** Description changed: - [Summary] - TODO: WRITE - The essence of the review result from the MIR POV - TODO: This does need a security review, so I'll assign ubuntu-security - TODO: List of specific binary packages to be promoted to main: <TODO> + [Availability] + libmd has been on Universe since Xenial and builds on all supported archs. Hirsute currently has 1.0.3-3. - Notes: - TODO: - add todos, issues or special cases to discuss - Required TODOs: - TODO - TBD - Recommended TODOs: - TODO - TBD + [Rationale] + libbsb has a new dependency on libmd since 0.11.1-1 (0.10 or earlier didn't) + - libbsd0 depends on libmd0 + - libbsd build-depends on libmd-dev - [Duplication] - TODO: There is no other package in main providing the same functionality. + + [Security] + - found no CVEs related to libmd on Mitre, Openwall, and Ubuntu CVE tracker (main, universe, and tracker). + - no suid binaries on libmd0 + - package provides no service files + - package does not require network (no open ports) + + + [Quality assurance] + - libmd0 1.0.3-3 depends only on libc6 (ie. 
no weird deps) + - libmd 1.0.3-3 build depends only on debhelper-compat + - no bug has ever been logged for libmd in both launchpad[1] and debian[2] + - homepage lists no upstream bug tracker [3] + - upstream maintainer is Guillem Jover + - package ships with a testsuite + - testsuite does not need network nor weird hardware + - testsuite is run during build + - has autopkgtests [4] + - autopkgtest fails on i386 (not a blocker) + - autopkgtest succeeded on amd64, ppc64el, s390x + - package has a debian/watch file + - 'lintian --pedantic' indicates no packaging issues + [Dependencies] - OK: - TODO - no other Dependencies to MIR due to this - TODO (use tools: check-mir, seeded-in-ubuntu, reverse-depends) - TODO - no -dev/-debug/-doc packages that need exclusion + - libmd0 1.0.3-3 depends: libc6 + - libmd 1.0.3-3 build-depends: debhelper-compat - TODO: Problems: - [Embedded sources and static linking] - OK: - TODO: - no embedded source present - TODO: - no static linking + [Standards compliance] + Package meets Debian Policy 4.5.1 (latest as of 2021-02-09). + Package meets FHS. - TODO: Problems: + [Maintenance] + Package is small and well maintained in Debian by it's upstream main developer (Guillem Jover). - [Security] - OK: - TODO: - history of CVEs does not look concerning - TODO: - does not run a daemon as root - TODO: - does not use webkit1,2 - TODO: - does not use lib*v8 directly - TODO: - does not parse data formats - TODO: - does not open a port - TODO: - does not process arbitrary web content - TODO: - does not use centralized online accounts - TODO: - does not integrate arbitrary javascript into the desktop - TODO: - does not deal with system authentication (eg, pam), etc) - TODO: Problems: + [Background information] + Package description is correct and succint: + 'The libmd library provides various + message digest ("hash") functions, + as found on various BSDs on a + library with the same name and with a + compatible API.' 
- [Common blockers] - OK: - TODO: - does not FTBFS currently - TODO: - does have a test suite that runs at build time - TODO: - test suite fails will fail the build upon error. - TODO: - does have a test suite that runs as autopkgtest - TODO: - The package has a team bug subscriber - TODO: - no translation present, but none needed for this case (user visible)? - TODO: - not a python/go package, no extra constraints to consider int hat regard - TODO: - no new python2 dependency - TODO: - Python package that is using dh_python - TODO: - Go package that uses dh-golang - TODO: Problems: + [References] - [Packaging red flags] - OK: - TODO: - Ubuntu does not carry a delta - TODO: - Ubuntu does carry a delta, but it is reasonable and maintenance under control - TODO: - symbols tracking is in place - TODO: - symbols tracking not applicable for this kind of code. - TODO: - d/watch is present and looks ok - TODO: - Upstream update history is (good/slow/sporadic) - TODO: - Debian/Ubuntu update history is (good/slow/sporadic) - TODO: - the current release is packaged - TODO: - promoting this does not seem to cause issues for MOTUs that so far - TODO: maintained the package - TODO: - no massive Lintian warnings - TODO: - d/rules is rather clean - TODO: - Does not have Built-Using - TODO: - Go Package that follows the Debian Go packaging guidelines - TODO: (see https://go-team.pages.debian.net/packaging.html) + [1] + https://bugs.launchpad.net/ubuntu/+source/libmd/+bugs?search=Search&field.status%3Alist=NEW&field.status%3Alist=OPINION&field.status%3Alist=INVALID&field.status%3Alist=WONTFIX&field.status%3Alist=EXPIRED&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=FIXRELEASED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&assignee_option=any&field.tags_combinator=ANY&field + .status_upstream-empty-marker=1 - TODO: Problems: - - [Upstream red 
flags] - OK: - TODO: - no Errors/warnings during the build - TODO: - no incautious use of malloc/sprintf (as far as I can check it) - TODO: - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH - TODO: - no use of user nobody - TODO: - no use of setuid - TODO: - no important open bugs (crashers, etc) in Debian or Ubuntu - TODO: - no dependency on webkit, qtwebkit, seed or libgoa-* - TODO: - not part of the UI for extra checks - - TODO: Problems: + [2] https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;src=libmd + [3] https://www.hadrons.org/software/libmd/ + [4] https://autopkgtest.ubuntu.com/packages/libmd
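Review bot: The new [Security] section lists no CVEs, no suid binaries, no service files and no open ports, but the removed template items "does not parse data formats" and "This does need a security review, so I'll assign ubuntu-security" are dropped without an answer. Since the package description says the library provides message digest ("hash") functions, state explicitly whether a security team review is being requested and how the library handles caller-supplied input. In [Quality assurance], "autopkgtest fails on i386 (not a blocker)" gives no reason; add a one-line justification or a link to the failing run so the MIR reviewer can confirm it.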
** Description changed: [Availability] libmd has been on Universe since Xenial and builds on all supported archs. Hirsute currently has 1.0.3-3. [Rationale] libbsb has a new dependency on libmd since 0.11.1-1 (0.10 or earlier didn't) - libbsd0 depends on libmd0 - libbsd build-depends on libmd-dev - [Security] - found no CVEs related to libmd on Mitre, Openwall, and Ubuntu CVE tracker (main, universe, and tracker). - no suid binaries on libmd0 - package provides no service files - package does not require network (no open ports) - [Quality assurance] - libmd0 1.0.3-3 depends only on libc6 (ie. no weird deps) - libmd 1.0.3-3 build depends only on debhelper-compat - no bug has ever been logged for libmd in both launchpad[1] and debian[2] - homepage lists no upstream bug tracker [3] - upstream maintainer is Guillem Jover - package ships with a testsuite - testsuite does not need network nor weird hardware - testsuite is run during build - has autopkgtests [4] - autopkgtest fails on i386 (not a blocker) - autopkgtest succeeded on amd64, ppc64el, s390x - package has a debian/watch file - 'lintian --pedantic' indicates no packaging issues - [Dependencies] - libmd0 1.0.3-3 depends: libc6 - libmd 1.0.3-3 build-depends: debhelper-compat - [Standards compliance] Package meets Debian Policy 4.5.1 (latest as of 2021-02-09). Package meets FHS. [Maintenance] Package is small and well maintained in Debian by it's upstream main developer (Guillem Jover). - [Background information] Package description is correct and succint: 'The libmd library provides various - message digest ("hash") functions, - as found on various BSDs on a - library with the same name and with a - compatible API.' - + message digest ("hash") functions, + as found on various BSDs on a + library with the same name and with a + compatible API.' 
[References] - - [1] - https://bugs.launchpad.net/ubuntu/+source/libmd/+bugs?search=Search&field.status%3Alist=NEW&field.status%3Alist=OPINION&field.status%3Alist=INVALID&field.status%3Alist=WONTFIX&field.status%3Alist=EXPIRED&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=FIXRELEASED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&assignee_option=any&field.tags_combinator=ANY&field - .status_upstream-empty-marker=1 + [1] https://bugs.launchpad.net/ubuntu/+source/libmd/+bugs?search=Search&field.status%3Alist=NEW&field.status%3Alist=OPINION&field.status%3Alist=INVALID&field.status%3Alist=WONTFIX&field.status%3Alist=EXPIRED&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=FIXRELEASED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&assignee_option=any&field.tags_combinator=ANY&field.status_upstream-empty-marker=1 [2] https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;src=libmd [3] https://www.hadrons.org/software/libmd/ [4] https://autopkgtest.ubuntu.com/packages/libmd + + [tdaitx 2021-02-09] + I confirm that I checked the above requirements carefully.
https://bugs.launchpad.net/bugs/1915009 Title: [MIR] libmd (dependency of libbsd)
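Review bot: The [Rationale] line still reads "libbsb has a new dependency on libmd" while the two bullets under it name libbsd0 and libbsd, so the package name should be corrected to libbsd in this revision. The same pass could fix "by it's upstream main developer" (its) in [Maintenance] and "succint" (succinct) in [Background information], since this revision otherwise changes only blank lines, the indentation of the quoted description and the wrapping of reference [1].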