[Summary]
MIR team ACK from a packaging and code review perspective given the team
subscription is done.
This does need a security review, so I'll assign ubuntu-security.
Required:
- subscribe foundations to the package
[Duplication]
There is no other package in main providing the same functionality. This is the
main sys package used in the Go community.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking, expect Go
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
Problems:
- Do a lot of syscalls as integrate deeply with the targeter platform. A
security team check will be required for this reason.
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- does NOT have a test suite that runs as autopkgtest, but it’s a library which
will be statically built.
- no translation present, but none needed for this case?
- Go package that uses dh-golang
Problems:
- The package has no team bug subscriber (Should be Foundations, please
subscribe)
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream doest not make releases
- Debian update history is sporadic, but there is no new commits necessary
right now
- promoting this does not seem to cause issues for MOTUs that so far who
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Go Package that follows the Debian Go packaging guidelines
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks
** Changed in: golang-golang-x-sys (Ubuntu)
Assignee: Didier Roche (didrocks) => Ubuntu Security Team (ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1894731
Title:
[MIR] golang-*, Go build dependencies of google-guest-agent
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-github-gcp-guest-logging-go/+bug/1894731/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
