[Bug 1972866] Re: [MIR] gsasl
William Wilson
1972866 at bugs.launchpad.net
Tue Jun 21 14:52:06 UTC 2022
From the NEWS file:
```
* Noteworthy changes in release 2.0.0 (2022-06-20) [stable]
** Compared to last stable branch 1.10.x the 2.0.0 release
** drops all obsolete APIs, drops the abandoned KERBEROS_V5 mechanism,
** stops shipping a separate tarball for only the library, adds new APIs
** gsasl_mechanism_name_p() and gsasl_property_free().
Numerous other translation improvements, code cleanups, bug fixes,
documentation additions, build improvements and portability
enhancements were made as well.
```
None of these are inherently problematic, and dropping obsolete APIs
could even help with the security review. The package still builds
without warning (the return value of asprintf is checked), the
dh_override_auto_install has been removed, and the testing is
sufficient.
https://bugs.launchpad.net/bugs/1972866
Title:
[MIR] gsasl
Status in gsasl package in Ubuntu:
Incomplete
Status in mutt package in Ubuntu:
New
Status in mutt package in Debian:
Fix Released
Bug description:
[Summary]
* Everything seems in order with this package, but it should
be reviewed by the security team due to the nature of the package.
* Build log: https://launchpadlibrarian.net/564514219/buildlog_ubuntu-jammy-amd64.gsasl_1.10.0-5_BUILDING.txt.gz
[Availability]
* The package is already available in Ubuntu universe and builds for the required architectures
[Rationale]
* mutt (which is in main) used to depend on cyrus-sasl. Due to a
licensing conflict between mutt and cyrus-sasl, it has been updated
to use gsasl and drop the dependency on cyrus-sasl. This change
has been made in Debian. Mutt is used by a large part of our
user base, so continuing to provide it is important.
[Security]
* Package gsasl and associated libraries do not have any
security red-flags, but should still be reviewed by
the security team due to the nature of the package (it
authenticates users to servers)
* No CVEs/security issues in this software in the past
* No `suid` or `sgid` binaries
* No executables in `/sbin` and `/usr/sbin`
* Package does not install services, timers or recurring jobs
* Package does not open privileged ports (ports < 1024)
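The static items in the [Security] checklist above can be verified mechanically against an unpacked package tree. The script below is an added example written for this page, not code from the bug report or from the gsasl project: it builds a constructed directory tree (the file names such as usr/sbin/gsasld, usr/bin/helper and lib/systemd/system/gsasld.service are hypothetical and exist only to exercise the checks) and then scans it for setuid/setgid files, executables under /sbin or /usr/sbin, and installed services, timers or cron jobs. The privileged-port item is a runtime property and is deliberately not covered by a tree scan.

```shell
#!/bin/sh
# Added example (not from the bug report or the gsasl project): a static audit
# of an unpacked package tree for the properties listed in the [Security]
# section: no setuid/setgid binaries, no executables under /sbin or /usr/sbin,
# and no installed services, timers or cron jobs.  It runs offline on a
# constructed directory tree; to audit a real package, unpack it with
# "dpkg-deb -x some.deb tree" and call audit_tree on that directory.
set -u

# Build a constructed, hypothetical package layout under $1.  With $2=yes it
# also plants the violations the audit is meant to catch.
make_fixture() {
  mkdir -p "$1/usr/bin" "$1/usr/lib"
  printf '#!/bin/sh\n' > "$1/usr/bin/gsasl"
  chmod 0755 "$1/usr/bin/gsasl"
  : > "$1/usr/lib/libgsasl.so.18"
  chmod 0644 "$1/usr/lib/libgsasl.so.18"
  if [ "${2:-no}" = yes ]; then
    mkdir -p "$1/usr/sbin" "$1/lib/systemd/system" "$1/etc/cron.daily"
    printf '#!/bin/sh\n' > "$1/usr/bin/helper"
    chmod 4755 "$1/usr/bin/helper"                 # setuid bit set (planted)
    printf '#!/bin/sh\n' > "$1/usr/sbin/gsasld"
    chmod 0755 "$1/usr/sbin/gsasld"                # executable under /usr/sbin (planted)
    printf '[Unit]\n' > "$1/lib/systemd/system/gsasld.service"   # service (planted)
    printf '#!/bin/sh\n' > "$1/etc/cron.daily/gsasl"             # cron job (planted)
  fi
}

# Each find_* check prints the offending paths; count_* returns how many.
find_suid_sgid() { find "$1" -type f \( -perm -4000 -o -perm -2000 \); }
find_sbin_exec() { find "$1/sbin" "$1/usr/sbin" -type f -perm -100 2>/dev/null; }
find_scheduled() {
  find "$1" -type f \( -path '*/systemd/system/*.service' \
                    -o -path '*/systemd/system/*.timer' \
                    -o -path '*/etc/cron.*/*' \)
}
count_suid_sgid() { find_suid_sgid "$1" | wc -l | tr -d ' '; }
count_sbin_exec() { find_sbin_exec "$1" | wc -l | tr -d ' '; }
count_scheduled() { find_scheduled "$1" | wc -l | tr -d ' '; }

# Run every check on tree $1; exit status 0 only when nothing was found.
audit_tree() {
  bad=0
  for check in suid_sgid sbin_exec scheduled; do
    hits=$("find_$check" "$1")
    if [ -n "$hits" ]; then
      echo "FAIL ($check):"
      echo "$hits" | sed 's/^/  /'
      bad=1
    fi
  done
  [ "$bad" -eq 0 ] && echo "OK: $1 has no setuid/setgid files, sbin executables or scheduled jobs"
  return "$bad"
}

# Stand-alone demo on a throwaway tree planted with violations.
demo=$(mktemp -d)
make_fixture "$demo" yes
audit_tree "$demo" || echo "(the findings above are the planted ones)"
rm -rf "$demo"
```

For a real review, replace the constructed fixture with the output of `dpkg-deb -x` on each binary package produced by the build and run `audit_tree` on the resulting directory; a non-zero exit status means at least one checklist item needs a closer look. Listening ports still have to be checked at runtime, for instance by running the installed binaries under supervision and inspecting the open sockets.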
[Quality assurance - function/usage]
* The package works well right after install
[Quality assurance - maintenance]
* The package is maintained well in Debian/Ubuntu and does not have too many
or long-standing critical bugs open
* The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
* The package runs a test suite at build time; if it fails,
the build fails
* The package runs an autopkgtest, and is currently passing
[Quality assurance - packaging]
* debian/watch is present and works
* debian/control defines a correct Maintainer field
* This package does not yield massive lintian warnings or errors
* Full output of `lintian --pedantic`:
```
P: gsasl source: update-debian-copyright 2014 vs 2021 [debian/copyright:44]
P: gsasl source: very-long-line-length-in-source-file configure line 13808 is 704 characters long (>512)
P: gsasl source: very-long-line-length-in-source-file examples/openid20/README line 92 is 807 characters long (>512)
P: gsasl source: very-long-line-length-in-source-file examples/saml20/README line 171 is 1396 characters long (>512)
P: gsasl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
```
* Lintian overrides are present, but ok because upstream does
not provide source-only tarballs
* This package has no python2 or GTK2 dependencies
* Packaging and build is easy. d/rules is concise and readable
[UI standards]
* Application is end-user facing; translation is present via gettext
[Dependencies]
* libgsasl-dev depends on a package from src:libntlm. MIR for
libntlm is here: https://bugs.launchpad.net/ubuntu/+source/libntlm/+bug/1976405
[Standards compliance]
* This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
* Owning Team will be foundations
* Team is not yet subscribed, but will subscribe to the package before promotion
* This does not use static builds
* This does not use vendored code
* The package successfully built during the most recent test rebuild
[Background information]
* The Package description explains the package well
* Upstream Name is GNU SASL
* Upstream Link is https://www.gnu.org/software/gsasl/