Comment 10 for bug 1891157

Didier Roche-Tolomelli (didrocks) wrote :

Note: There is still some unanswered question Christian asked on ipp-usb about confinement and the daemon that needs to be answered before going further.

golang-github-openprinting-goipp:
[Summary]
- MIR Team ack from a packaging and code POV.
- Needs Security team review

[Duplication]
Nothing to add over the top request. Providing and using a Go native binding is welcome.

[Dependencies]
OK:
- no other Dependencies to MIR
- only one -dev package that needs to be in main due to the nature of Go library (statically linked)

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking, only ship source code

[Security]
OK:
- no CVEs, but really fresh new package.
- it does use Go's battle-proof HTTP stack
- does not use webkit2,2
- does not use lib*v9 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

Problems:
- parses data formats, but only in pure Go, via consts. Should be safe, but better to double-check with Security
- does not open a port
- does not run a daemon as root

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time (but fairly minimal)
  - test suite failures will fail the build upon error.
- no translation present, but none needed
- not a python package, no extra constraints to consider in that regard
- Go package that uses dh-golang
- Team subscription is now OK

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good, but short
- there is no official release yet so it’s a git snapshot (latest upstream commit)
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is clean and minimal
- Go package that follows the Debian Go packaging guidelines

[Upstream red flags]
OK:
- standard and comprehensible Go code.
- use of go modules.
- no Errors/warnings during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks
- no upstream bug opened at this date (none over the lifetime of the project)