[Bug 2080872] Re: libgit2: replace unmaintained http-parser dependency with llhttp

Lukas Märdian 2080872 at bugs.launchpad.net
Tue Nov 19 10:45:31 UTC 2024


According to MIR rules, we need security team ACK to use embedded
llhttp:

"
[Embedded sources and static linking]
RULE: - Embedding a library source increases the maintenance burden of a package
RULE:   since that source needs to be maintained separately from the source in
RULE:   the Ubuntu archive. If a source embeds another package, in general the
RULE:   embedded package should not be used and the packaging should be modified
RULE:   to use the Ubuntu archive version. When this is not possible, the
RULE:   security team must agree to using the embedded source.
"

I'd like to request the security team's approval on this, so we can
switch to the native llhttp vendored in libgit2. Considering the weird
situation of libllhttp being shipped as part of node-undici, it might
be more reasonable to track libgit2 upstream, using the vendored
dependency. That is, at least until the bug from comment #3 is
resolved (i.e. having an isolated libllhttp package in the archive).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libgit2 in Ubuntu.
https://bugs.launchpad.net/bugs/2080872

Title:
  libgit2: replace unmaintained http-parser dependency with llhttp

Status in libgit2 package in Ubuntu:
  New
Status in node-undici package in Ubuntu:
  New

Bug description:
  http-parser has been deprecated [0] for llhttp [1] in libgit2.

  http-parser is unmaintained. There is nobody writing security patches
  for http-parser. It should be removed as a libgit2 dependency and then
  removed from the main archive.

  Note http-parser's MIR clause [2]:

    Security team propose a conditional ACK for promoting http-parser to main
    upon Foundations team's acknowledgment of their commitment in assisting with
    the development of security fixes, in the absence of upstream support, as
    well as their responsibility to ask for demoting the package in the future
    once a suitable alternative is identified and deemed feasible.

  [0] https://github.com/libgit2/libgit2/issues/6074
  [1] https://github.com/libgit2/libgit2/pull/6713
  [2] https://bugs.launchpad.net/ubuntu/+source/http-parser/+bug/1990655/comments/14
