[Summary]
- All dependencies should be filed as MIRs (and their dependencies).
- Would be nice to have the services more confined via systemd.
- Once done and dependencies are ACKed, this is fine by me, but will need a security review.

[Duplication]
OK: Nothing to add over the top request as it's a code split.

[Dependencies]
TO BE FIXED: Most of the build-deps are in universe:
* golang-github-go-ini-ini-dev binary and source package is in universe
* golang-github-golang-groupcache-dev binary and source package is in universe
* golang-github-kardianos-service-dev binary and source package is in universe
* golang-github-tarm-serial-dev binary and source package is in universe
* golang-github-gcp-guest-logging-go-dev does not exist (pure virtual?)
* golang-google-cloud-dev binary and source package is in universe
* golang-google-grpc-dev binary and source package is in universe
* golang-goprotobuf-dev binary and source package is in universe
Contrary to other languages, those need to be in main even if they are build dependencies. Indeed, the static linking nature of Go will make the code embedded and executed, and so the main package rules apply for them. I only check one level deep; you should attach to this MIR any dependencies of those dependencies ofc.

[Embedded sources and static linking]
OK:
- no embedded source present
- statically linked Go packages, as is the nature of the code.

[Security]
OK:
- no CVEs, but really fresh new package.
- does not use webkit2,2
- does not use lib*v9 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not open a port directly (but will communicate through an opened port via sane and zeroconf subscription)
Problems:
- multiple services running as root: can they be confined via systemd directives? Needs a security review
- communicates with external services: Needs a security review

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time (good size)
- test suite failures will fail the build upon error.
- no translation on CLI tool (but this is only a debugging discover command; it is common to not have them here). Messages returned to Sane are translated though.
- not a python package, no extra constraints to consider in that regard
- use of dh_golang
- Team subscription is OK
TO FIX:
- debian/copyright is wrong: copyright holder should be "Copyright: 2017-2020 Google Inc" from source headers

[Packaging red flags]
OK:
- Ubuntu only package
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Ubuntu update history is good, but short
- Upstream is active, but without release. Note that d/watch is pointing correctly to fetch a version. However, the project is seeing fewer changes for the past months (only small fixes), so the lack of release isn't much of an issue for stable code.
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no lintian issue
- d/rules is clean and minimal
- d/control standard for Go package

[Upstream red flags]
OK:
- use of Go modules. Note that dependencies are slightly outdated (and so can differ from our non-vendored version in ubuntu)
- standard Go code style
- good upstream testsuite (not hooked up to public CI though). No use of subtests though (old range loop style, probably due to old code)
- no Errors/warnings during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- few upstream bugs opened at this date (6 bugs opened, so good upstream hygiene)

** Changed in: google-guest-agent (Ubuntu)
Status: New => Incomplete
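As an added illustration of the confinement the [Security] section asks about (this is example configuration, not part of the review or of the google-guest-agent packaging): a systemd drop-in that keeps a root-running service but removes most of what root could otherwise do. The unit name, the writable paths, the socket families and the capability set are assumptions that must be checked against what the agent actually does; `systemd-analyze security <unit>` reports the remaining exposure before and after.

```ini
# /etc/systemd/system/google-guest-agent.service.d/hardening.conf
# Assumed unit name; use the unit the package really ships.
[Service]
# Still runs as root (it manages accounts and network state), but can
# never gain privileges beyond those it starts with.
NoNewPrivileges=yes
RestrictSUIDSGID=yes

# Read-only view of the OS; only the listed paths stay writable.
# Paths are assumptions about what a guest agent needs to update
# (accounts in /etc, authorized_keys under /home, its own state).
ProtectSystem=strict
ReadWritePaths=/etc /home /var/lib /run
PrivateTmp=yes

# No access to kernel tunables, modules, logs or cgroups.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes

# Socket families assumed necessary: metadata server over IP, local
# sockets, netlink for network configuration.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK

# Capability set is an assumption to verify against the agent's
# behaviour; anything not listed is dropped even though uid is 0.
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_SETUID CAP_SETGID CAP_NET_ADMIN

# Allow-list of syscalls typical for a system service; everything
# else fails with EPERM instead of killing the process, so gaps
# show up in the journal during testing.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload` and a restart, exercise the agent's full functionality and watch the journal for EPERM failures, relaxing individual directives only where a real need is demonstrated.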
https://bugs.launchpad.net/bugs/1891929
Title: [MIR] google-guest-agent