[MIR] gsasl
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gsasl (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
mutt (Debian) |
Fix Released
|
Unknown
|
|||
mutt (Ubuntu) |
Fix Released
|
Undecided
|
William Wilson |
Bug Description
[Summary]
* Everything seems in order with this package, but it should
be reviewed by the security team due to the nature of the package.
* Build log: https:/
[Availability]
* The package is already available in Ubuntu universe and builds for the required architectures
[Rationale]
* mutt (which is in main) used to depend on cyrus-sasl. Due to a
licensing conflict between mutt and cyrus-sasl, it has been updated
to use gsasl and drop the dependency on cyrus-sasl. This change
has been made in Debian. Mutt is used by a large part of our
user base, so continuing to provide it is important.
[Security]
* Package gsasl and associated libraries do not have any
security red-flags, but should still be reviewed by
the security team due to the nature of the package (it
authenticates users to servers)
* No CVEs/security issues in this software in the past
* No `suid` or `sgid` binaries
* No executables in `/sbin` and `/usr/sbin`
* Package does not install services, timers or recurring jobs
* Package does not open privileged ports (ports < 1024)
[Quality assurance - function/usage]
* The package works well right after install
[Quality assurance - maintenance]
* The package is maintained well in Debian/Ubuntu and has not too many
and long term critical bugs open
* The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
* The package runs a test suite on build time, if it fails
it makes the build fail
* The package runs an autopkgtest, and is currently passing
[Quality assurance - packaging]
* debian/watch is present and works
* debian/control defines a correct Maintainer field
* This package does not yield massive lintian Warnings, Errors
* Full output of `lintian --pedantic`:
```
P: gsasl source: update-
P: gsasl source: very-long-
P: gsasl source: very-long-
P: gsasl source: very-long-
P: gsasl source: very-long-
```
* Lintian overrides are present, but ok because upstream does
not provide source-only tarballs
* This package has no python2 or GTK2 dependencies
* Packaging and build is easy. d/rules is concise and readable
[UI standards]
* Application is end-user facing, Translation is present, via gettext
[Dependencies]
* libgsasl-dev depends on a package from src:libntlm. MIR for
libntlm is here: https:/
[Standards compliance]
* This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
* Owning Team will be foundations
* Team is not yet, but will subscribe to the package before promotion
* This does not use static builds
* This does not use vendored code
* The package successfully built during the most recent test rebuild
[Background information]
* The Package description explains the package well
* Upstream Name is GNU SASL
* Upstream Link is https:/
CVE References
description: | updated |
tags: | added: fr-2362 |
Changed in mutt (Debian): | |
status: | Unknown → Fix Released |
Changed in gsasl (Ubuntu): | |
assignee: | nobody → William Wilson (jawn-smith) |
Changed in gsasl (Ubuntu): | |
milestone: | none → ubuntu-22.10 |
description: | updated |
Changed in gsasl (Ubuntu): | |
assignee: | William Wilson (jawn-smith) → nobody |
status: | Incomplete → New |
tags: | added: update-excuse |
Changed in gsasl (Ubuntu): | |
assignee: | nobody → Didier Roche (didrocks) |
Changed in gsasl (Ubuntu): | |
status: | Incomplete → New |
Changed in gsasl (Ubuntu): | |
status: | Fix Committed → Fix Released |
Changed in mutt (Ubuntu): | |
status: | New → Fix Released |
Thanks, since it is tracking only I assigned it to you.
So it will be in update-excuses, but not show up in the MIR reports.