[MIR] libinih
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libinih (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
* Availability
Built for all supported architectures. In sync with Debian.
https:/
* Rationale
It's a depends from gamemode which currently bundles a copy version
* Security
No known security issues
https:/
https:/
https:/
* Quality assurance
- The desktop-packages team is subscribed
- No report downstream, one upstream only and it's from today
https:/
https:/
https:/
The unittests are run as an autopkgtest
http://
* Dependencies
It Depends only on libc6
* Standards compliance
Use current Standards-Version and dh13
* Maintenance
The Debian maintainer is active, the package is in sync, the Desktop Team is subscribed in Ubuntu
| Changed in libinih (Ubuntu): | |
| assignee: | nobody → Seth Arnold (seth-arnold) |
| Seth Arnold (seth-arnold) wrote | #1 |
| Changed in libinih (Ubuntu): | |
| assignee: | Seth Arnold (seth-arnold) → Ubuntu Security Team (ubuntu-security) |
| Seth Arnold (seth-arnold) wrote | #2 |
| Changed in libinih (Ubuntu): | |
| assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
| Sebastien Bacher (seb128) wrote | #3 |
| Didier Roche-Tolomelli (didrocks) wrote | #4 |
| Changed in libinih (Ubuntu): | |
| status: | New → Fix Committed |
| Didier Roche-Tolomelli (didrocks) wrote | #5 |
| Changed in libinih (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| Matthias Klose (doko) wrote | #6 |
[Summary]
This does need a security review, so I'll assign ubuntu-security
Notes/TODOs:
Can someone please tell me how to check the Built-Using information?
Can someone please suggest to me the list of binaries to promote?
[Duplication]
There are many packages in the archive to read ini files. Only
libini-config5 is in C/C++ and in main. The documentation for the
container interface is several times larger than the libinih codebase:
it's a different scale of tool entirely. I'm satisfied this is a suitable
choice to promote to main.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
Problems:
- no -dev/-debug/-doc packages that need exclusion
there's another C++ version included in this package, libinireader0,
that might be worth excluding if it is not specifically needed
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam), etc
Problems:
- Parses a data format, ini files
[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (user visible)?
- does have a test suite that runs at build time
- does have a test suite that runs as autopkgtest
- not a python package, no extra constraints to consider int hat regard
- no new python2 dependency
Problems:
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
Problems:
- the current release is not packaged
- not using Built-Using -- I odn't know how to find this
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks
Problems: