FYI: Demand might arise due to libopcodes (the so far used alternative) being relicensed to GPL3 and not being usable by qemu. That will make newer instructions and architectures have a problem over time (as it bit-rots).
See the mail enabling it in qemu [1] for details and some background. But for now things are ok'ish. I'd mostly expect that down the road it might be requested by s390x/PPC or for newer vector instructions Intel (more likely than by actual community/users IMHO) to make the switch.

[1]: https://lists.gnu.org/archive/html/qemu-devel/2017-09/msg03915.html

** Description changed: INFO: I think this will be a MIR nack, but I wanted to file it to document why. TL;DR: we need two things that need to change to go on with this: - prove there is a real need for this - a team has to step up wanting to own this package --- Availability: The package is in Universe at least since Xenial Rationale: IMHO currently there is a rather low interest in this. It came in by qemu in Debian now enabling it, but we never had anybody ask for extended disassembly support so I'd think at least for now it might be not a huge demand. Security: The security history and the current state of security issues in the package must allow us to support the package for at least 9 months (60 for LTS support) without exposing its users to an inappropriate level of security risks. This requires checking of several things that are explained in detail in the subsection Security checks. 
Quality assurance: - the package seems to work for the use cases it has so far - no weird packaging hacks in place The package is maintained well in Debian/Ubuntu (check out the Debian PTS) - no bugs in Ubuntu - only a "get the new Version" bug in Debian + - had one CVE in the past (CVE-2017-6952) but was fixed rather fast UI standards: - this has a console based UI in regard to show the disassembly - not internationalized Standards compliance: - seems to be ok for FHS and Debian Policy standards Maintenance: - Due to the low demand nobody stepped up wanting to own the package for Main Background information: - the self set target is no less than "Our target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community." - It might be useful for debug/analysis of guests ** Description changed: INFO: I think this will be a MIR nack, but I wanted to file it to document why. TL;DR: we need two things that need to change to go on with this: - prove there is a real need for this - a team has to step up wanting to own this package --- Availability: The package is in Universe at least since Xenial Rationale: IMHO currently there is a rather low interest in this. It came in by qemu in Debian now enabling it, but we never had anybody ask for extended disassembly support so I'd think at least for now it might be not a huge demand. - Security: The security history and the current state of security issues - in the package must allow us to support the package for at least 9 - months (60 for LTS support) without exposing its users to an - inappropriate level of security risks. This requires checking of several - things that are explained in detail in the subsection Security checks. + Security: + - had one CVE in the past (CVE-2017-6952) but was fixed rather fast (upstream) + - The release policy seems a bit unreliable. 
+ Upstream only released -rc levels of 3.0.5 but calls it "the latest release" on their webpage, that feels a bit wrong at least in coparison to usual release policies (rc2 in may 2017, rc3 in July 2017, no final release yet - we have mid 2018 now) Quality assurance: - the package seems to work for the use cases it has so far - no weird packaging hacks in place The package is maintained well in Debian/Ubuntu (check out the Debian PTS) - no bugs in Ubuntu - only a "get the new Version" bug in Debian - - had one CVE in the past (CVE-2017-6952) but was fixed rather fast + - If anything updates are a bit slow, e.g. 3.0.5 which contains the CVE fix is not yet picked - OTOH this still is on -rc level UI standards: - this has a console based UI in regard to show the disassembly - not internationalized Standards compliance: - seems to be ok for FHS and Debian Policy standards Maintenance: - Due to the low demand nobody stepped up wanting to own the package for Main Background information: - the self set target is no less than "Our target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community." - It might be useful for debug/analysis of guests ** Changed in: capstone (Ubuntu) Status: Invalid => Incomplete ** Description changed: INFO: I think this will be a MIR nack, but I wanted to file it to document why. TL;DR: we need two things that need to change to go on with this: - prove there is a real need for this - a team has to step up wanting to own this package --- Availability: The package is in Universe at least since Xenial Rationale: IMHO currently there is a rather low interest in this. It came in by qemu in Debian now enabling it, but we never had anybody ask for extended disassembly support so I'd think at least for now it might be not a huge demand. Security: - had one CVE in the past (CVE-2017-6952) but was fixed rather fast (upstream) - The release policy seems a bit unreliable. 
- Upstream only released -rc levels of 3.0.5 but calls it "the latest release" on their webpage, that feels a bit wrong at least in coparison to usual release policies (rc2 in may 2017, rc3 in July 2017, no final release yet - we have mid 2018 now) + Upstream only released -rc levels of 3.0.5 but calls it "the latest release" on their webpage, that feels a bit wrong at least in coparison to usual release policies (rc2 in may 2017, rc3 in July 2017, no final release yet - we have mid 2018 now) Quality assurance: - the package seems to work for the use cases it has so far - no weird packaging hacks in place The package is maintained well in Debian/Ubuntu (check out the Debian PTS) - no bugs in Ubuntu - only a "get the new Version" bug in Debian - - If anything updates are a bit slow, e.g. 3.0.5 which contains the CVE fix is not yet picked - OTOH this still is on -rc level + - If anything updates are a bit slow, e.g. 3.0.5 which contains the CVE fix is not yet picked - OTOH this still is on -rc level (see above). packaging updates (3.0.4-<DEBVER>) are more frequent, see https://tracker.debian.org/pkg/capstone UI standards: - this has a console based UI in regard to show the disassembly - not internationalized Standards compliance: - seems to be ok for FHS and Debian Policy standards Maintenance: - Due to the low demand nobody stepped up wanting to own the package for Main Background information: - the self set target is no less than "Our target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community." - It might be useful for debug/analysis of guests -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. 
https://bugs.launchpad.net/bugs/1782074
Title: [MIR] capstone
