Review for Package: libde265 [Summary] MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs. This is a bit closer than usual, but since we have time you can work with upstream on those issues. This does need a security review, so I'll assign ubuntu-security. @security - please have a look at the past CVEs, it seemed to me some were handled slowly, many are still open is that a concern? List of specific binary packages to be promoted to main: libde265-0, libde265-dev Specific binary packages built, but NOT to be promoted to main: libde265-examples Required TODOs: #1 - Strictly speaking de256 has an encoding functionality, if there would be a chance could we use it for both and ignore x265 (or vice versa)? Could someone please engage with upstream if that is possible/feasible and either modify it to work that way or state and refer to the reasoning why it can't work well here? Also more common libs like ffmped/libavcodec do this, but they are not in main either :-/ #2 - this lacks build and autopkgtests, please add both to add some to make this properly covered and spot issues early on. #3 - upstream releases are fine, but sporadic. Please confirm that you are ok to cover work that might happen due to another downtime of year(s) and that you are confident and comfortable to own this package despite that. Recommended TODOs: #4 - Lintian warnings https://udd.debian.org/lintian/?packages=libde265 Could be worth a look to improve on them [Duplication] There seems to be no other package in main yet, but one has to wonder x265 AND de265 isn't that too much and duplicate at the current request level? But while I'd wish we could pick just one, it seems one is better at decoding and the other at encoding. From https://github.com/strukturag/libheif: "libheif makes use of libde265 for HEIF image decoding and x265 for encoding." de265 was added first, but the git history isn't mentioning in detail why x265 was added on top other than "for encoding". While I'd wish we could pick just one, it seems that isn't working well. I'll add a todo to at least try this and maybe disuss it upstream. => There is no other package in main providing the same functionality (kind of). [Dependencies] OK: - libheif will depend on libde265-0 which has no further dependencies outside of main -> no other Dependencies to MIR due to this - no -dev/-debug/-doc packages that need exclusion (libde265-dev has just libde265-0 as dependency) - No dependencies in main that are only superficially tested requiring more tests now. Problems: None [Embedded sources and static linking] OK: - no embedded source present - no static linking - does not have unexpected Built-Using entries - not a go package, no extra constraints to consider in that regard - not a rust package, no extra constraints to consider in that regard Problems: None [Security] OK: - does not run a daemon as root - does not use webkit1,2 - does not use lib*v8 directly - does not open a port/socket - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does not deal with security attestation (secure boot, tpm, signatures) - does not deal with cryptography (en-/decryption, certificates, signing, ...) Problems: - does parse data formats (images) from untrusted sources And that has been an attack vector in the past. - history of CVEs does look concerning, there was just one CVE but it took ~2 years to close it and even then the references weren't updated. Furthermore there seem to be just "30 CVEs" fixed in the last version. Might be a coincidence, but that is much. And there seem to be 35 more open except in the most recent version according to https://security-tracker.debian.org/tracker/source-package/libde265 This could be just a red herring with one underlying cause responsible for all these issues, but I'd like security to have a look anyway, they will know better. I'd leave the rating of that to the security team, it needs their review anyway. [Common blockers] OK: - does not FTBFS currently - This does not need special HW for build or test - no new python2 dependency Problems: - does not have a test suite that runs at build time - does not have a non-trivial test suite that runs as autopkgtest [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking is in place it has a few wanrings but on explcitly optional symbols - d/watch is present and looks ok - Debian/Ubuntu update history is good (matches upstream, and there isn't much more one could do) - the current release is packaged - promoting this does not seem to cause issues for MOTUs that so far maintained the package - d/rules is rather clean - It is not on the lto-disabled list Problems: - Upstream update history is sporadic, there are spikes of 1-4 releases in a short time and then nothing for years (like nov 20 -> oct 22). That isn't super-bad but indicates that is isn't the most organized huge project with regular releases. - Lintian warnings https://udd.debian.org/lintian/?packages=libde265 Could be worth a look to improve on them [Upstream red flags] OK: - no Errors/warnings during the build (just a few deprecations) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests) - no use of user nobody - no use of setuid - use of setuid, but ok because TBD (prefer systemd to set those for services) - no important open bugs (crashers, etc) in Debian or Ubuntu - no dependency on webkit, qtwebkit, seed or libgoa-* - not part of the UI for extra checks - no translation present, but none needed for this case (not user visible) Problems: - usage of allocations, there are a bunch of open "not reproducible" issues in regard to allocation, but also issues like https://github.com/strukturag/libde265/issues/330 Individually not super-bad, but together with the CVEs not too great either.