Review for Source Package: papers
[Summary]
MIR team ACK under the soft constraint (I only found recommends) to
as far possible having a look at the recommended TODOs.
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main:
papers libppsdocument-4.0-5 libppsview-4.0-4 papers-common
There are libpapers-dev and libpapers-doc that are autopromoted then
but even they seem safe.
Specific binary packages built, but NOT to be promoted to main:
gir1.2-papers-4.0
It could be promoted, but I see no dependency yet.
Notes:
Required TODOs:
- none
Recommended TODOs:
#1 - not strictly needed as all the generated lists seem fine, but you
have massive diff for vendoring anyway, how about dropping the
librust-* build depdencies for one more step of certainty what it
is built of?
#2 - The package should get a team bug subscriber before being promoted
#3 - AFAIK you can create pdf protected PDFs [1], are those not official enough
for the test plan?
[1]:
https://askubuntu.com/questions/938015/how-do-i-password-protect-a-pdf-document
[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality, except
evince which is what the Team tries to hereby replace.
And in fact it is the evolution of evince starting with a fork from it.
A team is committed to own long term maintenance of this package =>
Desktop team
The rationale given in the report seems valid, it is just as valid as the one
for evince so far and counts for one or the other.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
It has lots of dependencies, but the only ones not in main are internal
to src:papers
- -dev/-debug/-doc packages are present but seem safe
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- embedded source present and static linking => rust
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- Rust package that has all dependencies vendored. It does neither
have *Built-Using (after build). Nor does the build log indicate
built-in sources that are missed to be reported as Built-Using.
- rust package using dh_cargo (via build-dependency)
- Includes vendored code, the package has documented how to refresh this
code at debian/README.source
Problems: None
[Security]
OK:
- history of CVEs does not look concerning, but had quite some as it
is a common attack vector
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
signing, ...)
- this makes appropriate (for its exposure) use of established risk
mitigation features via apparmor (thanks!) continuing what we had in evince
Problems:
- does parse data formats: PDFs from potentially untrusted sources
- might process arbitrary web content (viewer kciking in for downloads)
[Common blockers]
OK:
- does not FTBFS currently
- does have a trivial test suite that runs as autopkgtest
- we usually ask for non-trivial here but it is good to have something and
the rest via a well defined test plan
- This does seem to need special HW (just a real GUI actually) for build or
test so it can't be automatic at build or autopkgtest time. But as outlined
by the requester in [Quality assurance - testing] there:
- is hardware and a test plan or code
- no new python2 dependency
Problems:
- does not have a test suite that runs at build time
But it has some autopkgtest and the team defined a reasonable test plan
for this application (thanks).
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
control
- symbols tracking is in place.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is (good/slow/sporadic)
- Debian/Ubuntu update history is (good/slow/sporadic)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems: None
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it, and this get
better since the fork from evince and changing some to rust)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of setuid / setgid (a lot of references, but no usage AFAICS)
- no important open bugs (crashers, etc) in Debian or Ubuntu
There are many reported upstream, but none stand out more than on evince
which is going to be replaced hereby
- no dependency on webkit, qtwebkit or libseed
- part of the UI, desktop file is ok (there are two)
- translation present (po files)
Problems:
- use of user nobody, but AFAICS only in self-tests of the vendored dependencies
in debian/missing-sources/nix/test/test_unistd.rs
** Changed in: papers (Ubuntu)
Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team
(ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2097727
Title:
[MIR] papers
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/papers/+bug/2097727/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
