[MIR] libmspack
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libmspack (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
Availability: libmspack is already in Ubuntu universe and built for all architectures.
Rationale: Clamav has used an embedded copy of libmspack for some time. In the current release, the ability to use an external, system version has been added. This would be better. Effectively the code is in Main already via clamav. Moving the libmspack package to Main is a better, more maintainable way to have it there. This is also used in LibreOffice, so having the system version in Main should help there too.
Security: The security history and the current state of security issues in the package must allow us to support the package for at least 9 months (60 for LTS support) without exposing its users to an inappropriate level of security risks. This requires checking of several things that are explained in detail in the subsection Security checks.
Quality assurance: Package is a library that needs no configuration and asks no questions. There are no open bugs in Debian or Ubuntu. Upstream seems quiescent, but not dead. There do not appear to be any long term issues that would impact supportability.
There are no open bugs in Ubuntu or Debian, but I couldn't find an upstream bug tracker:
https:/
https:/
The package is well done and meets standard MIR requirements such as a symbols file, watch file, etc.
The package does not deal with exotic hardware.
UI standards: N/A
Dependencies: All depends/build-dep are in Main
Standards compliance/
Background information: See above. Already in Main due to embedding in clamav and other packages.
Security checks
Check how many vulnerabilities the package had in the past and how they were handled by upstream and the Debian/Ubuntu package:
http://
http://
Ubuntu CVE Tracker: Nothing listed.
Security relevant binaries: This is a package that unpacks various formats of often untrusted data (particularly in the clamav use) so it's inherently security sensitive to a degree.
Changed in libmspack (Ubuntu):
importance: Undecided → Medium
This looks fine to me. ScottK assures me that the embedded copy is the same version, so this is really just shuffling code around to make it less opaque and more maintainable. Would be good if we could eliminate other embedded copies in the same pass, but getting more consumers for the library shouldn't block the MIR for clamav's sake. ACKing and promoting.