libosso review:
- should not be a native package
- libosso-test is empty
- libosso-dev ships the same html files as -doc, they should be removed
- What is the motivation for the separate libosso-dbus-conf package? the description does not say much about the purpose, and none of the binaries ship any dbus service.
- the system bus policy currently says "allow all operations for all users on all backends", which is not acceptable for a package in main (since this opens a huge security hole if someone installs this on an Ubuntu desktop system).
- The session bus policy has the same problem, it allows all users to connect to all other user's session buses. That might not be a problem on mobile devices, but if they get multiuser support, or run some privilege separation (e. g. between browser and local apps), then this should be restricted sensibly, too.
libosso review:
- should not be a native package
- libosso-test is empty
- libosso-dev ships the same html files as -doc, they should be removed
- What is the motivation for the separate libosso-dbus-conf package? the description does not say much about the purpose, and none of the binaries ship any dbus service.
- the system bus policy currently says "allow all operations for all users on all backends", which is not acceptable for a package in main (since this opens a huge security hole if someone installs this on an Ubuntu desktop system).
- The session bus policy has the same problem, it allows all users to connect to all other user's session buses. That might not be a problem on mobile devices, but if they get multiuser support, or run some privilege separation (e. g. between browser and local apps), then this should be restricted sensibly, too.