MainInclusionReportPinentry

Main Inclusion Report for pinentry

Requirements

  1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/p/pinentry/ - available for all supported architectures

  2. Rationale:

    • Pinetry-qt (or one of the other pinentry binaries in pinentry-x11, but pinentry-qt is most suitable for Kubuntu) is needed to meet the goal in the https://wiki.kubuntu.org/KubuntuGutsyPlan specification for Gutsy to support S/MIME signing and verification by default in kmail/kontact.

    • Once approved, pinentry-qt will be added as a dependency for kmail. Currently, only the pinentry-qt binary is required in main.

  3. Security:

    • CVE entries: There are only two for distribution specific issues in other distros.

    • Secunia history: The only issue listed is one of the CVEs mentioned above.

    • No binaries running as root or suid/sgid. No daemons.
    • Network activity: Does not open any port. Does not handle incoming network data.
    • No source code review performed, but pinentry is widely used and has been very stable for quite some time.

  4. Quality assurance:

    • In what situations does the package not work out of the box without configuration ? None known
    • Does the package ask any debconf questions higher than priority 'medium' ? No

    • Debian bugs: No show stoppers. pinentry-gtk appears to have one significant bug, but it's never been reported in Ubuntu. No recent bug reports at all.

    • Maintenance in Debian is very quiet (but no obvious need for activity except updating to the latest standards version).

    • http://www.gnupg.org/aegypten/ is very calm. No recent pinentry releases (Project is complete), but other gnupg work continues.

    • Upstream bug tracker has no unresolved pinentry issues.

    • Hardware: This package does not deal with hardware.

  5. Standards compliance:

    • FHS, Debian Policy compliance ? Yes although it's still compat 4/Standards version 3.6.2.1. It appears that it could be bumped to compat 5 with no changes other than dependency versioning.

    • Debian library packaging guide standards compliance ? No libraries installed.

    • Packaging system (debhelper/cdbs/dbs) ? cdbs Patch system ? None Any packaging oddities ? No

  6. Dependencies:

    • Build dependencies are debhelper (>= 4.1.0), cdbs (>= 0.4.0), m4, libncurses5-dev, libgtk1.2-dev, libglib1.2-dev, and libqt3-mt-dev.

    • All are in main.
    • Dependencies are just ${shlibs:Depends}, ${misc:Depends} and these do not generate anything that is not in main.
    • Since Ubuntu has not built the package since Dapper, I test built it in a current Gutsy pbuilder and it built with no issues.

  7. Background information:

    • The general purpose and context of the package is clear from the package's debian/control file.
    • What do upstream call this software ? pinentry Has it had different names in the past ? No.

Reviewers

MartinPitt: this needs some upstream love to work with gtk 2 and qt 4. I will not accept new packages into main which need glib/gtk 1.2, since we are working on getting rid of it. Please either make the package use gtk 2.0 or disable the gtk module for now (bad alternative, but possible). Same argument for Qt, though, if upstream is dead, then sooner or later we have to make it use Qt4.

ScottKitterman: The gtk2 package is already present. I am preparing an ubuntu1 update that will remove the gtk1 package. I will contact upstream and whine about Qt4 support.

Request for pinentry-qt4 is submitted.

New pinentry package uploaded that removes pinentry-gtk.

MartinPitt: approved now, thank you

MainInclusionReportPinentry (last edited 2008-08-06 16:27:13 by localhost)