[Bug 2003568] Re: [MIR] markdown-it-py
Mark Esler
2003568 at bugs.launchpad.net
Wed Feb 22 07:32:12 UTC 2023
If possible, please promote v2.2.0 to main which fixes CVE-2023-26302
and CVE-2023-26303. A Security Policy was also added in this release.
Huge thanks to @chrisjsewell at github.com for their speedy response!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to markdown-it-py in Ubuntu.
https://bugs.launchpad.net/bugs/2003568
Title:
[MIR] markdown-it-py
Status in markdown-it-py package in Ubuntu:
In Progress
Bug description:
[Availability]
The package markdown-it-py is already in Ubuntu universe.
The package markdown-it-py builds for the architectures it is designed to work on.
It currently builds and works for architectures: all
Link to package https://launchpad.net/ubuntu/+source/markdown-it-py
[Rationale]
- The package markdown-it-py is required in Ubuntu main as it will be used by netplan.io (it's a dependency of src:rich, which is a dependency of netplan.io), which is already in main.
- The package markdown-it-py will generally be useful for a large part of our user base
- The package markdown-it-py is a new runtime dependency of package netplan.io (through src:rich) that we already support
- The package python3-rich itself does not yet depend on markdown-it-py, but upstream just migrated to it and rich will depend on it when the maintainer updates the package.
- The package markdown-it-py is required in Ubuntu main no later than
Feb 23 due to feature freeze.
[Security]
- Had 0 security issues in the past
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and does not have too many long-term critical bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/markdown-it-py/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=markdown-it-py
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, link to build log https://launchpadlibrarian.net/632298609/buildlog_ubuntu-lunar-amd64.markdown-it-py_2.1.0-4_BUILDING.txt.gz
- The package runs an autopkgtest, and is currently passing on all but
i386 architectures, link to test logs
https://autopkgtest.ubuntu.com/packages/markdown-it-py
- The package does not have failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/632298609/buildlog_ubuntu-lunar-amd64.markdown-it-py_2.1.0-4_BUILDING.txt.gz
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy, link to d/rules
https://git.launchpad.net/ubuntu/+source/markdown-it-py/tree/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them is at:
python-typing-extensions: https://bugs.launchpad.net/ubuntu/+source/python-typing-extensions/+bug/2002821
mdurl: https://bugs.launchpad.net/ubuntu/+source/mdurl/+bug/2002818
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package successfully built during the most recent test rebuild
[Background information]
The Package description explains the package well
Upstream Name is markdown-it-py
Link to upstream project https://github.com/executablebooks/markdown-it-py