[Bug 2093868] Re: [MIR] nlohmann-json3
Chris Halse Rogers
2093868 at bugs.launchpad.net
Wed Mar 19 02:54:24 UTC 2025
Override component to main
nlohmann-json3 3.11.3-2 in plucky: universe/misc -> main
nlohmann-json3-dev 3.11.3-2 in plucky amd64: universe/libdevel/optional/100% -> main
nlohmann-json3-dev 3.11.3-2 in plucky arm64: universe/libdevel/optional/100% -> main
nlohmann-json3-dev 3.11.3-2 in plucky armhf: universe/libdevel/optional/100% -> main
nlohmann-json3-dev 3.11.3-2 in plucky i386: universe/libdevel/optional/100% -> main
nlohmann-json3-dev 3.11.3-2 in plucky ppc64el: universe/libdevel/optional/100% -> main
nlohmann-json3-dev 3.11.3-2 in plucky riscv64: universe/libdevel/optional/100% -> main
nlohmann-json3-dev 3.11.3-2 in plucky s390x: universe/libdevel/optional/100% -> main
Override [y|N]? y
8 publications overridden.
** Changed in: nlohmann-json3 (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nlohmann-json3 in Ubuntu.
https://bugs.launchpad.net/bugs/2093868
Title:
[MIR] nlohmann-json3
Status in nlohmann-json3 package in Ubuntu:
Fix Released
Bug description:
[Availability]
The package nlohmann-json3 is already in Ubuntu universe
The package nlohmann-json3 builds for the architectures it is designed to work on.
It currently builds and works for architectures: all
Link to package https://launchpad.net/ubuntu/+source/all
[Rationale]
- The package nlohmann-json3 is required in Ubuntu main as it is a
runtime dependency for libpisp, which is required in main as it is
a new runtime dependency for libcamera (LP: #2093321)
- The package nlohmann-json3 will generally be useful for a large part of
our user base as it is a popular C++ JSON library
- The package nlohmann-json3 is required in Ubuntu main no later than plucky
release, as this is a runtime dependency of libpisp which is blocking
migration for libcamera and camera support for the Raspberry Pi is a high
priority on the plucky roadmap.
[Security]
- I found the following entries in the MITRE DB:
- https://www.cve.org/CVERecord?id=CVE-2024-38525
- https://www.cve.org/CVERecord?id=CVE-2024-34363
- These are not CVEs within nlohmann-json, but in other products whose cause was a crash
due to an uncaught exception in nlohmann-json3
- There is another entry in Snyk: https://security.snyk.io/vuln/SNYK-UNMANAGED-NLOHMANNJSON-6387367
But this is an older nlohmann-json, and not nlohmann-json3
- Unfortunately, here is a list of CVEs https://github.com/nlohmann/json/issues?q=is%3Aissue+CVE+updated%3A2024-07-15
which are present in v3.11.3 but resolved in their develop branch
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does expose an external endpoint (Port 8443), it is used to serve the json.hpp
file over HTTPS, for services like online compilers and compiler explorer
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained in GitHub
- https://github.com/nlohmann/json/issues
- Any bugs reported after the last release (Nov 2023) have not been resolved
in v3.11.3 (whether they show up as open or closed on GitHub). This includes
some CVEs mentioned above.
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package does not run a test at build time
- The package runs an autopkgtest: https://autopkgtest.ubuntu.com/packages/nlohmann-json3
- The package does not have failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Recent buildlog:
https://launchpadlibrarian.net/703347075/buildlog_ubuntu-noble-amd64.nlohmann-json3_3.11.3-1_BUILDING.txt.gz
- $ lintian --pedantic
E: nlohmann-json3 changes: bad-distribution-in-changes-file unstable
W: nlohmann-json3-dev: debian-changelog-line-too-long [usr/share/doc/nlohmann-json3-dev/changelog.Debian.gz:4]
W: nlohmann-json3 source: superfluous-file-pattern tools/cpplint/* [debian/copyright:31]
W: nlohmann-json3 source: upstream-metadata-field-unknown Homepage [debian/upstream/metadata]
Need to assign the distribution (and then subsequently change the maintainer) and do some janitorial
cleanup
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy, link to debian/rules TBD
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further runtime dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team would be my team (Ubuntu Foundations - Architectures)
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in PPA
- Build link on launchpad: https://launchpadlibrarian.net/770251630/buildlog_ubuntu-plucky-amd64.nlohmann-json3_3.11.3-1_BUILDING.txt.gz
[Background information]
- The Package description explains the package well
- Upstream Name is nlohmann-json3
- Link to upstream project https://github.com/nlohmann/json
- This package is a runtime dependency for libpisp which is an MIR candidate
https://bugs.launchpad.net/ubuntu/+source/libpisp/+bug/2093321