Doing the usual MIR checks I found most of them to be good:
- Duplication: it is actually deduplicating the embedded copies
- no lintian complains about packaging
- no functional bugs in Debian / Ubuntu yet (not used that much though)
- Upstream is at [1] and LGTM
- no embedded other libs
- no static linking
- d/rules and d/control are very clean
- meson build seems straight forward
- hardening=+all is in place
- runs (a few) build time self-tests
- you volunteered Ubuntu-Desktop as package subscriber
- no FTBFS currently nor in the recent history
- symbols are tracked for dh_makeshlibs
- packaging has the most current release and updates ~monthly at least for now
- LD_LIBRARY_PATH only used in build
- no sudo (or similar) usage

Not perfect, but ok:
- autopkgtest only tests pkg-config and build against libhandy-dev
- yes it has no CVEs (yet), but it is too new to really know; a security 
evaluation is needed (probably ok though since the similar code is atm bundled in 
other packages in main)
- it has internationalization prepared (po/*) but only English so far
- usually a watch file would be nice but since upstream ~= Debian and doesn't 
release tarballs (but git tags) this doesn't really apply
- at least the -dev package depends on further universe packages, e.g. 
libgladeui-2-6; do you intend (and ensure) to only pull libhandy-0.0 but no 
others to main?

Questions:
- the version number 0.0.7 is very unconvincing; does that mean it is still 
changing API/ABI frequently? Do you know if there is any major release planned 
that we should wait for?
- Debian bug 909075 holds it back from Debian and testing/integration there, 
should we wait until that is resolved (probably post buster) to move to it as 
well?
- (minor) build issues that could be resolved; do you want to contribute to Debian 
to even clean those?
  - "dpkg-gencontrol: warning: Depends field of package gir1.2-handy-0.0: 
substitution variable ${shlibs:Depends} used, but is not defined"
  - the docs might be incomplete "warning: no link for ..."

It will be nice to get the answers to the questions above resolved
before completion, but IMHO we can already assign this to security for
their review to appear on their queue.

[1]: https://source.puri.sm/Librem5/libhandy
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909075

** Bug watch added: Debian Bug tracker #909075
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909075

** Changed in: libhandy (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
https://bugs.launchpad.net/bugs/1815483

Title:
  [MIR] libhandy
