MIRTeam
Introduction
The Ubuntu MIR Team reviews packages for promotion from universe to main. See MainInclusionProcess for information on how to request an MIR.
Reviewing
The primary decision a reviewer is making is "Will this package be well maintained in main?" The following guidelines are just ways to help you answer to that question.
Duplication
One easy way to avoid the burden of maintaining the package is to not use it in the first place! If a package is pulling in some random jpeg parsing library that needs a MIR, maybe it makes more sense to patch the package to just use libjpeg instead. Keep an eye out for duplicated functionality in main, since that makes bug fixing and security reviewing that much harder.
Security
Determine if the package may have security implications (has a history of CVEs, runs a daemon as root, uses webkit1, uses libqt*v8 directly, parses data formats, opens a port, processes arbitrary web content, uses centralized online accounts, integrates arbitrary javascript into the desktop, deals with system authentication (eg, pam), etc). Err on the side of caution.
If the package is security sensitive, you have two options. You can either review as much as you can and then assign to the ubuntu-security team. Or you can immediately re-assign to a member of the MIR Team that is also on the Security Team (there is usually at least one).
While qt5webkit is in main, it is temporary
Common blockers
- Does it FTBFS currently?
- Does it have a test suite? Make sure it's being run and will fail the build upon error.
- Does it have a team bug subscriber?
- If it's a Python package, does it use dh_python?
- If it's a Python package going on the desktop CD, will it pull in Python 2?
Packaging red flags
- Does Ubuntu carry a delta?
- If it's a library, does it either have a symbols file or use an empty argument to dh_makeshlibs -V? (pass such a patch on to Debian, but don't block on it)
- Does it have a watch file?
- Is its update history slow or sporadic?
- Is the current release packaged?
- Will entering main make it harder for the people currently keeping it up to date? (i.e. are they only MOTUs?)
- Lintian warnings
- Is debian/rules a mess? Ideally it uses dh7 and overrides to make it as tiny as possible.
Upstream red flags
- Errors/warnings during the build
- Incautious use of malloc/sprintf
- Uses of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- Important bugs (crashers, etc) in Debian or Ubuntu
- Dependency on webkit, qtwebkit, seed or libgoa-*
If this is a scope for the Unity Dash, does it honor the privacy settings?
Tools
check-mir can be run from a checked out source and tell you which dependencies are in universe.
seeded-in-ubuntu PACKAGE can tell you whether and how a given PACKAGE is seeded
reverse-depends can tell you reverse source or binary depends, per component
