[Bug 1972866] Re: [MIR] gsasl
Didier Roche
1972866 at bugs.launchpad.net
Wed Jun 22 07:02:00 UTC 2022
ACK on the changes. I looked at
https://launchpadlibrarian.net/608367114/gsasl_1.11.3-3_2.0.0-1.diff.gz
too and nothing is scary.
Let’s what for the security team review now.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to mutt in Ubuntu.
https://bugs.launchpad.net/bugs/1972866
Title:
[MIR] gsasl
Status in gsasl package in Ubuntu:
Incomplete
Status in mutt package in Ubuntu:
New
Status in mutt package in Debian:
Fix Released
Bug description:
[Summary]
* Everything seems in order with this package, but it should
be reviewed by the security team due to the nature of the package.
* Build log: https://launchpadlibrarian.net/564514219/buildlog_ubuntu-jammy-amd64.gsasl_1.10.0-5_BUILDING.txt.gz
[Availability]
* The package is already available in Ubuntu universe and builds for the required architectures
[Rationale]
* mutt (which is in main) used to depend on cyrus-sasl. Due to a
licensing conflict between mutt and cyrus-sasl, it has been updated
to use gsasl and drop the dependency on cyrus-sasl. This change
has been made in Debian. Mutt is used by a large part of our
user base, so continuing to provide it is important.
[Security]
* Package gsasl and associated libraries do not have any
security red-flags, but should still be reviewed by
the security team due to the nature of the package (it
authenticates users to servers)
* No CVEs/security issues in this software in the past
* No `suid` or `sgid` binaries
* No executables in `/sbin` and `/usr/sbin`
* Package does not install services, timers or recurring jobs
* Package does not open privileged ports (ports < 1024)
[Quality assurance - function/usage]
* The package works well right after install
[Quality assurance - maintenance]
* The package is maintained well in Debian/Ubuntu and has not too many
and long term critical bugs open
* The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
* The package runs a test suite on build time, if it fails
it makes the build fail
* The package runs an autopkgtest, and is currently passing
[Quality assurance - packaging]
* debian/watch is present and works
* debian/control defines a correct Maintainer field
* This package does not yield massive lintian Warnings, Errors
* Full output of `lintian --pedantic`:
```
P: gsasl source: update-debian-copyright 2014 vs 2021 [debian/copyright:44]
P: gsasl source: very-long-line-length-in-source-file configure line 13808 is 704 characters long (>512)
P: gsasl source: very-long-line-length-in-source-file examples/openid20/README line 92 is 807 characters long (>512)
P: gsasl source: very-long-line-length-in-source-file examples/saml20/README line 171 is 1396 characters long (>512)
P: gsasl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
```
* Lintian overrides are present, but ok because upstream does
not provide source-only tarballs
* This package has no python2 or GTK2 dependencies
* Packaging and build is easy. d/rules is concise and readable
[UI standards]
* Application is end-user facing, Translation is present, via gettext
[Dependencies]
* libgsasl-dev depends on a package from src:libntlm. MIR for
libntlm is here: https://bugs.launchpad.net/ubuntu/+source/libntlm/+bug/1976405
[Standards compliance]
* This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
* Owning Team will be foundations
* Team is not yet, but will subscribe to the package before promotion
* This does not use static builds
* This does not use vendored code
* The package successfully built during the most recent test rebuild
[Background information]
* The Package description explains the package well
* Upstream Name is GNU SASL
* Upstream Link is https://www.gnu.org/software/gsasl/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gsasl/+bug/1972866/+subscriptions
More information about the foundations-bugs
mailing list