Comment 11 for bug 1891157

Didier Roche-Tolomelli (didrocks) wrote:

FWIW, I did start the golang-gopkg-ini.v1 review before the discussion went to invalidate it, I will still post what I found in case we have another MIR one day.

golang-gopkg-ini.v1:
[Summary]
- Some work is needed, as right now:
  * golang-github-smartystreets-goconvey-dev MIRing. Blocking this one.
- The rest looks good both from a packaging and code POV.
- Needs security review for parsing data

[Duplication]
Nothing to add over the top request. Providing and use of Go native binding is welcome.

[Dependencies]
Needs fixing:
- golang-gopkg-ini.v1-dev depends on golang-github-smartystreets-goconvey-dev which is in universe. One way would be to separate the _test.go files from the regular code ones. That way, only test files are using convey and no dependency is needed. We can hope that Depends:misc DTRT.
- only one -dev package that needs to be in main due to the nature of Go library (statically linked)

[Embedded sources and static linking]
OK:
- no embedded source present
- only ship source code, so no static linking

[Security]
OK:
- no CVEs, but really fresh new package.
- it does use Go battle-proof http stack
- does not use webkit2,2
- does not use lib*v9 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc.)

Problems:
- parses data formats, but only in pure Go, via consts. If one day we promote it, it will need a security review
- does not open a port
- does not run a daemon as root

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time (but fairly minimal)
  - test suite failures will fail the build.
- no translation present, but none needed
- not a python package, no extra constraints to consider in that regard
- Go package that uses dh-golang
- Team subscription is now OK

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good, but short
- there is no official release yet so it’s a git snapshot (latest upstream commit)
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is clean and minimal
- Go package that follows the Debian Go packaging guidelines

[Upstream red flags]
OK:
- standard and comprehensible Go code.
- no use of go modules :-/ running go mod init before running tests, though
- CI is running as part of upstream build. One of the targeted platforms is ubuntu-latest.
- no Errors/warnings during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks
- no upstream bug opened at this date (none over the lifetime of the project)
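As an added example, not part of this review nor of golang-gopkg-ini.v1: a small Go checker, built only on the standard go/parser, that splits a package's imports into those its regular sources need and those that appear only in _test.go files, which is the check the [Dependencies] point above relies on before deciding what the -dev package must depend on. It takes sources in memory; the two-file sample package and its import paths are constructed for the demonstration, and a wrapper over os.ReadDir would feed a real source tree.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// SplitImports takes Go sources keyed by file name and returns the import paths
// used by regular sources and those that appear only in _test.go files. A path in
// the test-only set (goconvey, in the review above) is not needed by the library.
func SplitImports(files map[string]string) (runtime, testOnly map[string]bool, err error) {
	runtime, testOnly = map[string]bool{}, map[string]bool{}
	inTests := map[string]bool{}
	fset := token.NewFileSet()
	for name, src := range files {
		// ImportsOnly stops parsing after the import block, which is all we need.
		f, perr := parser.ParseFile(fset, name, src, parser.ImportsOnly)
		if perr != nil {
			return nil, nil, perr
		}
		for _, imp := range f.Imports {
			path := strings.Trim(imp.Path.Value, `"`)
			if strings.HasSuffix(name, "_test.go") {
				inTests[path] = true
			} else {
				runtime[path] = true
			}
		}
	}
	for path := range inTests {
		if !runtime[path] {
			testOnly[path] = true
		}
	}
	return runtime, testOnly, nil
}

// Sample is a constructed two-file package: ini.go uses only the standard
// library while ini_test.go pulls in goconvey, mirroring the situation above.
var Sample = map[string]string{
	"ini.go":      "package ini\n\nimport \"strings\"\n\nfunc Key(s string) string { return strings.TrimSpace(s) }\n",
	"ini_test.go": "package ini\n\nimport (\n\t\"testing\"\n\t. \"github.com/smartystreets/goconvey/convey\"\n)\n\nfunc TestKey(t *testing.T) { Convey(\"k\", t, func() {}) }\n",
}

func main() {
	runtime, testOnly, err := SplitImports(Sample)
	fmt.Println("runtime:", runtime, "test-only:", testOnly, "err:", err)
}
```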