Review for Source Package: atkmm
MIR bug: https://bugs.launchpad.net/ubuntu/+source/atkmm/+bug/2155204

[Summary]
This is a re-review triggered by the source package rename from atkmm1.6
(in main since Ubuntu 14.04, predating formal MIR documentation) to atkmm.
The package is a thin, generated C++ binding around ATK with no daemons,
no privileged code and no parsing of untrusted input. The rename itself
introduces no new code or dependencies, and the binaries have already been
promoted in the development series with desktop-packages subscribed.

MIR team ACK

This does not need a security review.

List of specific binary packages to be promoted to main: libatkmm-1.6-1v5,
libatkmm-dev, libatkmm-doc, libatkmm-1.6-dev (transitional),
libatkmm-1.6-doc (transitional)
Specific binary packages built, but NOT to be promoted to main: none

Required TODOs: none
Recommended TODOs:
1. The package has neither a build-time test suite nor an autopkgtest.
   Given it is a generated wrapper library this is tolerable (coverage
   comes indirectly through the gtkmm stack), but even a trivial
   build-and-link autopkgtest against the -dev package would be an
   improvement.
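A minimal shape for the build-and-link autopkgtest suggested in TODO 1 (an added sketch, not part of the atkmm package or this review): a debian/tests/control that uses Test-Command to compile and link a one-line program against libatkmm-dev via pkg-config. The file path, the pkg-config module name atkmm-1.6 and the Atk::init() probe call are assumptions.

```text
# debian/tests/control (assumed layout; not shipped by the atkmm package)
# Compiles and links a trivial program against the installed -dev package,
# then runs it, so a broken header, .pc file or soname link would fail the test.
Test-Command: cd "$AUTOPKGTEST_TMP" && printf '%s\n' '#include <atkmm.h>' 'int main() { Atk::init(); return 0; }' > probe.cc && g++ -o probe probe.cc $(pkg-config --cflags --libs atkmm-1.6) && ./probe
Depends: libatkmm-dev, build-essential, pkg-config
```

Because the test depends only on the binary packages, it exercises exactly what reverse dependencies consume rather than the build tree.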

[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality;
  this is the same source that was already in main, under a new name.
- A team is committed to own long term maintenance of this package:
  desktop-packages is subscribed, and Debcrafters committed in the bug to
  supporting any regressions.
- The rationale given in the report seems valid and useful for Ubuntu:
  atkmm is a source rename of a package already in main and is needed by
  the gtkmm/GTK3 accessibility stack.

[Dependencies]
OK:
- no other runtime Dependencies to MIR due to this
  (libatk1.0, libglibmm-2.4, libsigc++-2.0, libstdc++ - all in main)
- no other build-time Dependencies with active code in the final binaries
  to MIR due to this
- no -dev/-debug/-doc packages that need exclusion; the -dev and -doc
  packages were already in main under the old names and the transitional
  packages are needed for the rename
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present (the MSVC_NMake/gendef helper is
  Windows-only build tooling and not shipped in the binaries)
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning (no known CVEs for atkmm)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features; as a plain shared library with no privileged
  execution context, no additional isolation is applicable

Problems: None

[Common blockers]
OK:
- does not FTBFS currently (2.28.5-1 built and published on all
  architectures in the development series)
- This does not need special HW for build or test
- the library alone only does rather simple things (generated wrappers
  around ATK); the overall solution is exercised through the gtkmm stack
  and its reverse dependencies
- no new python2 dependency
- not a Python package
- not a Go package

Problems:
- does not have a test suite that runs at build time and does not have an
  autopkgtest; see Recommended TODO 1. Accepted as a compromise for this
  grandfathered wrapper library.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta (synced from Debian unstable)
- For c++ libraries - symbols tracking isn't in place; as with the rest
  of the GNOME C++ (mm) stack, tracking mangled C++ symbols is not
  practical and ABI breaks are handled by package renames instead (the
  v5 suffix in libatkmm-1.6-1v5 stems from the libstdc++ ABI transition)
- debian/watch is present and looks ok (tracks the 2.28 series, which is
  intentional as the 2.36 API series is not packaged)
- Upstream update history is slow, which is expected for a mature,
  maintenance-only branch of a deprecated toolkit API
- Debian/Ubuntu update history is good (regular uploads by the Debian
  GNOME team, current maintainer is an Ubuntu developer)
- the current release is packaged (2.28.5 is the latest in the 2.28
  series)
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings; the missing standalone LGPL-2.1+
  paragraph in debian/copyright was reviewed and deemed acceptable since
  the license text is already referenced there (see Notes)
- debian/rules is rather clean (17 lines, plain dh with meson)
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build (per the published builds)
- no incautious use of malloc/sprintf (as far as we can check it;
  generated C++ bindings using glibmm memory management)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user 'nobody' outside of tests
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (library, no
  user visible strings)

Problems: None


** Changed in: atkmm (Ubuntu)
     Assignee: Myles Penner (mylesjp) => (unassigned)

** Changed in: atkmm (Ubuntu)
       Status: New => In Progress
