Review for Source Package: libfile-libmagic-perl
[Summary]
This is an example of a package that does not change because it does not have
to.
It is just a very thin layer to make perl cals to `file` function without
shelling out.
70% of the code file is documentaiton, and what is left is just wrapping
the library. test are done using the autopkgtest-pkg-perl mechanism.
CVEs are not known because the would likely happen in libmagic which actually
processes content. By that simplicity and stability and despite the age the
benefit that perl has found its way to be well packaged and rarely is confusing
this is all good to go.
MIR team ACK
This does not need a security review
List of specific binary packages to be promoted to main: libfile-libmagic-perl
Specific binary packages built, but NOT to be promoted to main: n/a
[Rationale, Duplication and Ownership]
OK:
There is no other package in main providing the same functionality.
There are File::MMagic and File::Type which are older/worse and do things
internally - those two do not matter.
And then there is File::MimeInfo as in `libfile-mimeinfo-perl`, that is already
in main and provided kind of the same, but in the mime kind of way. That is
not exactly the same and keeping the delta in dependencies for that (given that
this new one seems small) would be too much.
A team is committed to own long term maintenance of this package =>
debcrafters
The rationale given in the report seems valid and useful for Ubuntu - not
that anyone would build a lot on perl anymore, but lintian is important and
this is not a huge price to maintain.
[Dependencies]
OK:
- no other runtime Dependencies to MIR due to this
- no other build-time Dependencies with active code in the final binaries
to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source (it hands that over to libmagic to do so).
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
signing, ...)
- this makes appropriate (for its exposure) use of established risk
mitigation features = none, but that is ok as it is jut the lib.
Problems: None
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
^^ thanks to "Testsuite: autopkgtest-pkg-perl" doing all that automatically
- This does not need special HW for build or test
- no new python2 dependency
Problems: None
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code, yes it has an
.so but that is the glue between itself and libmagic, not for externals.
- debian/watch is present and ok
- Upstream update history is super-slow, but also nothing in the lib it wraps
changes.
- Debian/Ubuntu update history is slow except sporadic packaging fixes
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems: None
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user 'nobody' outside of tests
- no use of setuid / setgid (only in generated documentation AFAICS)
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case
Problems: None
** Changed in: libfile-libmagic-perl (Ubuntu)
Status: New => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142465
Title:
[MIR] libfile-libmagic-perl (lintian dependency)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libfile-libmagic-perl/+bug/2142465/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
