[Bug 1977959] Re: [MIR] libisoburn, libburn, libisofs
Didier Roche
1977959 at bugs.launchpad.net
Tue Jun 21 05:02:50 UTC 2022
[Summary]
MIR review for libisoburn
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does not need a security review
List of specific binary packages to be promoted to main: xorriso, libisoburn1, libisoburn-dev, libisoburn-doc
Notes:
Required TODOs:
- In addition to this MIR for the 3 packages, ensure that jigit MIR is also acked (https://bugs.launchpad.net/ubuntu/+source/jigit/+bug/1978066).
- Symbol tracking is not in place for libisoburn. Please add some tracking for the libisoburn symbols.
Recommended TODOs:
- There are quite a lot of warnings during build (see section), I think some of them are valid and should be fixed. Mind looking at them? (Warnings are always asking for more warnings and could be overlooked)
- The package should get a team bug subscriber before being promoted
[Duplication]
libisoburn/libisofs/libburn will replace genisoimage usage in main.
[Dependencies]
OK:
- no other Dependencies to MIR due to this than the ones listed in description and jigit which is in another MIR (https://bugs.launchpad.net/ubuntu/+source/jigit/+bug/1978066)
- libisoburn checked with `check-mir`
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.
Problems:
- ensure that jigit MIR is acked (https://bugs.launchpad.net/ubuntu/+source/jigit/+bug/1978066)
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
OK:
- not a go package, no extra constraints to consider in that regard
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- does have the releng non-trivial test suite that runs as autopkgtest
- no new python2 dependency
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
control
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is slow (but acceptable for this kind of project due to the history)
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list
Problems:
- symbol tracking is not in place for libisoburn and it only relies on shlibs. Any reason to not have a real symbol tracking?
[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests) as long as xorriso-dd-target is excluded.
- no use of user nobody
- use of setuid possible, but ok because xorriso does not by default.
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case
Problems:
- There are a bunch of warnings during builds. Some of them sound fixable and it’s probably the right time to look at them.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to usb-creator in Ubuntu.
https://bugs.launchpad.net/bugs/1977959
Title:
[MIR] libisoburn, libburn, libisofs
Status in libburn package in Ubuntu:
Incomplete
Status in libisoburn package in Ubuntu:
Incomplete
Status in libisofs package in Ubuntu:
Incomplete
Status in usb-creator package in Ubuntu:
New
Bug description:
[Availability]
The packages libisoburn, libburn, libisofs are already in Ubuntu universe.
The packages libisoburn, libburn, libisofs build for the architectures they are designed to work on.
They currently build and work for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to packages:
[[https://launchpad.net/ubuntu/+source/libisoburn]]
[[https://launchpad.net/ubuntu/+source/libburn]]
[[https://launchpad.net/ubuntu/+source/libisofs]]
[Rationale]
- The package libisoburn is required in Ubuntu main for usb-creator, and libburn and libisofs are dependencies of libisoburn.
- The package libisoburn will generally be useful for a large part of
our user base as usb-creator is seeded
- Package libisoburn covers the same use case as genisoimage, but is better
because contrary to genisoimage, it is actively maintained upstream, upstream engages with launchpad issues and
we have been using xorriso for years now instead of genisoimage in the official Ubuntu image pipeline,
thereby we want to replace it.
- The package libisoburn is a new runtime dependency of package usb-creator that
we already support
- It would be great and useful to community/processes to have the
package libisoburn in Ubuntu main, but there is no definitive deadline.
[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Packages do not install services, timers or recurring jobs
- Packages do not open privileged ports (ports < 1024)
[Quality assurance - function/usage]
- The packages work well right after install
[Quality assurance - maintenance]
- The packages are maintained well in Debian/Ubuntu and do not have any
long-term critical bugs open
libisoburn:
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libisoburn/+bug
=> only 1 bug from 2021 on Focal image on ppc64el which received lots of answers
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libisoburn
=> only 4 wishlist items
libburn:
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libburn/+bug
=> 0 bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libburn
=> 0 bug
libisofs:
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libisofs/+bug
=> 0 bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libisofs
=> 0 bug
- The packages do not deal with exotic hardware we cannot support
[Quality assurance - testing]
libisoburn:
- The package runs *one very simple test* at build time, if it fails it makes the build fail, link to build log (https://launchpadlibrarian.net/564560287/buildlog_ubuntu-jammy-amd64.libisoburn_1.5.4-2_BUILDING.txt.gz).
- The package does not run an autopkgtest because the official test suite was not enabled.
- The package can be tested by enabling the "releng" testsuite that is present in the package that we will enable before the promotion: https://launchpad.net/~alexghiti/+archive/ubuntu/riscv/+sourcepub/13673188/+listing-archive-extra
libburn:
- The package does not run a test at build time because it relies on "releng" testsuite enabled in libisoburn.
- The package does not run an autopkgtest because it relies on "releng" testsuite enabled in libisoburn.
- The package will take advantage of the enablement of "releng" testsuite in libisoburn.
libisofs:
- The package does not run a test at build time because it relies on "releng" testsuite enabled in libisoburn.
- The package does not run an autopkgtest because it relies on "releng" testsuite enabled in libisoburn.
- The package will take advantage of the enablement of "releng" testsuite in libisoburn.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Those packages do not yield massive lintian Warnings, Errors:
libisoburn:
- Please link to a recent build log of the package https://launchpadlibrarian.net/564560287/buildlog_ubuntu-jammy-amd64.libisoburn_1.5.4-2_BUILDING.txt.gz
P: libisoburn source: maintainer-manual-page debian/local/libisoburn.3
P: libisoburn source: package-uses-old-debhelper-compat-version 12
P: libisoburn source: silent-on-rules-requiring-root [debian/control]
P: libisoburn source: trailing-whitespace debian/control (line 154)
- Lintian overrides are present
(https://salsa.debian.org/optical-media-team/libisoburn/-/blob/master/debian/libisoburn1.lintian-overrides),
but ok because there are only 2 spelling overrides (spelling-error-in-binary)
that are kept for compatibility with frontends.
libburn:
- Please link to a recent build log of the package https://launchpadlibrarian.net/564542502/buildlog_ubuntu-jammy-amd64.libburn_1.5.4-1_BUILDING.txt.gz
P: libburn source: package-uses-old-debhelper-compat-version 12
P: libburn source: silent-on-rules-requiring-root [debian/control]
- Lintian overrides are present
(https://salsa.debian.org/optical-media-team/libburn/-/blob/master/debian/libburn4.lintian-overrides),
but ok it is an exit-in-shared-library which is only an info.
libisofs:
- Please link to a recent build log of the package https://launchpadlibrarian.net/564542190/buildlog_ubuntu-jammy-amd64.libisofs_1.5.4-1_BUILDING.txt.gz
W: libisofs source: superfluous-file-pattern libtool.m4 [debian/copyright:143]
W: libisofs source: superfluous-file-pattern ltoptions.m4 [debian/copyright:147]
W: libisofs source: superfluous-file-pattern ltsugar.m4 [debian/copyright:17]
W: libisofs source: superfluous-file-pattern ltversion.m4 [debian/copyright:17]
W: libisofs source: superfluous-file-pattern lt~obsolete.m4 [debian/copyright:17]
P: libisofs source: package-uses-old-debhelper-compat-version 12
P: libisofs source: silent-on-rules-requiring-root [debian/control]
=> the warnings only link to entries in debian/copyright that
point to non-existing files in the package.
- Lintian overrides are not present
- Those packages do not rely on obsolete or about to be demoted packages.
- Those packages have no python2 or GTK2 dependencies
- Those packages will be installed by default, but do not ask debconf
questions higher than medium
- Packaging and build is easy, link to d/rules
libisoburn: https://salsa.debian.org/optical-media-team/libisoburn/-/blob/master/debian/rules
libburn: https://salsa.debian.org/optical-media-team/libburn/-/blob/master/debian/rules
libisofs: https://salsa.debian.org/optical-media-team/libisofs/-/blob/master/debian/rules
[UI standards]
- libisofs and libburn packages produce a binary package whose application is end-user facing and translation is not present.
- End-user applications without desktop file, not needed because those are very niche applications that most users won't ever use.
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them is at jigit (TODO)
- There are further dependencies that are not yet in main, the MIR
process for them is handled as part of this bug here since libburn and libisofs are part of the same upstream project.
[Standards compliance]
- Those packages correctly follow FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations
- Team is not yet, but will subscribe to the packages before promotion
- They do not use static builds
- They do not use vendored code
- The packages successfully built during the most recent test rebuild
libisoburn: https://launchpad.net/ubuntu/+archive/test-rebuild-20220317-jammy/+packages?field.name_filter=libisoburn&field.status_filter=published&field.series_filter=
libburn: https://launchpad.net/ubuntu/+archive/test-rebuild-20220317-jammy/+packages?field.name_filter=libburn&field.status_filter=published&field.series_filter=
libburn: https://launchpad.net/ubuntu/+archive/test-rebuild-20220317-jammy/+packages?field.name_filter=libisofs&field.status_filter=published&field.series_filter=
[Background information]
The Package descriptions explain the packages well
Upstream Name is libisoburn, libburn and libisofs respectively
Link to upstream project https://dev.lovelyhq.com/libburnia/web/wiki
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libburn/+bug/1977959/+subscriptions