On Fri, Feb 11, 2022 at 11:35:07AM -0300, Andreas Hasenack wrote:
> Hi, I have a question for the MIR (Main Inclusion Request) team members,
> New version of nfs-utils upstream (src:nfs-utils in main) pulled[1] in
> code (regex.c file) from another upstream project[2], for which we
> have a package in universe: src:libnfsidmap-regex
> Would this require another MIR review? I mean, in general, once a
> package is in main, we don't apply the MIR guidelines to it anymore,
> and they can usually change the code as the project sees fit.
> It just so happens this time we have this exact scenario where the
> code that was pulled already exists and is the sole purpose of
> another, universe, package.
> My options are basically:
> a) have src:nfs-utils build bin:libnfsidmap-regex and remove
> src:libnfsidmap-regex from the archive
> b) build src:nfs-utils without producing bin:libnfsidmap-regex, and
> keep building src:libnfsidmap-regex from universe as usual
> Option (b) will incurr in delta with debian. I believe[3] Debian will
> eventually remove/obsolete src:libnfsidmap-regex
> 1. http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=940caffdfb9953a2ccfecec81664e4a179753461
> 2. https://github.com/isginf/libnfsidmap-regex
> 3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925022#20
I think you should submit it for an additional MIR review if and only if
there is reason to consider the new library security-sensitive. (If it's a
library that will be used by one of the NFS daemons, that's a good reason to
think it's security-sensitive.)
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer https://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
