[Summary]
This does need a security review, so I'll assign ubuntu-security.

Notes/TODOs:
- Can someone please tell me how to check the Built-Using information?
- Can someone please suggest to me the list of binaries to promote?

[Duplication]
There are many packages in the archive to read ini files. Only libini-config5 is in C/C++ and in main. The documentation for the container interface is several times larger than the libinih codebase: it's a different scale of tool entirely. I'm satisfied this is a suitable choice to promote to main.

[Dependencies]
OK:
- no other Dependencies to MIR due to this

Problems:
- no -dev/-debug/-doc packages that need exclusion
- there's another C++ version included in this package, libinireader0, that might be worth excluding if it is not specifically needed

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam), etc

Problems:
- Parses a data format, ini files

[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (user visible)?
- does have a test suite that runs at build time
- does have a test suite that runs as autopkgtest
- not a python package, no extra constraints to consider in that regard
- no new python2 dependency

Problems:

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean

Problems:
- the current release is not packaged
- not using Built-Using -- I don't know how to find this

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

Problems:

** Changed in: libinih (Ubuntu)
   Assignee: Seth Arnold (seth-arnold) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1883890
Title: [MIR] libinih

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs