[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-26 Thread Christian Ehrhardt 
FYI: team subscription issue resolved ~mir-team is now subscribed.
Thanks everyone involved.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1843229

Title:
  [MIR] libxml++2.6

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libxml++2.6/+bug/1843229/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-23 Thread Chris Halse Rogers
** Changed in: libxml++2.6 (Ubuntu)
   Status: In Progress => Fix Released


[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-23 Thread Christian Ehrhardt 
Great - thanks Steve, per [1] that means this is "In Progress" and RAOF
can push this to Eoan now.

[1]: https://wiki.ubuntu.com/MIRTeam#Process_states

** Changed in: libxml++2.6 (Ubuntu)
   Status: New => In Progress


[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-20 Thread Steve Beattie
I reviewed libxml++2.6 2.40.1-3 as checked into eoan.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
While libxml++2.6 is currently in universe, it used to be in main in Ubuntu
14.04 and 12.04.

libxml++2.6 is a C++ wrapper for the libxml2 XML parser library.


- No CVEs found in its history.
- It Build-Depends as you'd imagine on libxml-dev and gobject/glibmm stuff
- It has no pre/post inst scripts
- It has no init scripts
- It has no systemd units
- It provides no dbus services
- It does not include any executable binaries, setuid/setgid or
  otherwise.
- It does not provide any sudo fragments
- It does not add any udev rules
- There are a small number of unit tests that are run at
  build time.
- There are no autopkgtests
- It does not include any cron jobs
- The build itself included a bunch of deprecated function usage warnings
- Packaging is lintian clean
- No processes spawned

Code is C++, that looks relatively clean, though I did not dig into it
deeply, given that we had previously supported the package. Coverity
discovered a couple of resource leaks, and some uncaught exceptions,
but was mostly clean.

Security team ACK for promoting libxml++2.6 to main.

** Changed in: libxml++2.6 (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)


[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-11 Thread Chris Halse Rogers
Mir 1.4.0 (which triggered this MIR) was uploaded prior to Feature
Freeze; I can submit an FFe for the MIR if necessary - it wasn't clear
to me that promotions to main were subject to feature freeze.

I'd like to get Mir 1.4.0 into 19.10. As I mentioned, if security review
bandwidth is low then this could be accomplished by demoting the binary
packages libmirwayland-dev and libmirwayland-bin to Universe. We could
then re-promote them in 20.04.


[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-11 Thread Matthias Klose
uploaded 10 days after feature freeze, and I don't see any FFe ...


[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-11 Thread Alex Murray
Is this MIR targeted for 19.10 or 20.04?


[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-11 Thread Christian Ehrhardt 
MIR ack under the condition of a security ack being given after their
review.


[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-11 Thread Christian Ehrhardt 
[Summary]
- the package seems fine
- please subscribe the desktop team for maintenance
- yes, please get this up to v3.0 for 20.04
  - 3.0 has a bug at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819562
  - on that please add .symbols tracking
  - on that please drop the docs embedded jquery
  - plenty of deprecation warnings hopefully gone in 3.0
fixes LP: #1654458
- needs security review

[Duplication]
From very far away "XML handling c++ library" there are a few candidates in
the archive.
But none of them in main:
- libtinyxml2-6a
- libtinyxml2.6.2v5
- libxerces-c3.2
- libxmltooling8
- libxml++2.6-2v5
- libpugixml1v5

Also being a gnome lib [1] already means plenty of applications will use it.
And by being a wrapper to libxml2 which is in main it is less re-coding than 
some alternatives.

I think duplication is no issue for this MIR.

[1]: https://developer.gnome.org/libxml++/stable/

[Embedded sources and static linking]
OK:
- there seem to be no embedded sources of other projects
- no static linking
- no go code

[Security]
OK:
- no history of CVEs
- no daemon as root
- no webkit1,2
- no lib*v8 usage
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

The only thing that applies is that:
- it does parse data formats

And that it does through passing it to the already maintained libxml2 [2].
I think passing potentially externally controlled XML means there should be a 
security review, but it seems to me this one might be small and fast.

[2]: https://people.canonical.com/~ubuntu-security/cve/pkg/libxml2.html


[Common blockers]
OK:
- builds fine atm
- has and runs a test suite at build time
- no python considerations needed
- no translation (no user facing code)

Needs:
- desktop will need to be the bug subscriber

[Packaging red flags]
- no Ubuntu delta atm
- d/watch exists
- update history is somewhat slow (but upstream wasn't fast either)
- not MOTU maintained
- no massive Lintian warnings
- debian/rules is small and clean
- no golang vendoring

Not too bad, but also not ok:
- does not have .symbols tracking
- the current release isn't packaged (known todo)

[Upstream red flags]
- no (ignored) build errors
- no incautious use of malloc/sprintf (that I'd see)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of User nobody
- no use of setuid
- no important bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no Embedded source copies


** Bug watch added: Debian Bug tracker #819562
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819562

** Changed in: libxml++2.6 (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)


[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-09 Thread Chris Halse Rogers
** Description changed:

  [Availability]
  Available in Ubuntu since forever
  
  [Rationale]
  This is now a dependency of a package Mir produces; specifically 
libmirwayland-bin (and, transitively, libmirwayland-dev).
  
  [Security]
  No CVEs found(!)
  
  Library only; ships no suid binaries or daemons.
  
  It's a wrapper around libxml2, so inherits any of those security bugs,
  but we already support libxml2 in main.
  
  [Quality assurance]
  No serious bugs open in either Ubuntu or Debian.
  
  [Dependencies]
  Only libc, libstc++, the glibmm C++ wrapper and libxml2; all in main
  
  [Standards compliance]
  Relatively up to date. No serious lintian warnings except for an embedded 
jquery (oops!).
  
  [Maintenance]
  Maintained by the GNOME team in Debian; it's a part of the GNOME platform. 
It's missing the latest series of releases (with a new ABI: 3.0); I shall 
update this for 20.04, but it shouldn't be necessary for Eoan.
  
  [Background information]
- We needed a C++ XML parser for some Wayland work in Mir; there doesn't appear 
to be an existing C++ XML parser in main, and this is a GNOME-supported C++ 
wrapper around libxml2 found in main.
+ We needed a C++ XML parser for some Wayland work in Mir; there doesn't appear 
to be an existing C++ XML parser in main, and this is a GNOME-supported C++ 
wrapper around libxml2.
+ 
+ If this MIR is at all controversial we *could* instead demote
+ libmirwayland-dev and libmirwayland-bin to Universe; they should only
+ ever be used as build dependencies. The Mir team does intend to support
+ libmirwayland-dev and libmirwayland-bin, though, and a C++ XML library
+ seems a reasonable thing to have in main.


[Bug 1843229] Re: [MIR] libxml++2.6

2019-09-09 Thread Chris Halse Rogers
** Description changed:

  [Availability]
  Available in Ubuntu since forever
  
  [Rationale]
- This is now a dependency of a package Mir produces; specifically 
libmirwayland-bin (and, transitively, libmirwayland-dev). 
+ This is now a dependency of a package Mir produces; specifically 
libmirwayland-bin (and, transitively, libmirwayland-dev).
  
  [Security]
  No CVEs found(!)
  
  Library only; ships no suid binaries or daemons.
  
  It's a wrapper around libxml2, so inherits any of those security bugs,
  but we already support libxml2 in main.
  
  [Quality assurance]
  No serious bugs open in either Ubuntu or Debian.
  
  [Dependencies]
  Only libc, libstc++, the glibmm C++ wrapper and libxml2; all in main
  
  [Standards compliance]
- Relatively up to date. No serious lintian warnings.
+ Relatively up to date. No serious lintian warnings except for an embedded 
jquery (oops!).
  
  [Maintenance]
- Maintained by the GNOME team in Debian; it's a part of the GNOME platform. 
It's missing the latest series of releases (3.0); I shall update this for 
20.04, but it shouldn't be necessary for Eoan.
+ Maintained by the GNOME team in Debian; it's a part of the GNOME platform. 
It's missing the latest series of releases (with a new ABI: 3.0); I shall 
update this for 20.04, but it shouldn't be necessary for Eoan.
  
  [Background information]
  We needed a C++ XML parser for some Wayland work in Mir; there doesn't appear 
to be an existing C++ XML parser in main, and this is a GNOME-supported C++ 
wrapper around libxml2 found in main.
