Comment 1 for bug 1891157

Christian Ehrhardt  (paelzer) wrote :

[Summary]
- This is just the review for ipp-usb, the other two are not yet reviewed.
- MIR Team ack from a packaging POV.
- This does need a security review, so I'll assign Ubuntu-security

Prereq's for Promotion:
- get the Desktop team to ack and subscribe to the packages
- prep a change to system-config-printer-udev replacing the ippusbxd dependency
- golang-gopkg-ini.v2 needs to be owned and MIR processed as well

Since the above might make the requester or the Desktop team reconsider this,
I'm holding back on the two golang packages until explicitly confirmed that
this stays the way to go and that owning the package will be fine.
I'll add a task for it and set the two golang libs to incomplete - if you want
to own and MIR this provide the details and set it back to new.

Recommended:
- try to get the service more confined

[Duplication]
As mentioned by the bug report already, there is ippusbxd which is in main.
This shall be demoted from main to universe to allow just one (2) ipp-on-usb
program in main.

There is only one dependency holding it in main:
  Reverse-Recommends
  * system-config-printer-udev (for ippusbxd)

ipp-usb is depended on by "cups-daemon" in groovy-proposed.
Can system-config-printer-udev be changed as part of the promotion (once ready)
to be replaced to ipp-usb as well, so that we can demote ippusbxd in the same
step when we promote ipp-usb?

[Dependencies]
OK:
- no other Dependencies to MIR due to this (avahi and libusb are in main)
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking, well except the usual go lib inclusion :-/

There are more Built-Using than the bug is filed for right now:
Built-Using:
  - golang0.14 (= 1.14.4-1ubuntu2), (in main)
  - golang-github-openprinting-goipp (= 1.0~git20200517.da79ff1-2), (part of
    this MIR)
  - golang-gopkg-ini.v2 (= 1.57.0-1) (Missing, this will have to be MIRed and
    owned as well then.)

[Security]
OK:
- history of CVEs does not look concerning, but ippusbxd had issues and we can
  expect this might have as well at some point
- does not use webkit2,2
- does not use lib*v9 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

Problems:
- does not parse data formats
- does not open a port
- does run a daemon as root
  - any chance to run the service more confined e.g. protected* features of
    systemd?
  - if there is a chance even as non-root?

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time (but fairly minimal)
  - test suite failures will fail the build upon error.
- no translation present, but none needed for this case (user visible)?
- not a python package, no extra constraints to consider in that regard
- Go package that uses dh-golang

Problems:
- The package has a team bug subscriber
  please get a full Team to subscribe to the package
  The printing team (https://launchpad.net/~ubuntu-printing) is the perfect
  team to actually handle things here and is subscribed already (thanks), but
  you'd (in addition) need a full team to subscribe - ubuntu-desktop in this
  case I guess as fallback for e.g. vacations or any other complex issue you
  can't deal with alone.
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good, but short so who knows ... :-/
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does have Built-Using (identified an extra dependency)
- Go Package that follows the Debian Go packaging guidelines

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks