[Summary]
- What is going to happen to sane-escl? Can we remove it from sans-backends,
not shipping if or separate it to demote it to universe?
- Can we remerge the version against latest upstream? (We lag one version
behind compared to debian testing).
- Related to above: can we resync with debian using an alternative build-dep?
(debian-build-dep | ubuntu-build-dep)?
- Will this package be brought as a recommends of another package or seeded
directly?
- Once all those questions are answered, happy to forward it to the security
team for a security review.
[Duplication]
Nothing to add over the top request if sane-escl can be removed from main.
[Dependencies]
OK:
- nothing outside main
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
[Security]
OK:
- no CVEs, but really fresh new package.
- does not use webkit2,2
- does not use lib*v9 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not open a port directly (but will communicate through opened port via
sane and zeroconf subcription)
- does not run a daemon as root
Problems:
- does parse a lot of data in different formats (xml, via http…): needing a
security review
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time (good size)
- test suite fails will fail the build upon error.
- no translation on CLI tool (but this is only a debugging discover command,
common to not have them here). Messages returned to Sane are translated though.
- not a python package, no extra constraints to consider int hat regard
- C package that uses dh standard tool
- Team subscription is OK
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good, but short
- upstream do regular releasse (upstream tarball are created via CI)
- promoting this does not seem to cause issues for MOTUs that so far maintained
the package
- no lintian issue
- d/rules is clean and minimal
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- no upstream bug opened at this date (51 bugs opened closed, so good upstream
hygiene)
** Changed in: sane-airscan (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1891682
Title:
[MIR] sane-airscan
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sane-airscan/+bug/1891682/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
