[Bug 1820192] Re: [MIR] flufl.i18n as dependency of mailman3

2019-07-02 Thread Christian Ehrhardt 
After evaluating dependencies, required further changes and mostly
maintainability for security and packaging it was decided there are too
many concerns - not about any single package in particular, but the
overall Mailman3 stack - about the ability to maintain and monitor it as
well as we need it for support in main.

We have closed the primary LP bug already, the MIRs that are already approved - 
like this one - will stay that way, but we will make no seed change to pull 
things in for now. Yet if other needs come up for those they have a prepared 
MIR already.
Other bugs which are not yet completed in terms of review will be closed as 
Won't Fix.

Even though it ended up being aborted, I think that is a valid outcome of the
MIR evaluations. Nevertheless I want to thank everybody involved for
all the work spent in what was nearly a year working through these MIRs.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820192

Title:
  [MIR] flufl.i18n as dependency of mailman3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flufl.i18n/+bug/1820192/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1820192] Re: [MIR] flufl.i18n as dependency of mailman3

2019-03-19 Thread Christian Ehrhardt 
[Duplication]
No duplication for this functionality in main at the moment.

There is flask.babel and elib.intl but they are universe as well.
Furthermore there is zope.i18nmessageid which is part of the same
mailman3 related overall MIR activity - but that provides a
different set of functions that are not really interchangeable.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE/Security history for this package.
It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- use centralized online accounts
- integrate arbitrary javascript into the desktop
- deal with system authentication
- process arbitrary web content
- parse data formats
=> Therefore IMHO there is no security review needed for this.

[Common blockers]
- builds fine at the moment
- utilizes build time self tests
- utilizes (rather trivial) smoke test as autopkgtest.
- Server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3

[Packaging red flags]
- no current Ubuntu delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

[Upstream red flags]
- no suspicious errors during build
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
MIR Team Ack as the package seems small, easy and sane to me.
As outlined above it will not need a security review.


** Changed in: flufl.i18n (Ubuntu)
   Status: New => In Progress
