I reviewed qtserialport-opensource-src version 5.2.1-1 as checked into trusty. This should not be considered a full security audit but rather a quick gauge of maintainability.
- This package provides Qt bindings for using serial ports
- Build-Depends: debhelper, libudev-dev, pkg-kde-tools, qtbase5-dev, libqt5sql5-sqlite, qttools5-dev-tools
- Does not use cryptography
- Does not use networking
- Does not daemonize
- postinst and postrm simply run ldconfig
- No initscripts
- No dbus services
- No setuid executables
- No sudo fragments
- No udev rules
- No cron jobs
- No test suite
- Build logs pretty clean, most warnings are documentation issues
- Spawned subprocesses used to keep executables small and run from libraries instead; no explicit argument handling
- Memory management looked careful
- File IO is restricted to serial devices and lock files
- Logging looked careful
- No environment variables
- No privileged portions of code
- No cryptography
- No networking
- No temporary files, though lock files may be stored in /tmp as a last resort
- No WebKit
- No Javascript
- No polkit
- Clean cppcheck

This code looked like usual-enough higher-level wrappers around an older and somewhat crufty interface. Not all features are implemented, which might be surprising, but not really a security issue.

Security team ACK for promoting qtserialport-opensource-src to main.

--
Title: [MIR] pyqt5
https://bugs.launchpad.net/bugs/1301108