golang-github-go-ini-ini [Summary] MIR team ACK under the condition that the subscription is added. This also does need a security review, so I'll assign ubuntu-security.
Required: - subscribe foundations to the package TODOs: - Tests are actively disabled in d/rules atm. TA check for enabling them before promoting will be really appreciated. - Evaluate updating to a newer version. [Duplication] I didn’t find any duplication in main, and this package is the most well known ini parser. It’s imported but a bunch of project: https://pkg.go.dev/github.com/go-ini/ini?tab=importedby [Dependencies] OK: - no other dependencies [Embedded sources and static linking] OK: - no embedded source present - Go statically link by essence [Security] OK: - history of CVEs does not look concerning - does not open a port - does not use webkit1,2 - does not use lib*v8 directly - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does run a daemon as root Problems: - parse data formats (ini file). A security team check will be required for this reason. [Common blockers] OK: - does not FTBFS currently - no translation present, but none needed for this case - not a python package, no extra constraints to consider in that regard - Go package that uses dh-golang TODO: Problems: - does have a test suite that do not run at build time nor as autopkgtests. It has some benchmarks and tests. I think tests are disabled because it’s using go-convey. But it can be kept as a build-deps only. - The package has no team bug subscriber (Should be Foundations, please subscribe) [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking not applicable for this kind of code. - d/watch is present and looks ok - Upstream does regular release - The package is way behind upstream code (1.61.0 vs 1.32.0) and is 2 years old - Debian/Ubuntu update history is ok - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - d/rules is rather clean - Go Package that follows the Debian Go packaging guidelines Warning: - The package is way behind upstream code (1.61.0 vs 1.32.0) and is 2 years old [Upstream red flags] OK: - no Errors/warnings during the build - no incautious use of malloc/sprintf (Go) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH - no use of user nobody - no use of setuid - no important open bugs (crashers, etc) in Debian or Ubuntu - no dependency on webkit, qtwebkit, seed or libgoa-* - no embedded source copies - not part of the UI for extra checks ** Changed in: golang-github-go-ini-ini (Ubuntu) Assignee: Didier Roche (didrocks) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1894731 Title: [MIR] golang-*, Go build dependencies of google-guest-agent To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/golang-github-gcp-guest-logging-go/+bug/1894731/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
