[Bug 2089690] Re: [MIR] rust-sequoia-sqv
Myles Penner
2089690 at bugs.launchpad.net
Tue Mar 24 15:10:32 UTC 2026
Review for Source Package: rust-sequoia-sqv
[Summary]
This is a well-packaged Rust binary (sqv) that serves as a single-purpose OpenPGP signature verification tool, intended to replace gpgv as APT's signature verification backend. The package follows standard Rust vendoring practices, has a reasonable Ubuntu delta, and has no significant packaging or upstream concerns, but does require a security review given its cryptographic nature.
This does need a security review due to the cryptography and signature verification functionality; I'll assign Ubuntu Security.
List of specific binary packages to be promoted to main: sqv
Specific binary packages built, but NOT to be promoted to main: sqv-dbgsym
(auto-generated, goes to ddebs.ubuntu.com)
Notes:
Recommended TODOs:
- The package should get a team bug subscriber before being promoted - Please subscribe Ubuntu Foundations before promotion
[Rationale, Duplication and Ownership]
- There is an existing package in main providing similar functionality: gpgv (GnuPG). However, sqv is intended as a replacement for gpgv as APT's signature verification backend, aligning with the broader ecosystem direction (Sequoia is becoming the standard OpenPGP implementation in RHEL and Debian). This is not unintentional duplication but a planned transition.
- A team is committed to own long term maintenance of this package - Ubuntu Foundations, not yet subscribed
The rationale given in the report seems valid and useful for Ubuntu
[Dependencies]
OK:
- no other runtime Dependencies to MIR due to this
- no other build-time Dependencies with active code in the final binaries
to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- vendoring is used, but the reasoning is sufficiently explained
- Rust package that has all dependencies vendored. It neither has
*Built-Using (after build), nor does the build log indicate
built-in sources that are missed to be reported as Built-Using.
- rust package using dh_cargo (dh ... --buildsystem cargo)
- Includes vendored code, the package has documented how to refresh this
code at d/README.source (in proposed merge)
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does parse data formats (OpenPGP signatures, certificates, keyrings)
from potentially untrusted sources, but is written in a memory-safe
language (Rust) and uses the well-maintained sequoia-openpgp library
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does deal with security attestation (signature verification)
- does deal with cryptography (OpenPGP signature verification,
certificate validation, cryptographic policy enforcement)
- written in a memory-safe language (Rust), runs unprivileged as a
stateless single-invocation CLI tool.
Problems: None, but this does need a security review given it deals with
cryptography and signature verification. Assigning ubuntu-security.
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build.
- This does not need special HW for build or test
- does not have a non-trivial test suite that runs as autopkgtest.
The MIR requester notes that with vendored dependencies autopkgtests
are of limited value, and that APT's own test suite extensively
exercises the sqv code path. This is a reasonable justification
given sqv is only used as a backend for APT signature verification.
- no new python2 dependency
Problems: None
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
control
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- debian/rules is rather clean for a rust package
- It is not on the lto-disabled list
Problems: None
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user 'nobody' outside of tests
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case
Problems: None
https://bugs.launchpad.net/bugs/2089690
Title:
[MIR] rust-sequoia-sqv
Status in gnupg2 package in Ubuntu:
Incomplete
Status in rust-sequoia-sqv package in Ubuntu:
New
Bug description:
[Availability]
The package rust-sequoia-sqv is already in universe; it builds for all architectures.
Link to package https://launchpad.net/ubuntu/+source/rust-sequoia-sqv
[Rationale]
Sequoia is becoming the standard OpenPGP implementation in competing Linux
distributions such as RHEL.
For 26.04 and particularly 26.10 we want to use sqv in APT using APT's sqv
backend which landed in Debian earlier this year, and will be part of the
upcoming Debian stable release.
[Security]
- No CVEs/security issues in this software in the past
(to my awareness)
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Security has been kept in mind and common isolation/risk-mitigation
patterns are in place utilizing the following features:
- The program is written in a memory safe language
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
[Quality assurance - function/usage]
The package works well right after install
[Quality assurance - maintenance]
- The package rust-sequoia-sqv is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sequoia-sqv/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sequoia-sqv
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite at build time; if it fails
it makes the build fail, link to build log TBD
- The package does not run an autopkgtest because given the vendored
dependencies it is not super useful. APT includes a full featured test
suite testing the sqv code base across a whole bunch of corner cases,
though.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package:
https://launchpadlibrarian.net/851854368/buildlog_ubuntu-resolute-amd64.rust-sequoia-sqv_1.3.0-3ubuntu2~resolute1_BUILDING.txt.gz
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging is complex, but that is ok because it is a rust package with vendored dependencies.
The majority of the rules relate to the maintenance of the vendored dependencies,
which is a common case for rust packages in main.
[UI standards]
- Application is not end-user facing (does not need translation). It is only
intended as a CLI OpenPGP verification tool in scripts.
[Dependencies]
- No further depends or recommends dependencies that are not yet in main.
[Standards compliance]
- This package correctly follows FHS and Debian Policy.
[Maintenance/Owner]
- The owning team will be Ubuntu Foundations and I have their acknowledgement for
that commitment.
- The future owning team is not yet subscribed, but will subscribe to
the package before promotion.
- The team Ubuntu Foundations is aware of the implications of a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM).
- The team Ubuntu Foundations is aware of the implications of vendored code and (as
alerted by the security team) commits to provide updates and backports
to the security team for any affected vendored code for the lifetime
of the release (including ESM).
- This package uses vendored code, refreshing that code is outlined
in debian/README.source (in proposed merge).
- This package is rust based and vendors all non language-runtime
dependencies
- The package has been built within the last 3 months in PPA
- Build link on launchpad: https://launchpad.net/~bamf0/+archive/ubuntu/rust-sequoia-sq-sqv-mir-lp2089690/+packages
[Background information]
- The Package description explains the package well
- Upstream Name is rust-sequoia-sqv
- Link to upstream project: https://gitlab.com/sequoia-pgp/sequoia-sqv
Foundations should probably make a case for replacing GnuPG with Sequoia in
"main", filing corresponding MIRs for the needed sequoia components.
MIR team usually likes to see some kind of transition plan, how to get rid of
the older alternative (GPG) when a new one is introduced. Or technical
solutions, such as a package split to ship only binary packages in main that
are non-duplicates, even though the source package of two components might have
some overlap.
See https://github.com/canonical/ubuntu-mir/blob/main/vendoring/Rust.md for
vendoring Rust dependencies.