[NEW description DRAFT- WIP: updated the 11 packages that need to be promoted only (yes), revamping the other sections (wip)]
Please promote libmail-dmarc-perl and its universe dependencies (recursively) to main. According to `check-mir` (+ recursive searching) this would need ~44 packages to be promoted (as runtime binary dependencies, see original description if needed).
However, libmail-dmarc-perl is only used by the spamassassin package, and spamassasin only uses the validation feaure of DMARC, so we can narrow the necessary binaries dependencies to be promoted too. Those packages are the following ones (11):
* libemail-mime-perl: universe
MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880
- libemail-messageid-perl: universe
MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-messageid-perl/+bug/2030956
- libemail-mime-contenttype-perl: universe
MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-contenttype-perl/+bug/2030962
+ libtext-unidecode-perl: universe
MIR bug: https://bugs.launchpad.net/ubuntu/+source/libtext-unidecode-perl/+bug/2031109
- libemail-mime-encodings-perl: universe
MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-mime-encodings-perl/+bug/2031487
- libemail-simple-perl: universe
MIR bug: https://bugs.launchpad.net/ubuntu/+source/libemail-simple-perl/+bug/2031491
* libfile-sharedir-perl: universe
MIR bug https://bugs.launchpad.net/ubuntu/+source/libfile-sharedir-perl/+bug/2039566
+ libclass-inspector-perl: universe
MIR bug https://bugs.launchpad.net/ubuntu/+source/libclass-inspector-perl/+bug/2039569
* libnet-idn-encode-perl: universe
MIR bug https://bugs.launchpad.net/ubuntu/+source/libnet-idn-encode-perl/+bug/2038929
* libnet-ip-perl: universe
https://bugs.launchpad.net/ubuntu/+source/libnet-ip-perl/+bug/2039456
* libregexp-common-perl: universe
MIR bug https://bugs.launchpad.net/ubuntu/+source/libregexp-common-perl/+bug/2039563
The rest would be moved to Suggested dependencies.
[Availability]
The package libmail-dmarc-perl and all of its dependencies already exist in Ubuntu universe, and all build ok for the target architectures.
[Rationale]
tldr; DMARC support in SpamAssassin is important for stronger spam filtering.
Spam email is an ever-present and ever-evolving presence in our online lives, and SpamAssassin is a key tool for end users and service providers to identify likely spam for filtering. SpamAssassin 4.0, introduced in Ubuntu "lunar" 22.10, introduced a number of major new features including three new plugins, the most significant of which is the DMARC policy checker.
DMARC (or "Domain-based Message Authentication, Reporting & Conformance") is a new convention for email service providers to communicate to email recipient programs about how to handle authentication failures. It builds on prior protocols (namely, SPF and DKIM) to address their limitations. Essentially, DMARC protects against direct domain spoofing, such that when an email purports to be from a given domain (say, @gmail.com or @irs.gov) but fails proper authentication using the authentication methods published by that domain, it tells the email receiver whether to reject the email as spam, quarantine it for evaluation, or something else. DMARC also establishes a way for the email receiver to give feedback back to the sender about emails that failed to pass this check.
libmail-dmarc-perl contains the official Perl implementation of DMARC support. SpamAssassin is the primary user of this package
❯ apt-cache rdepends libmail-dmarc-perl
libmail-dmarc-perl
Reverse Depends:
spamassassin
and requires it in order to perform this DMARC evaluation: Spamassasin dmarc plugin [1] only uses the MAIL::DMARC::PurePerl module [2] and, inside it, the validate function in particular [3]. However, is true that it also could use the save_aggregate function if the dmarc_save_reports variable is set through mail-dmarc.ini to 1 (defaults is 0 [4], and also in the ini file [5]). That function will need the Mail::DMARC::Report::Store module and the Mail::DMARC::Report::URI module.
libmail-dmarc-perl is a relatively new source package that was proposed for lunar but deleted on 2023-05-01 due to build/autopkgtest issues and later re-introduced to mantic once those issues were resolved, on 2023-06-13.
[1] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm)
[2] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n242)
[3] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n322)
[4] (https://git.launchpad.net/ubuntu/+source/spamassassin/tree/lib/Mail/SpamAssassin/Plugin/DMARC.pm#n111)
[5] (https://git.launchpad.net/ubuntu/+source/libmail-dmarc-perl/tree/share/mail-dmarc.ini#n21)
[Security]
"libmail-dmarc-perl" turns up zero CVE or other records in mitre.org, openwall, ubuntu.com/security, or security-tracker.debian.org. Broadening the search to "spamassassin dmarc" shows only a single issue within the past few years, CVE-2022-3620, which appears to be more of an issue in exim4 specifically, and has been deemed not relevant to the exim4 package shipped in Ubuntu (See https://ubuntu.com/security/CVE-2022-3620).
I've not individually checked the specific perl modules involved here, but from a detailed review of the package histories I did not spot any security activity. Presumably this indicates that the level of security support for the lot is going to be quite low or negligible. Given that many of these modules are core Perl components, I would expect they receive adequate security attention from their upstream maintainers, and given the low rate of change of the packages the security risk from them is low.
In general Perl libraries do not install executables to /sbin or /usr/sbin, and by definition do not install services, do not open privileged ports, or modify security-sensitive software. Again, I've not individually checked each module to verify, but such situations would seem exceptional.
[Quality assurance - function/usage]
I've verified libmail-dmarc-perl installs with its required installation dependencies.
I've verified in a mantic LXC container that its required build dependencies get installed, and both debuild -S and debuild pass without error.
I've run libmail-dmarc-perl's autopkgtest locally in LXC, verified it invokes the upstream testsuite, and all test cases pass without issue.
I've not verified the build/autopkgtest of all the component dependency perl modules, however Perl modules tend to receive ample attention via proposed-migration's update-excuses page, and presently none of the perl modules in this MIR are listed as having issues.
Integration with spamassassin has been tested by co-installing it, updating the configuration, running sa-compile, and checking for errors. Behavioral performance was checked by running:
$ spamassassin --debug < /home/bryce/pkg/Spamassassin/spam.mbox
I unfortunately was not able to verify a successful DMARC processing of emails, however the presence of the module and enabling configuration statements did not cause any errors or failures.
[Quality assurance - maintenance]
I've checked each Perl module's package history. Most have been around for many, many years and most have zero bugs in Ubuntu, others have a small number that have been closed, and a few have a small number of open bugs but none that appear concerning. I only spot checked bug reports upstream and in Debian, but bug activity there was similarly light. I didn't spot any open bugs that looked important or worth highlighting; see below for the per-package bug analysis.
[Quality assurance - testing]
I ran libmail-dmarc-perl's autopkgtest, which invokes the upstream testsuite. No errors were produced by this. I did not review or run autopkgtests for libmail-dmarc-perl's dependencies however I did verify none are listed on mantic's update-excuses page for proposed-migration so there are at least no known issues.
Nearly all these perl modules have been around for many years, so their testing status and behavior is well established.
[Quality assurance - packaging]
Debian covers the packaging needs adequately for these packages. Most of these packages receive upstream releases only infrequently, and Debian seems to be on top of keeping them up to date. An in-depth study of watch files, lintian, etc. was not performed but is not expected to be noteworthy, regardless of state.
All packages were verified as not relying on obsolete or demoted packages; see the per-package analysis below for detailed discussion.
[UI Standards]
Application is not end-user facing (does not need translation)
[Dependencies]
Unfortunately, since it's a new package, libmail-dmarc-perl resides in universe. Since spamassassin lives in main, this creates a component mismatch. Compounding the issue, libmail-dmarc-perl itself depends on other source packages that also are only available via universe.
The MIR process (https://github.com/canonical/ubuntu-mir) indicates that Build dependencies can be in universe, so we'll focus just on the binary dependencies (the build dependencies get rather involved.)
[Standards Compliance]
These packages correctly follow FHS and Debian Policy
[Maintenance/Owner]
libmail-dmarc-perl and its dependencies are maintained by the Debian project, and acceptably maintained by them and the Perl project upstream. In Ubuntu, these packages will be added to the ubuntu-server team's list once this MIR is accepted, if they're not covered already by other teams (the Foundations team has covered maintenance at points in the past).
This package does not use vendered code, is not rust-based, and does not have build issues currently identified.
Actually, this shouldn't be tasks nowadays. Individual bugs would be better.
Since they are so similar all the meta-discussion can happen here.
And a link farm to reach the others is useful, see how Lucas has done pcs.
So the others can - for now - be shallow forks for tooling to work well.