This is a special case, as we have the newer versions already in main in Bionic.
Therefore the evaluation checks if the older version has CVEs, packaging issues
and such - but is no full re-evaluation.
[Duplication]
No duplication, it is one of the more common python backends for cryptography.
[Embedded sources and static linking]
- no embedded sources
- no static linking
- no golang
[Security]
This is one of the biggest parts of the re-check as we need to ensure that the
older version has no known or unmaintainable deficiencies
But it seems fine - no existing CVEs associated.
It still is security sensitive, as it's purpose is to handle tokens that
entitle users of a given feature.
Therefore I'd want an ack by the ubuntu-security team - which given it is a
re-review should go fast as well.
[Common blockers]
- builds fine in Xenial last time, I asked for a rebuild to prove that also
trusty will be fine
- Testsuite is running and blocking build on Xenial as well as on newer versions
- the server team is already subscribed to the package
- no user visible output that needs translation
- only python3 dependencies are used (but then for Xenial/Trusty this wouldn't
even be important)
- dh_python is in use
[Packaging red flags]
- no Ubuntu delta?
- a symbols file is tracking ABI on build
- debian/watch present
- updates were ok so far (it isn't moving too fast thou)
- no massive Lintian warnings
- very clean d/rules (almost only dh @)
[Upstream red flags]
- no build errors on the Xenial version that will be added to main
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- one older bug, but nothing serious or affecting the MIR
- no dependency on webkit, qtwebkit, seed or libgoa-*
[Summary]
As expected - since the newer versions are already in main - this wasn't too
critical.
After comparing the differences of the version in main in bionic to what shall
be promited in Xenial/Trusty there were no blockers identified.
TODOs:
@Chad - since this wasn't built a long time in Xenial and never before in
Trusty. Could you please provide a PPA that builds the set of three packages in
both Releases?
@Security - this package does cryptography, so IMHO security ack is
needed. The reason for that is that the version in main is libsodium23
at 1.0.16-2 or higher but for Xenial/Trusty it will be libsodium18 at
1.0.8-5 (as in Xenial). I'll do the assign on the bug tasks.
** Changed in: libsodium (Ubuntu Trusty)
Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team
(ubuntu-security)
** Changed in: libsodium (Ubuntu Xenial)
Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team
(ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1621386
Title:
[MIR] libsodium
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libsodium/+bug/1621386/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
