[Bug 2002818] Re: [MIR] mdurl
Mark Esler
2002818 at bugs.launchpad.net
Thu Feb 16 00:20:48 UTC 2023
I reviewed mdurl 0.1.1-2 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> URL utilities for markdown-it (a Python port)
- CVE History:
  - none
- Build-Depends?
  - lunar main
    - debhelper-compat (debhelper)
    - python3-all (python3-defaults)
  - lunar universe
    - dh-python
    - flit
    - pybuild-plugin-pyproject
    - python3-pytest (dh-python)
- pre/post inst/rm scripts?
  - yes, standard prerm and postinst generated by dh-python
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - runs build tests
  - not all decode tests have been implemented
    - https://github.com/executablebooks/mdurl/issues/2
  - recent lunar autopkgtests failing
- cron jobs?
  - none
- Build logs:
  - nothing significant
- Processes spawned?
  - none
- Memory management?
  - standard python
- File IO?
  - none
- Logging?
  - none
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - none
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
Security team ACK for promoting mdurl to main, after Foundations is
satisfied with autopkgtests.
** Bug watch added: github.com/executablebooks/mdurl/issues #2
https://github.com/executablebooks/mdurl/issues/2
** Changed in: mdurl (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: mdurl (Ubuntu)
Status: New => In Progress
https://bugs.launchpad.net/bugs/2002818
Title:
[MIR] mdurl
Status in mdurl package in Ubuntu:
In Progress
Bug description:
[Availability]
The package mdurl is already in Ubuntu universe.
The package mdurl builds for the architectures it is designed to work on.
It currently builds and works for architectures: all
Link to package https://launchpad.net/ubuntu/+source/mdurl
[Rationale]
- The package mdurl is required in Ubuntu main as it will be used by netplan.io (as a dependency of markdown-it-py, which will be a dependency of netplan.io and will also need an MIR), which is already in main. Netplan has a new command (netplan status) that uses python3-rich (which is migrating from commonmark to markdown-it-py and will also need an MIR)
- The package mdurl will generally be useful for a large part of our user base
- The package mdurl is a new runtime dependency of package netplan.io (indirectly) that we already support
- The package mdurl is required in Ubuntu main no later than Feb 23
due to feature freeze
[Security]
- Had 0 security issues in the past
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/mdurl/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mdurl
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, link to build log https://launchpadlibrarian.net/632299113/buildlog_ubuntu-lunar-amd64.mdurl_0.1.2-1_BUILDING.txt.gz
- The package runs an autopkgtest, and is currently passing on all but
i386 architectures, link to test logs
https://autopkgtest.ubuntu.com/packages/mdurl
- The package does not have failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package https://launchpadlibrarian.net/632299113/buildlog_ubuntu-lunar-amd64.mdurl_0.1.2-1_BUILDING.txt.gz
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy, link to d/rules
https://git.launchpad.net/ubuntu/+source/mdurl/tree/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations
- Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package successfully built during the most recent test rebuild
[Background information]
The Package description explains the package well
Upstream Name is mdurl
Link to upstream project https://github.com/executablebooks/mdurl