[Bug 2004523] Re: [MIR] libwebm (transitive dependency of libheif)[libheif -> aom -> libwebm]

Christian Ehrhardt  2004523 at bugs.launchpad.net
Fri Apr 19 05:49:33 UTC 2024


Slight change here - this isn't needed for libaom3.

Due to the good use of non-embedded libs we now have correct dependency tracking.
That shows that only aom-tools would need it, which isn't pulled in from libheif.

We could promote it, but if you want that you'd need to seed aom-tools
(if it is serving a good purpose) in one of the -supported seeds I
guess.

A bit more detail in
https://bugs.launchpad.net/ubuntu/+source/libheif/+bug/1827442/comments/55

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libwebm in Ubuntu.
https://bugs.launchpad.net/bugs/2004523

Title:
  [MIR] libwebm (transitive dependency of libheif)[libheif -> aom ->
  libwebm]

Status in libwebm package in Ubuntu:
  Fix Committed
Status in libwebm package in Debian:
  Fix Released

Bug description:
  [Availability]

  - The package libwebm is already in Ubuntu universe.
  - The package libwebm does not build for the architectures
    it is designed to work on.
  - It currently builds and works for architectures:
    amd64 arm64 armhf i386 ppc64el riscv64
    It currently fails build unit tests for: s390x
    https://launchpadlibrarian.net/635116394/buildlog_ubuntu-lunar-s390x.libwebm_1.0.0.29-1_BUILDING.txt.gz

    Link to package https://launchpad.net/ubuntu/+source/libwebm/

  
  [Rationale]

  - The package libwebm will not generally be useful for a large part of
    our user base, but is important/helpful still because it is vendored
    in aom package that we intend to support as a dependency of libheif.
  - It would be great and useful to community/processes to have the
    package libwebm in Ubuntu main, but there is no definitive deadline.

  [Security]

  - Had 6 security issues in the past
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9746
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6548
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6406
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19212
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2464
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1621
    No CVEs open against current version (1.0.0.29-1).
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Package does not open privileged ports (ports < 1024)
  - Package does contain extensions to security-sensitive software:
    the package provides WebM parser which processes untrusted input

  [Quality assurance - function/usage]

  - The package works well right after install

  [Quality assurance - maintenance]

  - The package is maintained well in Debian/Ubuntu and has not too many
    and long term critical bugs open
      - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libwebm/+bug
      - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libwebm

  [Quality assurance - testing]

  - The package runs a test suite on build time, if it fails
    it makes the build fail, link to build log
    https://launchpadlibrarian.net/635116394/buildlog_ubuntu-lunar-s390x.libwebm_1.0.0.29-1_BUILDING.txt.gz

  - The package does not run an autopkgtest because it is not
  implemented

  [Quality assurance - packaging]

  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
  - Please link to a recent build log of the package
      https://launchpadlibrarian.net/635115306/buildlog_ubuntu-lunar-amd64.libwebm_1.0.0.29-1_BUILDING.txt.gz
  - Please attach the full output you have got from
    `lintian --pedantic` as an extra post to this bug.
  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will not be installed by default

  - Packaging and build is easy, link to d/rules:
    https://git.launchpad.net/ubuntu/+source/libwebm/tree/debian/rules
    Note: currently rules list individual test suites to run. Finding them
    by a file name suffix will reduce maintenance effort.

  [UI standards]

  - Application is not end-user facing (does not need translation)
  - End-user applications without desktop file, not needed because it does not
    provide GUI

  [Dependencies]

  - No further depends or recommends dependencies that are not yet in main
    Note: build time dependencies on libgmock-dev and libgtest-dev are present.

  [Standards compliance]

  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]

  - Owning Team will be Foundations Team
  - Team is not yet, but will subscribe to the package before promotion

  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based
  - The package failed to build during the most recent test rebuild:
    https://launchpadlibrarian.net/644058422/buildlog_ubuntu-lunar-s390x.libwebm_1.0.0.29-1_BUILDING.txt.gz

  [Background information]

  The Package description explains the package well
  Upstream Name is libwebm
  Link to upstream project https://chromium.googlesource.com/webm/libwebm
