A quick packaging check seems fine (this isn't a full review as it was in main already). d/watch present, d/rules reasonable and lintian sort of happy. A few like: W: luit source: build-depends-on-obsolete-package Build-Depends: pkg-config => pkgconf But that isn't a blocker.
The only CVE is super old and not a problem anymore AFAICS. https://www.cve.org/CVERecord?id=CVE-2009-0141 It is a bit outdated though, with newer releases on: - 2023-02-05 - 2024-01-02 So we'd usually ask to update it before promotion. But for this special case let us at least ensure it does not go backward. --- The old embedded luit is from cat debian/watch.luit #git=git://anongit.freedesktop.org/xorg/app/luit version=3 opts="pgpsigurlmangle=s/$/.sig/" \ https://xorg.freedesktop.org/releases/individual/app/ luit-(.*)\.tar\.gz That had releases until 2012 with v1.1.1. I compared a lot of - https://invisible-mirror.net/archives/luit/ vs - https://xorg.freedesktop.org/releases/individual/app/ going down that route I found the enlightening https://gitlab.freedesktop.org/xorg/app/luit/-/commit/2aaa5d75f1b92a5383af676dbd7f0998e26023ac We're not seriously maintaining this tool, we should stop pretending. ... This particular version of luit is vestigial. It's been hacked at randomly since X.Org 6.7, but is not actively maintained and has known issues. You are almost certainly better off using Thomas Dickey's version, which can be found at: http://invisible-island.net/luit/ The changelog of the luit embedded in x11-utils pulls back fixes from the one we now move to. example: 233 commit fddfe30c3ff91c83d0484b136e7673764e555555 234 Author: Jeremy Huddleston <[email protected]> 235 Date: Thu Jul 1 09:35:39 2010 -0700 236 237 Integrate changes from Thomas Dickey's luit-20100601 fork 238 ···· 239 * add -alias option to allow override of locale.alias pathname. 240 * improve fix waitForInput as suggested in Freedesktop #26383. 241 * fix warnings from clang --analyze 242 ···· 243 Signed-off-by: Jeremy Huddleston <[email protected]> The METRICS section of https://invisible-island.net/luit/ even compares the two. per release. It seems this goes back to 2009 https://lists.x.org/archives/xorg/2009-April/044897.html where xorg forked it, but as shown above has since then stopped maintenance and recommends the luit we now evaluate here. The question in regard to "is it ok" essentially is if anything concerning landed since that makes this require a bigger re-review. Reading https://invisible-island.net/luit/luit.log.html since ~2010 should match that. Rough count: - fix 11 - improve 18 - documentation 6 - features 13 - thereof concerning 0 - Almost all features are furthermore from 2013 and likely would have shown their brokenness since. Summary: - It is the same original codebase orignally - What we had in main evolved independently for a while under xorg - Xorg considers their version abandoned and recommends the invisible-islands version - That matches how the packaging changed to src:luit now (it is the better option) - None of the changes since forked seem concerning I think we can indeed promoted that as being (almost, actually better) the same to what we had in main already. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0141 ** Changed in: luit (Ubuntu) Status: Incomplete => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2078827 Title: [MIR] luit To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/luit/+bug/2078827/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
