TL;DR: get the bug subscription in place and you are ready to go
Review for Source Package: lua5.5

Launchpad bug: https://bugs.launchpad.net/bugs/2155757
Target series: devel
Binary packages: liblua5.5-0, liblua5.5-dev, lua5.5

[Summary]
OK:
- Review for Source Package: lua5.5
- Reporter MIR content found and used as context.
- No further binary packages identified for promotion

MIR team ACK

This does not need a security review (as it is equal to the former
lua5.4 in that regard).

Required TODOs:
- #1 this needs a team subscriber before it can be promoted
Recommended TODOs:
- none

[Rationale, Duplication and Ownership]
OK:
- The rationale for upgrading the default Lua version to 5.5 for the
  26.10 release is clear and valid. (The request supports the standard
  upgrade path for core scripting languages in Ubuntu, enabling main
  packages to migrate from lua5.4. This aligns with the goal of
  establishing lua5.5 as the main supported version for 26.10.)
- There is no other package in main providing the same functionality
  (and you intend to migrate 5.4->5.5).

[Dependencies]
OK:
- no other runtime Dependencies to MIR due to this
- No build-time dependencies with active code embedded in final binaries
  detected. Standard C/C++ build with libtool; no Go/Rust static linking
  or vendoring patterns present. (Build-Depends are only debhelper-compat
  and libreadline-dev; no cargo.lock, go.sum, or vendored directories
  exist. The static_link_hints array is empty and no
  Built-Using/Static-Built-Using fields appear in the binary control
  output. Runtime dependencies (libc6, libgcc-s1, libstdc++6) are all
  standard shared libraries already in main.)
- no -dev/-debug/-doc packages that need exclusion
- Runtime dependencies are core system libraries (glibc, gcc, readline)
  which are extensively tested. (The identified runtime dependencies
  (libc6, libstdc++6, libgcc-s1, libreadline-dev) are fundamental
  components in main with robust test coverage, posing low risk of being
  superficially tested.)
Problems: None

[Embedded sources and static linking]
OK:
- not a go|rust package, no extra constraints to consider in that regard
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- No vendored code detected; refresh documentation not required. (The
  packaging evidence indicates an empty list for vendored_dirs and no
  vendor targets in debian/rules, implying no embedded sources exist.)
Problems:
- Static linking detected without clear justification; review needed

[Security]
OK:
- No CVEs found in Ubuntu CVE tracker or NVD enrichment for lua5.5.
  (Ubuntu CVE tracker and NVD enrichment report 0 CVEs for lua5.5, with
  no active or fixed vulnerabilities recorded.)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- Lua5.5 is an interpreter that parses its own bytecode and source code,
  but runtime deps show no external parser libraries (libc6, libgcc-s1,
  libstdc++6 only).
- Package does not expose external endpoints; it is an
  interpreter/library without service files.
- Package is a scripting language interpreter and library, not a web
  content processor.
- does not use centralized online accounts
- Package does not integrate arbitrary JS into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- Package does not handle security attestation (TPM, secure boot,
  signatures).
- Package does not handle cryptography
Problems: None

[Common blockers]
OK:
- Non-trivial autopkgtest suite exists.
- No special hardware required for build or test.
- no new python2 dependency
- not a python package, no extra constraints to consider in that regard
- not a go package, no extra constraints to consider in that regard
- does not FTBFS currently
- does not have a test suite that runs at build time (but autopkgtest,
  explained in the report)
Problems: None

[Packaging red flags]
OK:
- symbols tracking in place
- debian/watch is present and looks ok
- Upstream update history is good with regular releases and active
  maintenance
- Debian/Ubuntu update history is ok as well
- the current release is packaged
- no excessive lintian warnings
- debian/rules appears clean and uses standard debhelper infrastructure.
- It is not on the lto-disabled list
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
Problems: None

[Upstream red flags]
OK:
- Build uses strong hardening flags (-Werror=format-security,
  -fstack-protector-strong, -D_FORTIFY_SOURCE=3, -fcf-protection) and no
  dangerous memory-function patterns were found in the build log. Lua is
  a mature C codebase; no source-level scan was performed but build-time
  protections are solid.
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user 'nobody' outside of tests
- no use of setuid / setgid
- No important open bugs found in Ubuntu, Debian, or upstream trackers.
  (Launchpad shows only the MIR bug itself open; Debian BTS reports 0
  open bugs; upstream tracker reports 0 open issues.)
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- user-visible with translation present
Problems: None

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2155757

Title:
  [MIR] lua5.5