Review for Package: pipewire-media-session
[Summary]
No MIR team ack until the Required TODO about testing is complete. The rest
looks OK to me.
Notes:
* Required TODO:
As written in the MIR template:
RULE: - If no build tests nor autopkgtests are included, and/or if the package
RULE: requires specific hardware to perform testing, the subscribed team
RULE: must provide a written test plan in a comment to the MIR bug, and
RULE: commit to running that test either at each upload of the package or
RULE: at least once each release cycle. In the comment to the MIR bug,
RULE: please link to the codebase of these tests (scripts or doc of manual
RULE: steps) and attach a full log of these test runs. This is meant to
RULE: assess their validity (e.g. not just superficial)
I do see the rationale and difficulties due to not having usptream tests, but
the written test plan is not optional and should be part of the request as
documented. However, I don’t see it from the bug description:
"- Since there are no tests we will manually test that it's working. We plan to
use limited features since pulseaudio is staying our default sound service and
we limit the pipewire usage to what is needed for gnome-remote-desktop, which
means testing that screen recording and sharing is working under GNOME, under
xorg and wayland sessions."
This is a little bit too vague IMHO. I suggest that you write a test plan which
can be either hold in ubuntu wiki (or better), in the package itself to ensure
that the person releasing a new update have it executed before each upload.
Then, please, link it in the description so that we can refer to it later and
we can reasses the MIR status.
The net benefit is that those tests could be reused with the switch to
wireplumber.
* Recommended TODO:
Check the warning in build logs (see below)
[Duplication]
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the (potentially auto-generated) dependencies (Depends
and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
Problems:
- Some dependencies in main that are only superficially tested (pipewire), but
those could be covered by the is package with the manual written solid test.
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
OK:
- not a go package, no extra constraints to consider in that regard
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
[Common blockers]
OK:
- does not FTBFS currently
- no new python2 dependency
Problems:
- does not have a test suite that runs at build time
- does not have a non-trivial test suite that runs as autopkgtest
- no written test plan, code log provided
- not covered via other end to end autopkgtests
-> see the required TODO.
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- Can’t assess upstream update (only 2 releases so far)
- Can’t asses Debian/Ubuntu update history due to above
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list
[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- translation is present
Problems:
- It seems some potential out of bound memcopy is done triggering a warning at
build-time:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: warning: ‘memcpy’
offset [1025, 9223372036854775807] is out of the bounds [0, 1024] of object
‘buffer’ with type ‘char[1024]’ [-Warray-bounds]
29 | return __builtin___memcpy_chk (__dest, __src, __len,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
30 | __glibc_objsize0 (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/policy-node.c: In function ‘check_passthrough.part.0’:
../src/policy-node.c:232:14: note: ‘buffer’ declared here
232 | char buffer[1024];
| ^~~~~~
Could this be investigated?
** Changed in: pipewire-media-session (Ubuntu)
Assignee: Didier Roche (didrocks) => (unassigned)
** Changed in: pipewire-media-session (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1952924
Title:
[MIR] pipewire-media-session
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pipewire-media-session/+bug/1952924/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
