[Summary]
ACK from MIR team based on review below.

This does need a security review, so I'll assign ubuntu-security

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning (no CVEs found)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
  - note: it does interact with nvme devices using the NVMe specification api
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber (ubuntu foundations)
- no translation present, but only minimal user interaction; is mostly a pure technical interface
- not a python/go package, no extra constraints to consider in that regard
- no new python2 dependency
- not go package

Problems:
- does have a test suite, but not run at build time
- does not have a test suite that runs as autopkgtest
- *however*, above 2 problems are due to tests requiring system with nvme drive

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code (no shared lib)
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs (no ubuntu delta)
- d/rules is rather clean
- Does not have Built-Using
- not Go Package

Problems:
- no massive Lintian warnings, but groovy package does use debhelper compat 9

[Upstream red flags]
OK:
- no significant errors/warnings during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

Problems:
- use of malloc/sprintf:
  - there are many uses of malloc and sprintf, which mostly seems "ok"
  - however, since the use is only by the nvme stand-alone program, any failure would only affect use of that specific program; there is no library or daemon provided by the package
  - the security team may want to review malloc/sprintf use in more detail

** Changed in: nvme-cli (Ubuntu)
     Assignee: Dan Streetman (ddstreet) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1889688

Title:
  [MIR] nvme-cli