[Duplication]
- no such function in main

[Embedded sources and static linking]
There is plenty of js code, but that is the actual program.
None of it seems to be an embedded copy, but as Seth already mentioned IMHO 
javascript experts are rare within Ubuntu so be sure when you own the package 
to be willing and able to support it.

- no static linking
- no golang


[Security]
There are numerous spice CVEs 
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spice
As well as https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=html5
Which makes it hard to search for spice-html5, but I found none and Seth has 
given security Ack already.
Does not
- runs a daemon as root
- uses webkit1,2
- uses lib*v8 directly
- opens a port
- uses centralized online accounts
- integrates arbitrary javascript into the desktop
- deals with system authentication (e.g., pam), etc.

It does to some extent (as it is one side of a spice protocol connection):
- parses data formats
- processes arbitrary web content

[Common blockers]
- this does not actually build, so no FTBFS
- Unfortunately it has no test suite to run.
- openstack team is already subscribed
- not a python package

Not so good:
It has user visible messages in browser, but I found no translation.
The project just isn't that far evolved

[Packaging red flags]
- no Ubuntu delta
- no lib -> no symbols tracking
- watch file present
- Lintian is happy except usual non critical warnings
- d/rules is very clean (no real build)
- no golang, so no extra considerations for that

Not so good:
As outlined in comment #24 this seems to be potentially not meant for 
production level.
But that is the decision of the team owning it to maintain it still (or 
consider alternatives).

Also the current version is 0.2.1 and we only have 1.7, but that is
fairly recent so that is more a "please update" for 19.10 then.

[Upstream red flags]
- overall it seems a bit incomplete, I asked about that in comment #24 but 
JamesPage said it is ok for their needs.
- malloc/sprintf/sudo all don't really apply as it is JS code that runs in 
the browser's sandboxed mode
- there are open bugs and slow responses to them, but none critical for us
- no Dependency on webkit, qtwebkit, seed or libgoa-*

Not so good:
This is essentially a copy of the code without any checks.
If upstream adds even syntax errors we won't spot it.
I know JS isn't built, but maybe we could replace the build with a syntax 
checker and/or other validation tools then?

[Summary]
This seems ok from the MIR team's POV in general.
There is a bit of a low quality expectation due to upstream considering 
themselves still only a prototype.
I'm somewhat afraid this will be pulled in only because it "should (tm)" work 
with websockify.
On my security concerns you have already Seth's Ack (who also wasn't too 
happy), so I'm not challenging that too much.
We just agreed on IRC to punt spice to next cycle:
[09:31] <jamespage> cpaelzer: lets push the spice-html5 to next cycle - sounds 
like we need to re-review anyway

You have an ACK from the MIR team under a bunch of constraints outlined
below which you should resolve before this can go into 19.10 then:

To ensure a base level (requirement for the ack)
- sit someone down for a day installing that for real
- use it with Openstack
- (try to) use it without openstack as well
- is it really providing what you want/need?
TODO => State on the bug the result of your testing!
- check all the general Spice CVEs if any apply to this JS based code (might 
just not be tracked against spice-html5 but apply)
TODO => State on the bug the result of your CVE check per CVE why they do not 
apply!
- update to 0.2.x
TODO => Then feel free to set it to "in progress" to reflect that it is 
approved.

To make it even better (optional)
- add JS checker as build replacement
- add some self-tests
- add autopkgtest based on your experiments above


** Changed in: spice-html5 (Ubuntu)
     Assignee: Christian Ehrhardt  (paelzer) => (unassigned)

https://bugs.launchpad.net/bugs/1108935

Title:
  [MIR] websockify, spice-html5