Review for Source Package: src:librdkafka
[Summary]
Package librdkafka is a C library implementation of the Apache Kafka protocol,
providing Producer, Consumer and Admin clients. It was designed with message
delivery reliability and high performance in mind; current figures exceed 1
million messages/second for the producer and 3 million messages/second for the
consumer.
MIR team ACK under the constraint to resolve the below listed required
TODOs and as much as possible having a look at the recommended TODOs.
List of specific binary packages to be promoted to main: All
Specific binary packages built, but NOT to be promoted to main: None
Notes:
#0 - Currently, no other package in main appears to Depend on, or Recommend,
librdkafka. It is a build-dependency to a few packages. This needs
clarification from the reporter.
Required TODOs:
#1 - The package should get a team bug subscriber before being promoted
#2 - The binary packages that are to be promoted to main are not listed. It is
assumed that all the three (librdkafka1, librdkafka++1, librdkafka-dev) are to
be promoted. Kindly confirm.
#3 - The intent to have src:librdkafka in main is not yet clear. No other
package in main seems to have librdkafka in Depends or Recommends. If you
intend to introduce it as a runtime dependency for another package in future,
kindly share the plan.
#4 - The current upstream release (v2.11.0) is not packaged. Please package
this release or provide an explanation for not doing so.
Recommended TODOs:
#5 - The upstream build reports around 1360 warnings. Please consider fixing
these.
This does need a security review, so I'll assign ubuntu-security.
=> The upstream project vendors code from other projects. This needs a
security assessment.
=> The CVE history is not significant.
[Rationale, Duplication and Ownership]
OK:
- There is no other package in main providing the same functionality.
Problems:
- A team is committed to own long term maintenance of this package.
=> Please have a team subscribed to the package.
- No reverse-depends or reverse-recommends currently in main
=> Please specify why it is desirable to have this package in main.
Please note that build-dependencies of main packages may be in universe.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- SRCPKG checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends and
Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more
tests in main
Problems: None
[Embedded sources and static linking]
OK:
- no static linking
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- does not have unexpected Built-Using entries
Problems:
- upstream embedded sources present, the packaging seems to override use of
embedded lz4 only
=> src/lz4*, src/cJSON*, src/nanopb/*, src/opentelemetry/*, src/tinycthread*
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
- does parse data formats (json, protocol buffers) from untrusted sources
- does expose a configurable, external endpoint
- no risk mitigation features used for this known exposure
=> This may not be a problem
Problems: None
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- not a Python package
- not a Go package
Problems: None
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place.
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems:
- the current upstream release (v2.11.0) is not packaged
[Upstream red flags]
OK:
- no incautious use of malloc/sprintf
=> malloc() wrapped into rd_malloc()
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user 'nobody' outside of tests
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- no translation present, but none needed for this case (user visible)?
Problems:
- 1362 warnings in upstream build
- 523 instances of "warning: ‘free’ called on unallocated object"
- 838 instances of "warning: 'free' called on pointer"
- warning: ‘CURLOPT_PROTOCOLS’ is deprecated: since 7.85.0
** Changed in: librdkafka (Ubuntu)
Assignee: Pushkar Kulkarni (pushkarnk) => (unassigned)
** Changed in: librdkafka (Ubuntu)
Status: New => Incomplete
https://bugs.launchpad.net/bugs/2119045
Title:
[MIR] librdkafka