Comment 4 for bug 1953341

Ioanna Alifieraki (joalif) wrote (last edit ):

Review for Package: pcs

[Summary]
The package does not have any issues apart from having many dependencies
that need to be pulled into main and needing a sec review.
I noticed that there are 2 dependencies (ruby-open4 and python3-pyagentx) reported
by check-mir that are not in the long list of dependencies and there's no
MIR bug filed for those.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: pcs
Specific binary packages built, but NOT to be promoted to main: pcs-snmp

Notes:
Required TODOs:
1. There are 2 packages that need MIR (not yet in the known long list of dependencies):
   - ruby-open4 https://bugs.launchpad.net/ubuntu/+source/ruby-open4
   - python3-pyagentx https://launchpad.net/ubuntu/+source/pyagentx

2. The long list of ruby* packages whose MIR review is in progress:
- python3-dacite
  + MIR bug: https://bugs.launchpad.net/ubuntu/+source/dacite/+bug/1989628
- python3-tornado
  + MIR bug: https://bugs.launchpad.net/ubuntu/+source/python-tornado/+bug/1990191
- ruby-backports
  + MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-backports/+bug/1990565
- ruby-ethon
  + MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-ethon/+bug/1990571
  + ruby-ffi
    * MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-ffi/+bug/1990570
  + ruby-mime-types
    * MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-mime-types/+bug/1990569
    * ruby-mime-types-data
      - MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-mime-types-data/+bug/1990568
- ruby-json
  + MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-json/+bug/1990572
  + ruby-childprocess
    * MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-childprocess/+bug/1991839
- ruby-sinatra
  + MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-sinatra/+bug/1990579
  + ruby-rack
    * MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-rack/+bug/1990575
  + ruby-rack-protection (provided by src:ruby-sinatra)
    * MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-sinatra/+bug/1990579
  + ruby-mustermann
    * MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-mustermann/+bug/1990574
    * ruby-ruby2-keywords
      - MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-ruby2-keywords/+bug/1990573
  + ruby-tilt
    * MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-tilt/+bug/1990576
- thin
  + MIR bug: https://bugs.launchpad.net/ubuntu/+source/thin/+bug/1990582
  + ruby-daemons
    * MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-daemons/+bug/1990581
  + ruby-eventmachine
    * MIR bug: https://bugs.launchpad.net/ubuntu/+source/ruby-eventmachine/+bug/1990580

3. The package should get a team bug subscriber before being promoted

[Duplication]
There is the crmsh package already in universe providing the same functionality.
However, the [Rationale] section justifies pcs to be promoted to main.

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- other Dependencies to MIR due to this

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- history of CVEs does not look concerning but noticed these 2 CVEs that need triage:
  - https://ubuntu.com/security/CVE-2022-2735
  - https://ubuntu.com/security/CVE-2022-1049
- does run a daemon as root
- does deal with system authentication (e.g., pam, etc.)
- does open a port/socket
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency
- Python package, but using dh_python

Problems: None

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- the current release is packaged
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case

Problems: None