-- For JQ --

[Summary]
MIR Team ack, but a security team review is required.

Recommended but optional:
- adding an autopkgtest would be useful to detect issues early on

[Duplication]
There is no other package in main providing the same functionality yet.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (other than the already listed ones)
- There is a dev package that will be auto-promoted, but without further
  problematic dependencies.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning (two cases, both seemed handled well)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

Problems:
- does parse data formats

Since there were issues with the parsing in the past this is worth a security
review.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider in that regard

Problems:
- does not have a test suite that runs as autopkgtest;
  currently unsure what to test on top of the build time tests, but if
  there are bugs and lessons learned down the road those should be added.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good (releases not too often, but fixes seem
  to be in time)
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
  - crash but minor https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943558
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks


** Bug watch added: Debian Bug tracker #943558
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943558

** Changed in: jq (Ubuntu)
     Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1889248

Title:
  [MIR] mdevctl, jq, libonig
