[Bug 2089690] Re: [MIR] rust-sequoia-sqv
Simon Johnsson
2089690 at bugs.launchpad.net
Tue Mar 17 16:06:59 UTC 2026
@paelzer Awesome, thanks Christian! I short-circuited a bit and assigned
myself as I most recently updated the MIR report.
https://bugs.launchpad.net/bugs/2089690
Title:
[MIR] rust-sequoia-sqv
Status in gnupg2 package in Ubuntu:
Incomplete
Status in rust-sequoia-sqv package in Ubuntu:
New
Bug description:
[Availability]
The package rust-sequoia-sqv is already in universe; it builds for all architectures.
Link to package https://launchpad.net/ubuntu/+source/rust-sequoia-sqv
[Rationale]
Sequoia is becoming the standard OpenPGP implementation in competing Linux
distributions such as RHEL.
For 26.04 and particularly 26.10 we want to use sqv in APT using APT's sqv
backend which landed in Debian earlier this year, and will be part of the
upcoming Debian stable release.
[Security]
- No CVEs/security issues in this software in the past
(to my awareness)
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Security has been kept in mind and common isolation/risk-mitigation
patterns are in place utilizing the following features:
- The program is written in a memory safe language
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
[Quality assurance - function/usage]
The package works well right after install
[Quality assurance - maintenance]
- The package rust-sequoia-sqv is maintained well in Debian/Ubuntu/Upstream and does
not have too many long-term or critical open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sequoia-sqv/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sequoia-sqv
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite at build time; if it fails,
it makes the build fail. Link to build log: TBD
- The package does not run an autopkgtest because, given the vendored
dependencies, it is not very useful. APT includes a full-featured test
suite testing the sqv code base across a whole bunch of corner cases,
though.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package:
https://launchpadlibrarian.net/851854368/buildlog_ubuntu-resolute-amd64.rust-sequoia-sqv_1.3.0-3ubuntu2~resolute1_BUILDING.txt.gz
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging is complex, but that is ok because it is a rust package with vendored dependencies.
The majority of the rules relate to the maintenance of the vendored dependencies,
which is a common case for rust packages in main.
[UI standards]
- Application is not end-user facing (does not need translation). It is only
intended as a CLI OpenPGP verification tool in scripts.
[Dependencies]
- No further depends or recommends dependencies that are not yet in main.
[Standards compliance]
- This package correctly follows FHS and Debian Policy.
[Maintenance/Owner]
- The owning team will be Ubuntu Foundations and I have their acknowledgement for
that commitment.
- The future owning team is not yet subscribed, but will subscribe to
the package before promotion.
- The team Ubuntu Foundations is aware of the implications of a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM).
- The team Ubuntu Foundations is aware of the implications of vendored code and (as
alerted by the security team) commits to provide updates and backports
to the security team for any affected vendored code for the lifetime
of the release (including ESM).
- This package uses vendored code, refreshing that code is outlined
in debian/README.source (in proposed merge).
- This package is rust based and vendors all non language-runtime
dependencies
- The package has been built within the last 3 months in a PPA
- Build link on launchpad: https://launchpad.net/~bamf0/+archive/ubuntu/rust-sequoia-sq-sqv-mir-lp2089690/+packages
[Background information]
- The Package description explains the package well
- Upstream Name is rust-sequoia-sqv
- Link to upstream project: https://gitlab.com/sequoia-pgp/sequoia-sqv
Foundations should probably make a case for replacing GnuPG with Sequoia in
"main", filing corresponding MIRs for the needed sequoia components.
The MIR team usually likes to see some kind of transition plan for how to get rid of
the older alternative (GPG) when a new one is introduced, or technical
solutions such as a package split, shipping only non-duplicate binary packages in
main even though the source packages of the two components might have
some overlap.
See https://github.com/canonical/ubuntu-mir/blob/main/vendoring/Rust.md for
vendoring Rust dependencies.