Comment 1 for bug 1906668

[Summary]
MIR Team nack until the unbundling of libfdt was checked and either done
or reasonably explained why it is undoable + a security ack on the exception
to do so.
Furthermore I'd strongly recommend to add an autopkgtest for it before we
promote it.

Report back here once those are resolved, to get an MIR-Ack and passing it
along to the security team then. Setting the state abck to invalid to reflect
that the action is on the reporter.

Notes:
- if it can't work against libfdt1 from the archive we will need security
  to consider if this is ok as a special case or a no-go.

Required TODOs:
- embedded libfdt is outdated and well, embedded. Please build and link
  against the libfdt1 / libfdt-dev that is in main.

Recommended TODOs:
- Self-tests are essentially non-existent. I'd be slightly scared of breakage
  even due to other components or by the toolchain used on build.
  Could we add a autopkgtest that uses this to boot a minimal riscv system?

[Duplication]
OK:
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no static linking in the usual sense. As outlined when filing the result
  are elf object without runtime dependencies to load on boot.
  The one problem in this is libfdt (see below)

Problems:
- embedded source present - libfdt
  This contains, builds and uses a contained libfdt
  This package exists in the archive and in main
   libfdt1 | 1.5.1-1 | focal
   libfdt1 | 1.6.0-1 | groovy
   libfdt1 | 1.6.0-1 | hirsute
  The bundled code is outdated (on 1.5.1 atm).
  Due to being a static link anyway - after a fix of src:device-tree-compiler
  that provided libfdt a rebuild of src:opensbi would be needed anyway.
  But we won't know if fixed are monitored the same way and/or applicable
  to the bundled code.
  The code itself is rather stable, no public API change since 1.2.
  Please try if this can build and (static) link with the in-distro
  libfdt. If we can't it is up to security to decide if that is ok or a problem
  that should be blocked on.

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

Problems:
- as outlined by the reporter this runs in the highes possible privilege
  mode. Combined with the issues around libfdt I'd recommend security having
  a look.

[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider int hat regard
- no new python2 dependency

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
  Since Risc is emulated anyway this should work in autopkgtest. Could we
  carry a blob that could be test-booted in an autopkgtest please?

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks