MainInclusionReportLibmx4jJava

Main Inclusion Report for libmx4j-java

Requirements

  1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/libm/libmx4j-java; available for all supported architectures

  2. Rationale:

    • dependency of java-gcj-compat (>= 1.0.69), to be uploaded for feisty

  3. Security:

  4. Quality assurance:

  5. Standards compliance:

    • FHS, Debian Policy compliant

    • Use cdbs packaging system (debhelper/cdbs/dbs), simple-patchsys
  6. Dependencies:

    • Dependencies all in main, except axis, wsdl4j, libcommons-discovery-java

Reviewers

Ian Jackson writes:

  • I have reviewed this package and it appears to be a system for allowing remote management of Java programs. It is not clear to me from the report what the security mechanisms are. How do Java programs use this library? How does access control work? These are what the template is getting at when it talks about network activity.
  • I did a search for relevant vulnerabilities and found a bug in 'James', a Java program which uses mx4j for management. It wasn't entirely clear to me that this was mx4j's fault, but neither is it clear to me that it wasn't. The proponent should have found this problem and reported it in the MIR.

  • It is not clear to me why java-gcj-compat Depends on this library but then I'm not very familiar with Java.
  • The MIR should mention that mx4j was previously known as openjmx. I have added an explicit item about this in the MainInclusionReviewTemplate.

If the above questions can be addressed satisfactorily then there won't be a problem but for now I'm afraid the request is Rejected pending rework.

  • -iwj 28.2.2007

MainInclusionReportLibmx4jJava (last edited 2008-08-06 16:27:03 by localhost)