[Bug 1977959] Re: [MIR] libisoburn, libburn, libisofs
Didier Roche
1977959 at bugs.launchpad.net
Tue Jun 21 05:03:06 UTC 2022
[Summary]
MIR review for libisofs
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does not need a security review
List of specific binary packages to be promoted to main: libisofs-dev, libisofs-doc, libisofs6
Notes:
Required TODOs:
- Symbol tracking is not in place for libisofs. Please add some tracking for the libburn symbols.
Recommended TODOs:
- This package has more lintian issues than others (and not only pedantic ones). As previously, warnings are always asking for more warnings IMHO and those are really easy to fix (files in debian/copyright that are not present). Can we clean them?
- The package should get a team bug subscriber before being promoted
[Duplication]
libisoburn/libisofs/libburn will replace genisoimage usage in main.
[Dependencies]
OK:
- no other Dependencies to MIR due to this.
- libburn checked with `check-mir`
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
OK:
- not a go package, no extra constraints to consider in that regard
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
[Common blockers]
OK:
- does not FTBFS currently
- does rely on libisoburn releng non-trivial test suite that runs as autopkgtest for both build test and package test.
- no new python2 dependency
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- d/watch is present and looks ok
- Upstream update history is slow (but acceptable for this kind of project due to the history)
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- d/rules is rather clean
- It is not on the lto-disabled list
Problems:
- Several lintian warnings that ought to be simple to fix. I think we should have a lintian-clean package (excluding pedantic) at least.
- symbol tracking is not in place for libburn and only relies on shlibs. Any reason to not have a real symbol tracking?
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests).
- no use of user nobody
- use of setuid possible, but ok because in cdrskin which we don’t consider and not by default.
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but not needed.
** Changed in: libburn (Ubuntu)
Assignee: Didier Roche (didrocks) => (unassigned)
** Changed in: libisoburn (Ubuntu)
Assignee: Didier Roche (didrocks) => (unassigned)
** Changed in: libisofs (Ubuntu)
Assignee: Didier Roche (didrocks) => (unassigned)
** Changed in: libburn (Ubuntu)
Status: Confirmed => Incomplete
** Changed in: libisofs (Ubuntu)
Status: Confirmed => Incomplete
** Changed in: libisoburn (Ubuntu)
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to usb-creator in Ubuntu.
https://bugs.launchpad.net/bugs/1977959
Title:
[MIR] libisoburn, libburn, libisofs
Status in libburn package in Ubuntu:
Incomplete
Status in libisoburn package in Ubuntu:
Incomplete
Status in libisofs package in Ubuntu:
Incomplete
Status in usb-creator package in Ubuntu:
New
Bug description:
[Availability]
The packages libisoburn, libburn, libisofs are already in Ubuntu universe.
The packages libisoburn, libburn, libisofs build for the architectures they are designed to work on.
They currently build and work for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to packages:
[[https://launchpad.net/ubuntu/+source/libisoburn]]
[[https://launchpad.net/ubuntu/+source/libburn]]
[[https://launchpad.net/ubuntu/+source/libisofs]]
[Rationale]
- The package libisoburn is required in Ubuntu main for usb-creator, and libburn and libisofs are dependencies of libisoburn.
- The package libisoburn will generally be useful for a large part of
our user base as usb-creator is seeded
- Package libisoburn covers the same use case as genisoimage, but is better
because contrary to genisoimage, it is actively maintained upstream, upstream engages with launchpad issues and
we have been using xorriso for years now instead of genisoimage in the official Ubuntu image pipeline,
thereby we want to replace it.
- The package libisoburn is a new runtime dependency of package usb-creator that
we already support
- It would be great and useful to community/processes to have the
package libisoburn in Ubuntu main, but there is no definitive deadline.
[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Packages do not install services, timers or recurring jobs
- Packages do not open privileged ports (ports < 1024)
[Quality assurance - function/usage]
- The packages work well right after install
[Quality assurance - maintenance]
- The packages are maintained well in Debian/Ubuntu and have not any
long term critical bugs open
libisoburn:
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libisoburn/+bug
=> only 1 bug from 2021 on Focal image on ppc64el which received lots of answers
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libisoburn
=> only 4 wishlist items
libburn:
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libburn/+bug
=> 0 bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libburn
=> 0 bug
libisofs:
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libisofs/+bug
=> 0 bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libisofs
=> 0 bug
- The packages do not deal with exotic hardware we cannot support
[Quality assurance - testing]
libisoburn:
- The package runs *one very simple test* at build time, if it fails it makes the build fail, link to build log (https://launchpadlibrarian.net/564560287/buildlog_ubuntu-jammy-amd64.libisoburn_1.5.4-2_BUILDING.txt.gz).
- The package does not run an autopkgtest because the official test suite was not enabled.
- The package can be tested by enabling the "releng" testsuite that is present in the package that we will enable before the promotion: https://launchpad.net/~alexghiti/+archive/ubuntu/riscv/+sourcepub/13673188/+listing-archive-extra
libburn:
- The package does not run a test at build time because it relies on "releng" testsuite enabled in libisoburn.
- The package does not run an autopkgtest because it relies on "releng" testsuite enabled in libisoburn.
- The package will take advantage of the enablement of "releng" testsuite in libisoburn.
libisofs:
- The package does not run a test at build time because it relies on "releng" testsuite enabled in libisoburn.
- The package does not run an autopkgtest because it relies on "releng" testsuite enabled in libisoburn.
- The package will take advantage of the enablement of "releng" testsuite in libisoburn.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Those packages do not yield massive lintian Warnings, Errors:
libisoburn:
- Please link to a recent build log of the package https://launchpadlibrarian.net/564560287/buildlog_ubuntu-jammy-amd64.libisoburn_1.5.4-2_BUILDING.txt.gz
P: libisoburn source: maintainer-manual-page debian/local/libisoburn.3
P: libisoburn source: package-uses-old-debhelper-compat-version 12
P: libisoburn source: silent-on-rules-requiring-root [debian/control]
P: libisoburn source: trailing-whitespace debian/control (line 154)
- Lintian overrides are present (https://salsa.debian.org/optical-media-team/libisoburn/-/blob/master/debian/libisoburn1.lintian-overrides), but ok because there are only 2 spelling overrides (spelling-error-in-binary) that are kept for compatibility with frontends.
libburn:
- Please link to a recent build log of the package https://launchpadlibrarian.net/564542502/buildlog_ubuntu-jammy-amd64.libburn_1.5.4-1_BUILDING.txt.gz
P: libburn source: package-uses-old-debhelper-compat-version 12
P: libburn source: silent-on-rules-requiring-root [debian/control]
- Lintian overrides are present (https://salsa.debian.org/optical-media-team/libburn/-/blob/master/debian/libburn4.lintian-overrides), but ok, it is an exit-in-shared-library, which is only an info.
libisofs:
- Please link to a recent build log of the package https://launchpadlibrarian.net/564542190/buildlog_ubuntu-jammy-amd64.libisofs_1.5.4-1_BUILDING.txt.gz
W: libisofs source: superfluous-file-pattern libtool.m4 [debian/copyright:143]
W: libisofs source: superfluous-file-pattern ltoptions.m4 [debian/copyright:147]
W: libisofs source: superfluous-file-pattern ltsugar.m4 [debian/copyright:17]
W: libisofs source: superfluous-file-pattern ltversion.m4 [debian/copyright:17]
W: libisofs source: superfluous-file-pattern lt~obsolete.m4 [debian/copyright:17]
P: libisofs source: package-uses-old-debhelper-compat-version 12
P: libisofs source: silent-on-rules-requiring-root [debian/control]
=> the warnings only link to entries in debian/copyright that
point to non-existing files in the package.
- Lintian overrides are not present
- Those packages do not rely on obsolete or about to be demoted packages.
- Those packages have no python2 or GTK2 dependencies
- Those packages will be installed by default, but do not ask debconf
questions higher than medium
- Packaging and build is easy, link to d/rules
libisoburn: https://salsa.debian.org/optical-media-team/libisoburn/-/blob/master/debian/rules
libburn: https://salsa.debian.org/optical-media-team/libburn/-/blob/master/debian/rules
libisofs: https://salsa.debian.org/optical-media-team/libisofs/-/blob/master/debian/rules
[UI standards]
- libisofs and libburn packages produce a binary package whose application is end-user facing and translation is not present.
- End-user applications without desktop file, not needed because those are very niche applications that most users won't ever use.
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them is at jigit (TODO)
- There are further dependencies that are not yet in main, the MIR
process for them is handled as part of this bug here since libburn and libisofs are part of the same upstream project.
[Standards compliance]
- Those packages correctly follow FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations
- Team is not yet, but will subscribe to the packages before promotion
- They do not use static builds
- They do not use vendored code
- The packages successfully built during the most recent test rebuild
libisoburn: https://launchpad.net/ubuntu/+archive/test-rebuild-20220317-jammy/+packages?field.name_filter=libisoburn&field.status_filter=published&field.series_filter=
libburn: https://launchpad.net/ubuntu/+archive/test-rebuild-20220317-jammy/+packages?field.name_filter=libburn&field.status_filter=published&field.series_filter=
libburn: https://launchpad.net/ubuntu/+archive/test-rebuild-20220317-jammy/+packages?field.name_filter=libisofs&field.status_filter=published&field.series_filter=
[Background information]
The Package descriptions explain the packages well
Upstream Name is libisoburn, libburn and libisofs respectively
Link to upstream project https://dev.lovelyhq.com/libburnia/web/wiki