[Summary]
- the package seems fine
- please subscribe the desktop team for maintenance
- yes, please get this up to v3.0 for 20.04
  - 3.0 has a bug at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819562
  - on that please add .symbols tracking
  - on that please drop the docs embedded jquery
  - plenty of deprecation warnings hopefully gone in 3.0 fixes LP: #1654458
- needs security review
[Duplication]
From very far away "XML handling c++ library" there are a few candidates in the archive. But none of them in main:
- libtinyxml2-6a
- libtinyxml2.6.2v5
- libxerces-c3.2
- libxmltooling8
- libxml++2.6-2v5
- libpugixml1v5

Also being a gnome lib [1] already means plenty of applications will use it.
And by being a wrapper to libxml2 which is in main it is less re-coding than some alternatives.
I think duplication is no issue for this MIR.

[1]: https://developer.gnome.org/libxml++/stable/

[Embedded sources and static linking]
OK:
- there seem to be no embedded sources of other projects
- no static linking
- no go code

[Security]
OK:
- no history of CVEs
- no daemon as root
- no webkit1,2
- no lib*v8 usage
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

The only thing that applies is that:
- it does parse data formats

And that it does through passing it to the already maintained libxml2 [2].
I think passing potentially externally controlled XML means there should be a security review, but it seems to me this one might be small and fast.
[2]: https://people.canonical.com/~ubuntu-security/cve/pkg/libxml2.html

[Common blockers]
OK:
- builds fine atm
- has and runs a test suite at build time
- no python considerations needed
- no translation (no user facing code)
Needs:
- desktop will need to be the bug subscriber

[Packaging red flags]
- no Ubuntu delta atm
- d/watch exists
- update history is somewhat slow (but upstream wasn't fast either)
- not MOTU maintained
- no massive Lintian warnings
- debian/rules is small and clean
- no golang vendoring
Not too bad, but also not ok:
- does not have .symbols tracking
- the current release isn't packaged (known todo)

[Upstream red flags]
- no (ignored) build errors
- no incautious use of malloc/sprintf (that I'd see)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of User nobody
- no use of setuid
- no important bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no Embedded source copies

** Bug watch added: Debian Bug tracker #819562
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819562

** Changed in: libxml++2.6 (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1843229

Title:
  [MIR] libxml++2.6

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libxml++2.6/+bug/1843229/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
