Main Inclusion Report for wv

Requirements

1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/w/wv; available for all supported architectures or some subset ? *All platforms*

2. Rationale:

   • Build dependency of abiword 2.6, see https://bugs.launchpad.net/ubuntu/+source/abiword/+bug/202174

   • Previous version (<2.6.0) releases of AbiWord included libwv in the source tarball - duplicated source. For 2.6 we now use the version of libwv installed as a shared library on the system. The library is still under the same maintainership (together with AbiWord by AbiSource/Dom Lachowicz).

3. Security:

   • CVE entries: 3, none since 2006. I recall these and remember they were handled professionally.

   • Secunia history: A variety of products, between which 1 vulnerability appears shared between Secunia and CVE. Again, nothing since 2006. There are a few ancient bugs (pre-1.0) in this report again. Don't be confused by "wv2" - Ubuntu has the nearly-most-recent release. (1.2.4 - 1.2.5 was released 31 march)

   • Any binaries running as root or suid/sgid ? Any daemons ? No to all - there are some optional binaries if you install the "wv" binary package that do conversions, but again, no root.

   • Network activity: does it open any port ? Does it handle incoming network data ? No, it is just a word file loading library.

   • Does it directly (not through a library) process binary (video, audio, etc) or structured (PDF, etc) data ? Yes, directly handles loading Word binary DOC files.

   • Any source code review performed ? (The approver will do a quick and shallow check.) Not quite sure what this question asks - yes, the source code has been reviewed, not sure if by Ubuntu, but by others. Library is included in basically every other Linux distro, too.

4. Quality assurance:

   • In what situations does the package not work out of the box without configuration ? None - the only user binaries are some simple apps to do convesions of Word to other formats. It is primarily a shared library used by AbiWord and other programs needing to load Word files.

   • Does the package ask any debconf questions higher than priority 'medium' ? No.

   • Debian bugs: No showstoppers - mainly just "wv doesn't load this file" or "the deprecated binary utilities that come with don't produce nice output" (which is why they are deprecated).

   • Maintenance in Debian is frenetic/vigorous/calm/dead ? Calm - to be expected given that there wasn't an upstream source release, due to lack of neccessity, in some time.

   • Upstream is frenetic/vigorous/calm/dead ? Calm to vigorous - the library is feature complete but is maintained alongside AbiWord, which is vigorously developed. Development mostly involves fixing behavior when in broken environments or with unusual documents.

   • Upstream bug tracker: few bugs, no showstoppers.

   • Hardware: Does this package deal with hardware and if so how exotic is it ? No interaction with hardware.

   • Is there a test suite in the upstream source or packaging ? Is it enabled to run in the build ? Not sure - there does not appear to be a test suite running in the build, but I think there is one included.

5. Standards compliance:

   • FHS, Debian Policy compliance ? Yes, although debian did write something rude (and unjustified) in the changelog once.

   • Debian library packaging guide standards compliance ? No known problems.

   • Packaging system (debhelper/cdbs/dbs) ? Patch system ? Any packaging oddities ? debhelper, looks very simple.

6. Dependencies:

   • debhelper (>= 5), dpatch, autotools-dev, libglib2.0-dev, libgsf-1-dev (>= 1.13.0), zlib1g-dev, libpng12-dev, libxml2-dev, libwmf-dev (>= 0.2.7-1)

   • Are these all in main ? Yes.

7. Background information:

   • The general purpose and context of the package should be clear from the package's debian/control file. If it isn't then please explain. Very straightforward - a library for loading Word files, with some example conversion apps that consume the library. For example, beagle depends on it to index Word files, etc.

   • What do upstream call this software ? Has it had different names in the past ? wv, used to be called mswordviewer and wvware. Now, only occasionally are the binaries executables called wvware, and most of the attention is on the libwv portion.

Reviewers

MIR bug: https://bugs.launchpad.net/ubuntu/+source/wv/+bug/215209

RyanPavlik2

MartinPitt: I would not like to approve that. We already have wv2 in main, so this duplicates functionality and two diffent APIs to read Word files. Can Abiword build against wv2, or maybe this can be disabled?

RyanPavlik2: wv2 is not newer than libwv-1.2. wv2 is an external rewrite that is no longer maintained, while Dom (the wv maintainer) kept improving and maintaining wv. It looks like only kword uses wv2, and I am not sure why they have not switched to the maintained library. Word import cannot be disabled.

RyanPavlik2: Interestingly enough, it looks like only kword (in its kde 3.5 and kde 4 incarnations) depend on wv2, and it seems as though it was a KDE fork from a long time ago. I am asking folks in the Abi and WV community for more details. By looking in the CVS archive of wv2, I can see that development essentially stopped four years ago - a build fix was committed three years ago, a CVE vuln fix was committed 22 months ago, but no actual apparent progress. http://wvware.cvs.sourceforge.net/wvware/wv2/

On the other hand, wv-1.2 just had a release featuring a bunch of fixes on the 31st of March, with steady development progress since the beginning of the project (stats should be possible to get through SVN, though I just browsed my SVN commit email). This should assure you of its maintenance and value as a part of the F/OSS ecosystem, an essential library for a popular word processor, and a library with a very different life than the confusingly-named wv2.

RyanPavlik2: I got an ambiguous OK on IRC 14-apr-2008 and so am posting this update as a bit of a "Ping" - I am putting into motion my efforts to get the current package reviewed and uploaded for AbiWord and so having a definitive answer here and in Launchpad for this dependency is reasonably time-critical.

MartinPitt: thanks for the explanations. I'm ok with re-promoting it to main then.