[MIR] duktape
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
duktape (Ubuntu) | Fix Released | High | Unassigned | | |
Bug Description
[Availability]
The package duktape is already in Ubuntu universe.
The package duktape builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https:/
[Rationale]
- The package duktape is required in Ubuntu main for updating polkit.
Upstream polkit landed an alternative option to use duktape instead
of mozjs. duktape is a much smaller JavaScript implementation and
simpler code-base to maintain than mozjs, and Debian is going to use
it.
- Support for JavaScript-based rules in polkit has also been
requested in enterprise desktop use-cases.
- The package duktape is required in Ubuntu main no later than Feb 23
due to feature freeze.
[Security]
- Had 1 security issue in the past
- https:/
- https:/
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu, and currently has
only one normal and one wishlist bug open
and long term critical bugs open
- Ubuntu https:/
- Debian https:/
https:/
https:/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package does not run a test at build time because it currently
does not have a test suite (duktape itself does, but not its Debian
package).
- The package does not run an autopkgtest because it doesn't have one.
- The package does not have failing autopkgtests right now.
- The package can not be tested at build time because upstream does
not include tests in their release tarballs, which is what the
Debian packaging uses -- though I've opened an upstream issue for
this, requesting inclusion of their test suite in release tarballs:
https:/
For now, in lieu of that, there is a test plan and example test
logs, as well as a proposed autopkgtest, included in a separate
comment below.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Link to a recent build log of the package
https:/
- Full output from `lintian --pedantic` attached as an extra post.
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy, link to d/rules
https:/
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be desktop-packages
- Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built in the archive more recently than the last
test rebuild
[Background information]
The Package description explains the package well
Upstream Name is Duktape
Link to upstream project https:/
tags: | added: update-excuse |
Changed in duktape (Ubuntu): | |
status: | Incomplete → New |
Changed in duktape (Ubuntu): | |
assignee: | nobody → Didier Roche-Tolomelli (didrocks) |
Changed in duktape (Ubuntu): | |
status: | New → Incomplete |
Changed in duktape (Ubuntu): | |
assignee: | Didier Roche-Tolomelli (didrocks) → nobody |
Changed in duktape (Ubuntu): | |
assignee: | nobody → Christian Ehrhardt (paelzer) |
tags: | added: sec-1608 |
Changed in duktape (Ubuntu): | |
status: | Incomplete → New |
Changed in duktape (Ubuntu): | |
importance: | Undecided → High |
assignee: | nobody → Amin Bandali (bandali) |
Test plan for duktape
1. Install the required packages, clone the upstream source repo,
checkout the git tag corresponding to the release version you'd
like to test, and run `make check'. For example:
sudo apt install devscripts git npm python2 python-yaml
git clone https://github.com/svaarala/duktape.git
cd duktape
git checkout v2.7.0
make test
Note that this is currently a bit tricky since the test suite for
the latest upstream duktape release uses Python 2, which is no
longer packaged in upcoming Debian or Ubuntu releases. The scripts
have been ported to Python 3 on upstream's `master' branch, but the
change is not included in any existing release.
2. Install build-essential and pkg-config, and build and install
duktape itself. Then, compile and run the simple test.c from
https://duktape.org and verify it produces the expected output.
Alternatively, this can be done automatically as an autopkgtest
per the attached tarball.