Ubuntu
libmaxminddb package

Bug #1861101
Comment #27

Comment 27 for bug 1861101

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-03-18:

#27

[Summary]
MIR team Ack, a very small and clean python lib.
But this one has a few todos we need to resolve before/after promotion:

TODO ASAP:
- For 20.04 we really should consider going ahead to the much newer 1.5.2
  => https://github.com/maxmind/MaxMind-DB-Reader-python/releases
  @andreas will you take a look at this, just as you did with the other
  related package that was slightly outdated?
- ask Josh to subscribe server-team to this pkg as well

TODO long-term:
- I'd wonder if we can get a security review (on all of these) in the long
  run but not gating the MIR for now - details below?
- Debian updates a bit slowly, we might need to do the monitoring and
  updating on this one - @Andreas is that ok for you to do that
  along e.g. bind9 merges?

[Duplication]
While python3-geoip2 was for the API this package python-maxminddb is a
python interface for reading the MaxMind DB. I don't see a package in
main doing that already. No duplication issue.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- doc depends only on libjs-sphinxdoc which is in main already

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

- does parse data formats
  There are two ways it can operate. It can either do the processing in its
  python code or has a C extension - but that extension only is a shim to pass
  to the libmaxminddb0 code.
  That way - as with the other packages in this context it does fairly minimal
  things and has despite its age no CVE history at all.

I have revisited the parsing in all the packages int his MIR, I still think
it is fairly minimal and does not need a "gating security review".
But on the long run - once the 20.04 dust settles - it might be good to have
one eventually. @Andreas could you after resolving this ask security if they
could do an informal security review on the packages in this MIR?

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
seem good enough for this package
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider int hat regard
- no new python2 dependency
- Python package that is using dh_python

Problem:
- does not have a test suite that runs as autopkgtest, but the build time
tests (171) seem enough for this Packages content

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is not too bad but is slightly outdated
we might need to work on it along bind9 merges
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

Problem:
- the current release is not packaged
There is a 1.5.2 which outdates our 1.4.1 by 1.5years. This should be updates
before we ship it in an LTS.

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (mostly python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

Assigning to Andreas for the version update (which will also need an FFe bug along)

[Summary]
MIR team Ack, a very small and clean python lib.
But this one has a few todos we need to resolve before/after promotion:

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
  - doc depends only on libjs-sphinxdoc which is in main already

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
  seem good enough for this package
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider int hat regard
- no new python2 dependency
- Python package that is using dh_python

Problem:
- does not have a test suite that runs as autopkgtest, but the build time
  tests (171) seem enough for this Packages content

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is not too bad but is slightly outdated
  we might need to work on it along bind9 merges
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

Problem:
- the current release is not packaged
  There is a 1.5.2 which outdates our 1.4.1 by 1.5years. This should be updates
  before we ship it in an LTS.

Assigning to Andreas for the version update (which will also need an FFe bug along)

Ubuntulibmaxminddb package

Comment 27 for bug 1861101

Ubuntu
libmaxminddb package