[Duplication]
This is part of the six core packages of mailman3 that pull in further components as needed. Since this represents mailman doing mailing list processing there is a duplication to mailman2. But the intention is to stop seeding mailman2 as soon as mailman3 got promoted.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE/Security history for this package. But there is enough for mailman2 (and a bit for 3) that we should expect not (much) less in the future when it becomes more widely used.
=> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman

It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- integrate arbitrary javascript into the desktop
- deal with system authentication
- use centralized online accounts

But it does:
- process arbitrary web content
- parse data formats

This is the web UI to the archiving (hyperkitty).
A security review is recommended on this package.

[Common blockers]
- builds fine at the moment
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3
- build time tests and in addition autopkgtest are run

[Packaging red flags]
- no current Ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

[Upstream red flags]
- no suspicious errors during build (a few warnings, but nothing serious)
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
Ack from the MIR-Teams POV, but as outlined above a security review is recommended.
Assigning the security Team.

** Changed in: hyperkitty (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1820196

Title:
  [MIR] hyperkitty as dependency of mailman3
