[Bug 1884003] Re: [MIR] libjcat

Christian Ehrhardt  1884003 at bugs.launchpad.net
Wed Aug 12 12:01:06 UTC 2020 

This is MIR Team and security team Acked, Foundations is the bug subscriber and it shows up in component mismatches (only for proposed atm).
Never the less this is ready for promotion - setting the state to Committed per [1]

[1]:
https://wiki.ubuntu.com/MainInclusionProcess?action=show&redirect=MIRTeam#Process_states

** Changed in: libjcat (Ubuntu)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libjcat in Ubuntu.
https://bugs.launchpad.net/bugs/1884003

Title:
  [MIR] libjcat

Status in libjcat package in Ubuntu:
  Fix Committed

Bug description:
  [Availability]
  Available in Ubuntu universe for Focal and Groovy.
  Synced from Debian unstable.

  [Rationale]
  fwupd 1.4.x and later have removed GPG and PKCS7 functionality in favor of the functionality being provided by the library "libjcat".  This library adds additional features and a new file format that can encaspulate content and signatures together.

  Right now Ubuntu is limited in advancing to the 1.4.x or 1.5.x
  releases until libjcat is available in main.

  [Security]
  The recently released CVE-2020-10759 affected libjcat.
  No other CVE's have been released.

  [Quality assurance]
  * No configuration necessary.
  * No debconf questions
  * No long outstanding bugs
  * No bugs open in Debian or Ubuntu.
  * Upstream only has feature request bugs.
  * Test suite is part of packaging
  * Doesn't rely upon demoted packages

  [Dependencies]
  All dependencies for the library package are in main.

  [Standards compliance]
  Adheres to major Debian standards.

  [Maintenance]
  Maintained by debian-efi team in Debian.
  Propose to be maintained by foundations team in Ubuntu.
  In general, plan to sync from Debian however.

  [Background information]
  Fwupd 1.4.0 split out the GPG/PKCS7 handling to this separate library to support a change in how the client would interact with the LVFS backend.  This change fixes race conditions that clients can encounter when metadata and detached signatures are momentarily out of sync on LVFS CDN during the signing process.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libjcat/+bug/1884003/+subscriptions

More information about the foundations-bugs mailing list