Ubuntu
libinih package

Bug #1883890
Comment #1

Comment 1 for bug 1883890

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2020-08-29:

[Summary]
This does need a security review, so I'll assign ubuntu-security

Notes/TODOs:
Can someone please tell me how to check the Built-Using information?
Can someone please suggest to me the list of binaries to promote?

[Duplication]
There are many packages in the archive to read ini files. Only
libini-config5 is in C/C++ and in main. The documentation for the
container interface is several times larger than the libinih codebase:
it's a different scale of tool entirely. I'm satisfied this is a suitable
choice to promote to main.

[Dependencies]
OK:
- no other Dependencies to MIR due to this

Problems:
- no -dev/-debug/-doc packages that need exclusion
there's another C++ version included in this package, libinireader0,
that might be worth excluding if it is not specifically needed

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam), etc

Problems:
- Parses a data format, ini files

[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (user visible)?
- does have a test suite that runs at build time
- does have a test suite that runs as autopkgtest
- not a python package, no extra constraints to consider int hat regard
- no new python2 dependency

Problems:

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean

Problems:
- the current release is not packaged
- not using Built-Using -- I odn't know how to find this

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

Problems:

[Summary]
This does need a security review, so I'll assign ubuntu-security

Notes/TODOs:
Can someone please tell me how to check the Built-Using information?
Can someone please suggest to me the list of binaries to promote?

[Dependencies]
OK:
- no other Dependencies to MIR due to this

Problems:
- no -dev/-debug/-doc packages that need exclusion
  there's another C++ version included in this package, libinireader0,
  that might be worth excluding if it is not specifically needed

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

Problems:
- Parses a data format, ini files

Problems:

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean

Problems:
- the current release is not packaged
- not using Built-Using -- I odn't know how to find this

Problems:

Ubuntulibinih package

Comment 1 for bug 1883890

Ubuntu
libinih package