I reviewed glycin 1.2~beta.1+ds-2 as checked into plucky. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> Glycin is a sandboxed image loading library which allows decoding images
> into gtk:Texture structs and extracting image metadata.
> This MIR is conducted because `glycin` is a dependency of `loupe`, the
> new default image reader of GNOME.
- CVE History
  - none
- Build-Depends
  - debhelper-compat
  - meson (universe)
  - libcairo2-dev
  - libgtk-4-dev
  - libheif-dev (universe)
  - cargo:native
  - rustc:native
  - libstd-rust-dev
  - librust-async-fs-2+default-dev (universe)
  - librust-async-io-2+default-dev (universe)
  - librust-async-lock-3+default-dev (universe)
  - librust-blocking-1+default-dev (universe)
  - librust-cairo-rs-0.20+default-dev (universe)
  - librust-env-logger-0.11+humantime-dev (universe)
  - librust-futures-channel-0.3+default-dev (universe)
  - librust-futures-lite-2+default-dev (universe)
  - librust-futures-task-0.3+default-dev (universe)
  - librust-futures-timer-3+default-dev (universe)
  - librust-futures-util-0.3+default-dev (universe)
  - librust-gdk4-0.9+default-dev (universe)
  - librust-gdk4-0.9+v4-16-dev (universe)
  - librust-gio-0.20+default-dev (universe)
  - librust-glib-0.20+default-dev (universe)
  - librust-glycin-2+default-dev (universe)
  - librust-glycin-utils+default-dev (universe)
  - librust-glycin-utils+async-io-dev (universe)
  - librust-glycin-utils+loader-utils-dev (universe)
  - librust-gufo-0.2+all-image-formats-dev (universe)
  - librust-gufo-0.2+default-dev (universe)
  - librust-gufo-common-0.2+serde-dev (universe)
  - librust-gufo-exif-0.2+default-dev (universe)
  - librust-gufo-jpeg-0.2+default-dev (universe)
  - librust-image-0.25+default-dev (universe)
  - librust-jpeg-encoder-0.6+default-dev (universe)
  - librust-jpegxl-rs-0.10+image-dev (universe)
  - librust-jpegxl-sys-0.10+default-dev (universe)
  - librust-lcms2-6+default-dev (universe)
  - librust-lcms2-sys-4+default-dev (universe)
  - librust-libc-0.2+default-dev (universe)
  - librust-libseccomp-0.3+default-dev (universe)
  - librust-libheif-rs-1+default-dev (universe)
  - librust-librsvg-rebind-0.1+default-dev (universe)
  - librust-log-0.4+default-dev (universe)
  - librust-memfd-0.6+default-dev (universe)
  - librust-memmap2-0.9+default-dev (universe)
  - librust-nix-0.29+fs-dev (universe)
  - librust-nix-0.29+resource-dev (universe)
  - librust-nix-0.29+signal-dev (universe)
  - librust-paste-1+default-dev (universe)
  - librust-rmp-serde-1+default-dev (universe)
  - librust-safe-transmute-0.11+default-dev (universe)
  - librust-serde-1+derive-dev (universe)
  - librust-static-assertions-1+default-dev (universe)
  - librust-system-deps-7+default-dev (universe)
  - librust-thiserror-1+default-dev (universe)
  - librust-tokio-1+fs-dev (universe)
  - librust-tokio-1+rt-dev (universe)
  - librust-tokio-1+rt-multi-thread-dev (universe)
  - librust-tokio-stream-0.1+fs-dev (universe)
  - librust-tracing-0.1+default-dev (universe)
  - librust-tracing-subscriber-0.3+fmt-dev (universe)
  - librust-tracing-subscriber-0.3+env-filter-dev (universe)
  - librust-yeslogic-fontconfig-sys-5+default-dev (universe)
  - librust-zbus-5+p2p-dev (universe)
  - librust-zune-jpeg-0.4+default-dev (universe)
- pre/post inst/rm scripts
  - none
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
  - only interaction with dbus is in test suite
- setuid binaries
  - none
- binaries in PATH
  - uaudit reported a lack of stack protection flags on binaries
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - a test suite is run at build time, the build fails if it fails
  - there are no autopkgtests
- cron jobs
  - none
- Build logs
  - no errors
  - several warnings:
    - unused imports
    - unreachable code
    - unused methods/structs/traits
    - mutable/shared reference to mutable static
    - use of deprecated traits and unit variants
- Processes spawned
  - none
- Memory management
  - many uses of "unsafe" code blocks (necessary to interface with C libs)
  - many uses of raw pointers (once again, necessary to work with C libs)
- File IO
  - nothing stands out
- Logging
  - nothing stands out
- Environment variable usage
  - nothing stands out
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - none
  - some are created/used by the test suite
- Use of networking
  - none
- Use of WebKit
  - none
- Use of PolicyKit
  - none
- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - build-aux/dist-vendor.sh:6 lacks double quotation in the inner context
- Any significant bandit results
  - processes spawned with relative paths in tests and packaging scripts
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none
Relatively young project with active community, some stats about
upstream:
- Gnome gitlab repo created on May 21, 2023
- 445 commits, 4 releases
- 5 days since most recent commit
- 301 project members
- 4 open merge requests, 161 total
Security team ACK for promoting glycin to main, on condition that rust
dependencies are vendored in instead of relying on source packages.
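As an added illustration of the shellcheck finding class reported in the review (an unquoted variable expansion inside an inner context such as `$(...)`, where the outer double quotes give no protection), the following POSIX sh snippet shows the defective form beside the quoted fix. It is constructed example code, not line 6 of the glycin package's build-aux/dist-vendor.sh, and the function names and the sample path are made up.

```shell
#!/bin/sh
# Constructed example, not code from the glycin package or its
# build-aux/dist-vendor.sh. It shows why an unquoted variable inside $(...)
# is a real defect even when the enclosing string is double-quoted.

# Defective form: the outer "..." quotes the result of the command
# substitution, but $path inside it is still word-split by the shell.
# For a path containing a space, basename receives two operands and
# treats the second one as a suffix to strip, so the wrong name comes back.
name_unquoted() {
    path=$1
    printf '%s' "$(basename $path)"
}

# Fixed form: quote the expansion in the inner context too, so basename
# always receives exactly one operand regardless of spaces or glob
# characters in the value.
name_quoted() {
    path=$1
    printf '%s' "$(basename "$path")"
}

# Demonstration on a made-up vendoring path that contains a space.
demo_path='/srv/vendor dir/glycin-1.2.tar.xz'
printf 'unquoted: %s\n' "$(name_unquoted "$demo_path")"
printf 'quoted:   %s\n' "$(name_quoted "$demo_path")"
```

Run under `sh`, the first line prints `vendor` (basename saw `/srv/vendor` and `dir/glycin-1.2.tar.xz` as separate operands) while the second prints `glycin-1.2.tar.xz`. The same split also applies glob expansion to the unquoted value, which is why shellcheck treats missing inner quotes as a finding rather than a style nit.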
** Changed in: glycin (Ubuntu)
Status: Incomplete => In Progress
https://bugs.launchpad.net/bugs/2093182
Title:
[MIR] glycin