[Summary]
This package is acceptable for MIR, with my only concern being the very
long period between releases upstream, and the lack of upstream commits
pulled into Debian and/or Ubuntu between upstream releases.

This does need a security review, so I'll assign ubuntu-security after
the next MIR team mtg, if the team agrees with my review.

Notes/TODOs:
As I'm new to the MIR team, I am making this approval conditional on
MIR team review of my review at the next MIR team mtg.

[Duplication]
- There is no other package in main providing the same functionality.
  - Note: as with my review for realmd, it is possible to perform manual
    configuration/steps for similar functionality; this package
    automates and simplifies much of the manual work.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - includes build dep from universe, but all binary deps are from main
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does parse data formats
- does deal with system authentication (eg, pam, etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build upon error.
    - added forced error to src pkg to verify
- The package has a team bug subscriber
  - MIR requestor is subscribed to all realmd bugs in Ubuntu
- not a python package
- not a Go package

Problems:
- does have a test suite that runs as autopkgtest
  - this is probably ok, since there are build-time tests run, and this
    is a relatively simple package
- no translation present
  - translation would be good to have, but probably is not a requirement
    as this package provides only a single tool, and that tool is at least
    partially used by end-users indirectly through realmd.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs
  - rarely, if ever, patched in Ubuntu
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- Not Go Package

Problems:
- Debian update history is slow
  - only updates are new upstream releases
  - while upstream does commit to git often, upstream releases are sparse;
    last upstream release was 6 months ago (good) but before that
    ~3.5 years ago (bad)
- Ubuntu update history is nonexistent
  - no Ubuntu patches to package for any currently supported release

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks


** Changed in: adcli (Ubuntu)
   Importance: Undecided => Medium

https://bugs.launchpad.net/bugs/1868159

Title:
  [MIR] adcli
