[Duplication]
No duplication for this functionality in main at the moment.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE/Security history for this package.
It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- use centralized online accounts
- integrate arbitrary javascript into the desktop
- deal with system authentication
- process arbitrary web content
- parse data formats
=> Therefore IMHO there is no security review needed for this.

[Common blockers]
- builds fine at the moment
- utilizes build time self tests
- utilizes (rather trivial) smoke test as autopkgtest.
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3

[Packaging red flags]
- no current Ubuntu delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

The last build was really long ago (in wily) which is concerning about
the rebuildability. But in a disco build today it worked, so it is fine.

Not perfect but ok:
- past updates to the package were sporadic (mostly as-is since initial packaging)
- due to that the most current release is not packaged (only a minor upgrade)
- The server team already took a task to check viability to update to the newest version on pypi

[Upstream red flags]
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

There is one suspicious error on build (a syntax error):
 959 byte-compiling /<<PKGBUILDDIR>>/debian/python-lazr.delegates/usr/lib/python2.7/dist-packages/lazr/delegates/_python3.py to _python3.pyc
 960   File "/usr/lib/python2.7/dist-packages/lazr/delegates/_python3.py", line 27
 961     def delegate_to(*interfaces, context='context'):
 962                                        ^
 963 SyntaxError: invalid syntax

That is not critical (a bit inelegant though).
It is a py2/py3 split that is done in __init__.py and only in the py3 case this file is included.
In py2, where this is a syntax error, it does not matter as there it is never used.
For py2 this file shouldn't be (tried to be) pycompiled at all, so room for improvement but nothing fatal.

[Summary]
MIR Team Ack as the package seems small, easy and sane to me.
As outlined above it will not need a security review.

Note: As the Server team has updating this on their task list already,
taking a look at the syntax error mentioned above as well would be nice.

** Changed in: lazr.delegates (Ubuntu)
       Status: New => In Progress

https://bugs.launchpad.net/bugs/1820200

Title:
  [MIR] lazr.delegates as dependency of mailman3