[Bug 2139408] Re: [MIR] sudo-common

Christian Ehrhardt 2139408 at bugs.launchpad.net
Wed Feb 11 15:38:03 UTC 2026 

Thanks,

./change-override --component main --suite resolute --source-and-binary sudo-common
Override component to main
sudo-common 1.2ubuntu in resolute: universe/utils -> main
sudo-common 1.2ubuntu in resolute amd64: universe/utils/optional/100% -> main
sudo-common 1.2ubuntu in resolute amd64v3: universe/utils/optional/100% -> main
sudo-common 1.2ubuntu in resolute arm64: universe/utils/optional/100% -> main
sudo-common 1.2ubuntu in resolute armhf: universe/utils/optional/100% -> main
sudo-common 1.2ubuntu in resolute i386: universe/utils/optional/100% -> main
sudo-common 1.2ubuntu in resolute ppc64el: universe/utils/optional/100% -> main
sudo-common 1.2ubuntu in resolute riscv64: universe/utils/optional/100% -> main
sudo-common 1.2ubuntu in resolute s390x: universe/utils/optional/100% -> main
Override [y|N]? y
9 publications overridden.

** Changed in: sudo-common (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo-common in Ubuntu.
Matching subscriptions: sudo-common-bugs
https://bugs.launchpad.net/bugs/2139408

Title:
  [MIR] sudo-common

Status in sudo-common package in Ubuntu:
  Fix Released

Bug description:
  [Availability]
  The package sudo-common is already in Ubuntu universe.
  The package sudo-common builds for the architectures it is designed to work on.
  It currently builds and works for architectures: All, binary file is not
  produced by package, only configuration files are installed.
  Link to package https://launchpad.net/ubuntu/+source/sudo-common

  [Rationale]
  The package sudo-common is required in Ubuntu main for sudo and sudo-rs.
  The package sudo-common will not generally be useful for a large part of
  our user base, but is important/helpful still because it removes the dependency
  on sudo for sudo-rs, as the plan is to move sudo to Ubuntu universe by 26.10.

  The configuration files are identical to what has been distributed in
  the previous sudo versions.

  Additionally new use-cases enabled by this include providing configuration
  defaults in its /usr/share/sudo-common path that are shared between sudo and
  sudo-rs, thereby allowing misconfigured files to be restored without needing
  internet access to download them from the sudo package itself.

  There is no other/better way to solve this that is already in main or
  should go universe->main instead of this, because the other
  approach of shipping default configuration files in sudo-rs instead means
  maintaining them in two places and increases the risk of out of sync
  misconfiguration.

  This is the first time package will be in main

  The binary package sudo-common needs to be in main since it is a dependency
  of sudo-rs version 0.2.10-1ubuntu2 and sudo version 1.9.17p2-1ubuntu2, that
  are in main already.

  The package sudo-common is required in Ubuntu main no later than the
  the day before feature freeze of 26.04 (February 16th, 2026)
  to solve the current component mismatches of sudo and sudo-rs.

  [Security]
  No CVEs/security issues in this software in the past as it is configuration
  files only and no code. Security issues arise only in context of the packages
  using it (sudo and sudo-rs). Note: this package has not existed prior,
  but it supplies default configuration files for the Ubuntu system meaning
  that misconfigurations would have the potential of leading to security issues
  in sudo/sudo-rs.

  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Security has been kept in mind and common isolation/risk-mitigation
    patterns are in place utilizing the following features:
    * Package files exist only in /usr/share/sudo-common and
      /etc/* (configuration files only). /usr/share/sudo-common can be
      read by all users but only writable by root, and /etc/* is only readable
      and writable by root.
  - Packages does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints
  - Packages does not contain extensions to security-sensitive software

  [Quality assurance - function/usage]
  The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/sudo-common/+bug
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  The package does not run any test at build time because it contains no
  executable code, only configuration files.

  RULE:   - The package should, but is not required to, also contain
  RULE:     non-trivial autopkgtest(s).
  The package runs autopkgtests, and is currently passing on
  this TBD list of architectures: all, (see https://bugs.launchpad.net/ubuntu/+source/sudo-common/+bug/2139408/+attachment/5943372/+files/log)

  The package does have not failing autopkgtests right now.

  [Quality assurance - packaging]
  A mechanism to detect and fetch new upstream versions is not present
  because it is a native package.

  debian/control defines a correct Maintainer field

  RULE: - It is often useful to run `lintian --pedantic` on the package to spot
  RULE:   the most common packaging issues in advance
  RULE: - Non-obvious or non-properly commented lintian overrides should be
  RULE:   explained
  This package does not yield massive lintian Warnings, Errors

  https://launchpadlibrarian.net/845124858/buildlog_ubuntu-resolute-
  amd64.sudo-common_1.1ubuntu_BUILDING.txt.gz

  lintian --pedantic generates no output (OK).

  Lintian overrides are not present.

  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
    questions higher than medium

  - Packaging and build is easy, content of debian/rules:
  ```
  #!/usr/bin/make -f
  %:
   dh $@
  ```

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
   - Used check-mir from ubuntu-dev-tools to validate
     all dependencies or recommends are in main.

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - The owning team will be Foundations and I have their acknowledgment
    for that commitment.
  - The future owning team is not yet subscribed, but will subscribe to
    the package before promotion

  - This does not use static builds
  - This does not use vendored code

  - This package is not rust based

  - The package has been built within the last 3 months in the archive
  - Build link on launchpad:
    https://launchpad.net/ubuntu/+source/sudo-common/1.1ubuntu/+build/32198050
    Note: package is built on amd64 for "all" architectures as it contains only
    architecture independent configuration files.

  - This change will not impact other teams, unless something is significantly
    broken in which case Foundations team will take care of fixing it.

  [Background information]
  The Package description explains the package well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo-common/+bug/2139408/+subscriptions

More information about the foundations-bugs mailing list