[Summary]
With only minor issues noted below, this appears appropriate for an ACK from the MIR team; as fwupd is already in main and this is simply split off from that package, and required for newer versions of the package, it makes sense to include this in main as well.

This does need a security review, so I'll assign ubuntu-security.

Notes/TODOs:
I do think the few minor issues should be fixed as noted below and summarized here:
- Fix CVE-2020-10759 in Focal libjcat
- Fix minor build warnings
- Foundations should subscribe to the package bugs

Also as noted below, the 'jcat-tool' program ideally should have translations, but since the primary use of this package is (presumably) as a library for fwupd, lack of translations for the only tool does not seem worth blocking MIR.

[Duplication]
- There is no other package in main providing the same functionality.
  * fwupd previously provided this, but split it off

[Dependencies]
OK:
- no other Dependencies to MIR due to this
Problems:
- dev and test binaries that should be excluded from main:
  * libjcat-dev
  * libjcat-tests

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
Problems:
- history of CVEs is small (1 CVE), which is fixed in fwupd but not libjcat in focal
  * https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10759.html
  * note that nothing in focal actually uses libjcat, so this is probably ok
- does parse data formats
  * lib purpose is "reading and writing gzip-compressed JSON catalog files"

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  * build test suite is only 2 tests, but it does exist
- test suite failures will fail the build upon error.
  * verified by adding forced failure to one of test cases
- does have a test suite that runs as autopkgtest
- not a python package, no extra constraints to consider in that regard
- no new python2 dependency
- not Go package
Problems:
- The package has no team bug subscriber
  * as this pkg is broken out from fwupd, the team bug subscriber should probably be the same
  * fwupd bug subscriber is Ubuntu Foundations Bugs
- no translation present
  * only user-visible tool is 'jcat-tool'

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
  * however, the project is VERY new, as it was just split off fwupd
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
  * the package has no Ubuntu delta and is too new
- no massive Lintian warnings
- d/rules is rather clean
- not using Built-Using
- not Go Package

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks
Problems:
- minor warnings during the build:
  * build warning about wrong meson version target:
    WARNING: Project specifies a minimum meson_version '>=0.49.2' but uses features which were added in newer versions:
     * 0.50.0: {'install arg in configure_file'}
     * 0.51.0: {'modules arg in python.find_installation'}
  * several warnings when building docs
  * dpkg-gencontrol: warning: Depends field of package libjcat-dev: substitution variable ${shlibs:Depends} used, but is not defined

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10759

** Changed in: libjcat (Ubuntu)
     Assignee: Dan Streetman (ddstreet)
=> Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1884003
Title: [MIR] libjcat
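The meson version warning quoted in the review above, together with the fix a packager would apply, as an added illustration that is not part of this review nor libjcat's own meson.build (the project name, file names and module list are placeholders):

```meson
# Added illustration, not libjcat's actual meson.build.
# The warning in the review arises when the declared minimum meson version
# is older than the features the build file actually uses. Raising the floor
# to the newest feature in use (0.51.0 here) silences the warning and records
# the real requirement for anyone building the package.
project('example-lib', 'c',
  version : '0.0.0',
  meson_version : '>=0.51.0',   # was '>=0.49.2', which triggers the warning
)

# The 'install' keyword on configure_file() was added in meson 0.50.0
configure_file(
  input : 'config.h.in',
  output : 'config.h',
  configuration : configuration_data(),
  install : false,
)

# The 'modules' keyword on python.find_installation() was added in meson 0.51.0
python = import('python').find_installation('python3', modules : ['gi'])
```

The alternative, keeping `meson_version : '>=0.49.2'` and dropping the two newer keyword arguments, is only worth it if the package must build on a distribution whose meson is older than 0.51; otherwise the bump is the smaller and more honest change.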
