[Bug 1827442] Re: [MIR] libheif
Christian Ehrhardt
1827442 at bugs.launchpad.net
Fri Apr 19 05:49:10 UTC 2024
Thanks for the updates Lukas
Ok, so the stack around libheif seems to complete just in time.
To summarize the situation:
- MIR-wise all the dependencies are good to go now (libheif 1827442, libde265 2004449, aom 2004442, libyuv 2004516, libwebm 2004523)
- The related FFE (2061090) was granted
- The upload to pull it in happened [1]
- We are in freeze, but it was accepted by bdmurray 6h ago
- It built on all arches, per excuses only the mismatches hold it back
- We see it in component mismatches [2]
Slight twist here: libyuv (2004516) and libwebm (2004523) are not needed atm.
They were considered transitive dependencies, and as part of the MIR the embedded code was stripped so that the system libs are used instead. See "0002-use-system-libyuv.patch" and "0003-use-system-libwebm.patch" [4].
But due to that we now have proper dependency tracking, and it turns out that this is only needed for aom-tools, which isn't depended on - the usage of libaom3 from heif does not require those two.
We could promote it, but if you want that you'd need to seed aom-tools
in one of the -supported seeds I guess.
Therefore it all seems in place including the release team moving it
forward despite the freeze which implies this should move (in these days
we do not want to unintentionally affect the RC) and can thereby be
promoted.
[1]: https://launchpad.net/ubuntu/+source/gnome-control-center/1:46.0.1-1ubuntu6
[2]: https://ubuntu-archive-team.ubuntu.com/component-mismatches-proposed.svg
[3]: https://launchpadlibrarian.net/722275883/buildlog_ubuntu-noble-amd64.aom_3.8.2-2build1_BUILDING.txt.gz
[4]: https://launchpadlibrarian.net/722275883/buildlog_ubuntu-noble-amd64.aom_3.8.2-2build1_BUILDING.txt.gz
https://bugs.launchpad.net/bugs/1827442
Title:
[MIR] libheif
Status in aom package in Ubuntu: Invalid
Status in dav1d package in Ubuntu: Invalid
Status in libde265 package in Ubuntu: Invalid
Status in libheif package in Ubuntu: Fix Committed
Status in x265 package in Ubuntu: Invalid
Bug description:
[Availability]
The package libheif is already in ubuntu/universe.
The package libheif builds for the architectures it is designed to work on.
It currently builds and works for architectures:
amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package: https://launchpad.net/ubuntu/+source/libheif
[Rationale]
- The package libheif is required in Ubuntu main for decoding
ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
- The package libheif will not generally be useful for a large part of our user
base, but is important/helpful still because no other package in main supports
decoding of ISO/IEC 23008-12:2017 HEIF files.
- The package libheif is a runtime dependency of package libgd2 that we already
support.
- It would be great and useful to community/processes to have the package
libheif in Ubuntu main, but there is no definitive deadline.
[Security]
- libheif had 4 security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
The github issue: https://github.com/strukturag/libheif/issues/207 is open,
though developer comments that it was fixed in 1.7.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
Fixed in 1.5.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
Fixed in 1.5.0.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
Fixed in 1.5.0.
The vulnerable versions are libheif < 1.7.0; the current version is 1.14.2.
Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
bionic. Jammy and up have no known vulnerabilities.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software:
the package provides HEIF image plugin which processes untrusted input
[Quality assurance – function/usage]
- The package does not work well right after install. There is a bug filed in
debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
1.14.2 contains a significant regression: HEIC cannot be read using Viewnior.
- Basic test cases pass:
apt install imagemagick
wget https://filesamples.com/samples/image/heif/sample1.heif
convert -verbose sample1.heif test.gif
wget https://filesamples.com/samples/image/heic/sample1.heic
convert -verbose sample1.heic test1.gif
Notice that libgd2 HEIF support is disabled.
- Compiling a sample that tries to save a HEIF file produces the following output:
"GD Warning: HEIF image support has been disabled"
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
- The package has important open bugs, listing them:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
Confirm CVE-2020-23109 fix
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
1.14.2 contains a significant regression: HEIC cannot be read using the
Viewnior package [confirmed in lunar].
Downgrading to 1.13.0-1 solves the issue.
- The package does not deal with exotic hardware we cannot support
[Quality assurance – testing]
- The package does not run a test at build time because no unit tests are
present in the repository upstream:
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
https://github.com/strukturag/libheif
- The package does not run an autopkgtest because no autopackage tests are
present.
Note: upstream contains a CI script that can be adapted for autopkgtests:
https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh
This section is not complete, as the test plan/approach for developing
autopkgtests needs to be discussed.
TODO: - The package can not be tested at build or autopktest time because TBD
TODO: to make up for that here TBD is a test plan/automation and example
TODO: test TBD (logs/scripts)
[Quality assurance - packaging]
- debian/watch is present and works, BUT a get-orig-head target is also present
in debian/rules that produces a different result.
There is no specific documentation on which method to use.
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
https://udd.debian.org/lintian/?packages=libheif
- Please link to a recent build log of the package
https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an
extra post to this bug.
- Lintian overrides are not present
- This package relies on obsolete or about to be demoted packages
see https://udd.debian.org/lintian/?packages=libheif, consider using
libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules:
https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because application
does not provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
is at:
- aom: LP: #2004442
- dav1d: LP: #2004446
- libde265: LP: #2004449
- x265: LP: #2004453
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations team
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The Package description explains the package well
Upstream Name is libheif
Link to upstream project https://github.com/strukturag/libheif/