[Bug 2089690] Re: [MIR] rust-sequoia-sqv

Myles Penner 2089690 at bugs.launchpad.net
Tue Mar 24 14:52:15 UTC 2026


** Changed in: rust-sequoia-sqv (Ubuntu)
     Assignee: Myles Penner (mylesjp) => (unassigned)

** Changed in: rust-sequoia-sqv (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Changed in: rust-sequoia-sqv (Ubuntu)
       Status: In Progress => New

https://bugs.launchpad.net/bugs/2089690

Title:
  [MIR] rust-sequoia-sqv

Status in gnupg2 package in Ubuntu:
  Incomplete
Status in rust-sequoia-sqv package in Ubuntu:
  New

Bug description:
  [Availability]
  The package rust-sequoia-sqv is already in universe; it builds for all architectures.

  Link to package https://launchpad.net/ubuntu/+source/rust-sequoia-sqv

  [Rationale]
  Sequoia is becoming the standard OpenPGP implementation in competing Linux
  distributions such as RHEL.

  For 26.04 and particularly 26.10 we want to use sqv in APT using APT's sqv
  backend which landed in Debian earlier this year, and will be part of the
  upcoming Debian stable release.

  [Security]
  - No CVEs/security issues in this software in the past (to my awareness)

  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Security has been kept in mind and common isolation/risk-mitigation
    patterns are in place utilizing the following features:
    - The program is written in a memory safe language
  - Package does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints

  [Quality assurance - function/usage]
  The package works well right after install

  [Quality assurance - maintenance]
  - The package rust-sequoia-sqv is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sequoia-sqv/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sequoia-sqv
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]

  - The package runs a test suite at build time; if it fails,
    it makes the build fail. Link to build log: TBD

  - The package does not run an autopkgtest because, given the vendored
    dependencies, it is not super useful. APT includes a full-featured test
    suite testing the sqv code base across a whole bunch of corner cases,
    though.

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field

  - This package does not yield massive lintian Warnings, Errors
  - Please link to a recent build log of the package:
    https://launchpadlibrarian.net/851854368/buildlog_ubuntu-resolute-amd64.rust-sequoia-sqv_1.3.0-3ubuntu2~resolute1_BUILDING.txt.gz
  - Lintian overrides are not present

  - This package does not rely on obsolete or about-to-be-demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
    questions higher than medium

  - Packaging is complex, but that is ok because it is a Rust package with vendored dependencies.
    The majority of the rules relate to the maintenance of the vendored dependencies,
    which is a common case for Rust packages in main.

  [UI standards]
  - Application is not end-user facing (does not need translation). It is only
    intended as a CLI OpenPGP verification tool in scripts.

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main.

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy.

  [Maintenance/Owner]
  - The owning team will be Ubuntu Foundations and I have their acknowledgement for
    that commitment.
  - The future owning team is not yet subscribed, but will subscribe to
    the package before promotion.

  - The team Ubuntu Foundations is aware of the implications of a static build and
    commits to test no-change-rebuilds and to fix any issues found for the
    lifetime of the release (including ESM).

  - The team Ubuntu Foundations is aware of the implications of vendored code and (as
    alerted by the security team) commits to provide updates and backports
    to the security team for any affected vendored code for the lifetime
    of the release (including ESM).

  - This package uses vendored code, refreshing that code is outlined
    in debian/README.source (in proposed merge).

  - This package is Rust-based and vendors all non-language-runtime
    dependencies.

  - The package has been built within the last 3 months in PPA
  - Build link on launchpad: https://launchpad.net/~bamf0/+archive/ubuntu/rust-sequoia-sq-sqv-mir-lp2089690/+packages

  [Background information]
  - The Package description explains the package well
  - Upstream Name is rust-sequoia-sqv
  - Link to upstream project: https://gitlab.com/sequoia-pgp/sequoia-sqv

  Foundations should probably make a case for replacing GnuPG with Sequoia in
  "main", filing corresponding MIRs for the needed sequoia components.

  The MIR team usually likes to see some kind of transition plan for how to get rid of
  the older alternative (GPG) when a new one is introduced, or technical
  solutions, such as a package split to ship only binary packages in main that
  are non-duplicates, even though the source packages of two components might have
  some overlap.

  See https://github.com/canonical/ubuntu-mir/blob/main/vendoring/Rust.md for
  vendoring Rust dependencies.
