[Bug 1915009] Re: [MIR] libmd (dependency of libbsd)

Christian Ehrhardt  1915009 at bugs.launchpad.net
Thu Feb 18 15:25:52 UTC 2021


Matt agreed to Foundations owning it and subscribed foundations.
Next is Ubuntu Security, which I assigned this to.

** Changed in: libmd (Ubuntu)
     Assignee: Matthieu Clemenceau (mclemenceau) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libmd in Ubuntu.
https://bugs.launchpad.net/bugs/1915009

Title:
  [MIR] libmd (dependency of libbsd)

Status in libmd package in Ubuntu:
  New

Bug description:
  [Availability]
  libmd has been on Universe since Xenial and builds on all supported archs. Hirsute currently has 1.0.3-3.

  [Rationale]
  libbsd has a new dependency on libmd since 0.11.1-1 (0.10 or earlier didn't)
  - libbsd0 depends on libmd0
  - libbsd build-depends on libmd-dev

  [Security]
  - found no CVEs related to libmd on Mitre, Openwall, and Ubuntu CVE tracker (main, universe, and tracker).
  - no suid binaries on libmd0
  - package provides no service files
  - package does not require network (no open ports)

  [Quality assurance]
  - libmd0 1.0.3-3 depends only on libc6 (ie. no weird deps)
  - libmd 1.0.3-3 build depends only on debhelper-compat
  - no bug has ever been logged for libmd in both launchpad[1] and debian[2]
  - homepage lists no upstream bug tracker [3]
  - upstream maintainer is Guillem Jover
  - package ships with a testsuite
  - testsuite does not need network nor weird hardware
  - testsuite is run during build
  - has autopkgtests [4]
  - autopkgtest fails on i386 (not a blocker)
  - autopkgtest succeeded on amd64, ppc64el, s390x
  - package has a debian/watch file
  - 'lintian --pedantic' indicates no packaging issues

  [Dependencies]
  - libmd0 1.0.3-3 depends: libc6
  - libmd 1.0.3-3 build-depends: debhelper-compat

  [Standards compliance]
  Package meets Debian Policy 4.5.1 (latest as of 2021-02-09).
  Package meets FHS.

  [Maintenance]
  Package is small and well maintained in Debian by its upstream main developer (Guillem Jover).

  [Background information]
  Package description is correct and succinct:
  'The libmd library provides various
   message digest ("hash") functions,
   as found on various BSDs on a
   library with the same name and with a
   compatible API.'

  [References]
  [1] https://bugs.launchpad.net/ubuntu/+source/libmd/+bugs?search=Search&field.status%3Alist=NEW&field.status%3Alist=OPINION&field.status%3Alist=INVALID&field.status%3Alist=WONTFIX&field.status%3Alist=EXPIRED&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=FIXRELEASED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&assignee_option=any&field.tags_combinator=ANY&field.status_upstream-empty-marker=1

  [2] https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;src=libmd
  [3] https://www.hadrons.org/software/libmd/
  [4] https://autopkgtest.ubuntu.com/packages/libmd

  [tdaitx 2021-02-09]
  I confirm that I checked the above requirements carefully.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libmd/+bug/1915009/+subscriptions


