2 in Xenial for X&T, I checked the git log of https://github.com/ecordell/pymacaroons.git Obviously there are fixes/improvments, but no blockers and nothing that would right now outweight the SRU risk pushing the newer version. The only relevant seems "verification for nested third party caveats" which ua-tools triggering this MIR needs to check if they can live with it. I discussed this already and tests with the version in Xenial as-is are good. Security already monitors this and there are no major changes in place - therefore no security re-check needed. Version differences of 0.9.2-0ubuntu1 in Xenial (and eventually Trusty) instead of the 0.13.0-1 that is in main are not too big as the package is mostly a wrapper for NaCl/Sodium functionality. [Summary] As expected - since the newer versions are already in main - this wasn't too critical. After comparing the differences of the version in main in bionic to what shall be promoted in Xenial/Trusty there were no blockers identified. TODOs: @Chad - since this wasn't built a long time in Xenial and never before in Trusty. Could you please provide a PPA that builds the set of three packages in both Releases? Assigned to Chad until PPAs are provided - once builds are shown to be good on X&T this can be approved. ** Changed in: pymacaroons (Ubuntu Trusty) Assignee: Christian Ehrhardt (paelzer) => Chad Smith (chad.smith) ** Changed in: pymacaroons (Ubuntu Xenial) Assignee: Christian Ehrhardt (paelzer) => Chad Smith (chad.smith) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1746772 Title: [MIR] pymacaroons, python-libnacl To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pymacaroons/+bug/1746772/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
