[Bug 1972866] Re: [MIR] gsasl
Simon Josefsson
1972866 at bugs.launchpad.net
Fri Jun 17 12:14:45 UTC 2022
Hi. Upstream talking here. Thanks for review! Much appreciated with
external eyes on a package. Some comments:
1) Debian autopkgtest is not light, the debian/tests/libgsasl actually
runs all of the upstream test suite except for GS2/GSSAPI (which require
more infrastructure to test) including CRAM-MD5, DIGEST-MD5, SCRAM and
several other internal APIs. It may be easy to overlook it when reading
debian/tests/libgsasl though.
2) I've fixed the useless override_dh_auto_install:
https://salsa.debian.org/xmpp-team/gsasl/-/commit/98b21e56ea6e9d7234459769d3a71997659e5ac4
3) I've fixed the asprintf issue:
https://git.savannah.gnu.org/gitweb/?p=gsasl.git;a=commit;h=fd0ff175cd45f55a32e2352cab0de99c0f7c7898
4) I've added the gsasl-scram-pbkdf2 self-test to autopkgtest now too (it was implicitly tested through SCRAM self-tests, but doesn't hurt having in autopkgtest too):
https://salsa.debian.org/xmpp-team/gsasl/-/commit/de8b713fb4e9ebfa64438f177ff900aa18bc2dd9
Btw, the library is in transition in Debian now to the upcoming new
stable 2.x.x branch (minimal changes, just dropping obsolete APIs) and
we ran into some issues with the libgsasl7->gsasl-common dependency, but
it probably isn't relevant to Ubuntu. If anyone has suggestions on
better handling, I'm all ears:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012768
Thanks,
Simon
** Bug watch added: Debian Bug tracker #1012768
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012768
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to mutt in Ubuntu.
https://bugs.launchpad.net/bugs/1972866
Title:
[MIR] gsasl
Status in gsasl package in Ubuntu:
Incomplete
Status in mutt package in Ubuntu:
New
Status in mutt package in Debian:
Fix Released
Bug description:
[Summary]
* Everything seems in order with this package, but it should
be reviewed by the security team due to the nature of the package.
* Build log: https://launchpadlibrarian.net/564514219/buildlog_ubuntu-jammy-amd64.gsasl_1.10.0-5_BUILDING.txt.gz
[Availability]
* The package is already available in Ubuntu universe and builds for the required architectures
[Rationale]
* mutt (which is in main) used to depend on cyrus-sasl. Due to a
licensing conflict between mutt and cyrus-sasl, it has been updated
to use gsasl and drop the dependency on cyrus-sasl. This change
has been made in Debian. Mutt is used by a large part of our
user base, so continuing to provide it is important.
[Security]
* Package gsasl and associated libraries do not have any
security red-flags, but should still be reviewed by
the security team due to the nature of the package (it
authenticates users to servers)
* No CVEs/security issues in this software in the past
* No `suid` or `sgid` binaries
* No executables in `/sbin` and `/usr/sbin`
* Package does not install services, timers or recurring jobs
* Package does not open privileged ports (ports < 1024)
[Quality assurance - function/usage]
* The package works well right after install
[Quality assurance - maintenance]
* The package is maintained well in Debian/Ubuntu and has not too many
and long term critical bugs open
* The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
* The package runs a test suite on build time, if it fails
it makes the build fail
* The package runs an autopkgtest, and is currently passing
[Quality assurance - packaging]
* debian/watch is present and works
* debian/control defines a correct Maintainer field
* This package does not yield massive lintian Warnings, Errors
* Full output of `lintian --pedantic`:
```
P: gsasl source: update-debian-copyright 2014 vs 2021 [debian/copyright:44]
P: gsasl source: very-long-line-length-in-source-file configure line 13808 is 704 characters long (>512)
P: gsasl source: very-long-line-length-in-source-file examples/openid20/README line 92 is 807 characters long (>512)
P: gsasl source: very-long-line-length-in-source-file examples/saml20/README line 171 is 1396 characters long (>512)
P: gsasl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
```
* Lintian overrides are present, but ok because upstream does
not provide source-only tarballs
* This package has no python2 or GTK2 dependencies
* Packaging and build is easy. d/rules is concise and readable
[UI standards]
* Application is end-user facing, Translation is present, via gettext
[Dependencies]
* libgsasl-dev depends on a package from src:libntlm. MIR for
libntlm is here: https://bugs.launchpad.net/ubuntu/+source/libntlm/+bug/1976405
[Standards compliance]
* This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
* Owning Team will be foundations
* Team is not yet, but will subscribe to the package before promotion
* This does not use static builds
* This does not use vendored code
* The package successfully built during the most recent test rebuild
[Background information]
* The Package description explains the package well
* Upstream Name is GNU SASL
* Upstream Link is https://www.gnu.org/software/gsasl/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gsasl/+bug/1972866/+subscriptions
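The file-based items in the [Security] checklist above (no `suid`/`sgid` binaries, no executables in `/sbin` or `/usr/sbin`, no services, timers or recurring jobs) can be checked mechanically from a package's file listing. The script below is an added example, not part of the bug report or of the gsasl packaging; `mir_audit`, its tags and both sample listings are hypothetical and constructed, and the privileged-port item is not covered because it cannot be read from a listing.

```sh
# Added example, not from the bug report. Reads a `dpkg-deb -c` listing on
# stdin and prints one "TAG path" line per checklist finding (nothing if clean).
mir_audit() {
    awk '
    substr($1, 1, 1) == "-" {          # regular files only
        mode = $1
        # Path starts at field 6; rejoin names that contain spaces.
        path = $6
        for (i = 7; i <= NF; i++) path = path " " $i
        if (substr(mode, 4, 1) ~ /[sS]/) print "SUID", path   # owner-exec slot
        if (substr(mode, 7, 1) ~ /[sS]/) print "SGID", path   # group-exec slot
        if (mode ~ /[xs]/ && path ~ "^\\./(usr/)?sbin/") print "SBIN", path
        if (path ~ "/systemd/system/[^/]+\\.(service|timer|socket)$") print "UNIT", path
        if (path ~ "^\\./etc/(init\\.d|cron\\.[^/]+)/[^/]+$") print "JOB", path
    }'
}

# Constructed listing shaped like a plain CLI package: expected to be clean.
sample_clean() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2022-03-01 12:00 ./usr/bin/
-rwxr-xr-x root/root     96000 2022-03-01 12:00 ./usr/bin/gsasl
-rw-r--r-- root/root      4000 2022-03-01 12:00 ./usr/share/man/man1/gsasl.1.gz
EOF
}

# Constructed listing for a hypothetical package that trips every check.
sample_flagged() {
    cat <<'EOF'
-rwsr-xr-x root/root     30000 2022-03-01 12:00 ./usr/bin/helper
-rwxr-sr-x root/mail     30000 2022-03-01 12:00 ./usr/bin/spool
-rwxr-xr-x root/root     30000 2022-03-01 12:00 ./usr/sbin/exampled
-rw-r--r-- root/root       300 2022-03-01 12:00 ./lib/systemd/system/exampled.service
-rwxr-xr-x root/root       300 2022-03-01 12:00 ./etc/cron.daily/example
EOF
}

sample_clean | mir_audit
sample_flagged | mir_audit
```

Against a real binary package the same function is fed with `dpkg-deb -c <package>.deb | mir_audit`.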