[Bug 2131216] Re: [MIR] libfyaml
Alessandro Astone
2131216 at bugs.launchpad.net
Tue Dec 2 09:03:59 UTC 2025
** Description changed:
[Availability]
The package libfyaml is already in Ubuntu universe.
The package libfyaml builds for the architectures it is designed to work on.
It currently builds and works for architectures:
amd64 amd64v3 arm64 armhf ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/libfyaml
[Rationale]
- The package libfyaml is required in Ubuntu main as a new library for
parsing YAML
- The package libfyaml will not generally be useful for a large part of
our user base, but is important/helpful still because it is a library linked
by other projects
- Package libfyaml covers the same use case as libyaml, but is better because:
- It provides a better C API
- It is better maintained
- It has faster parsing speed than libyaml
- It is YAML 1.2 compliant while libyaml is not
- This helps a lot with making the code more secure and deterministic
- This means that libfyaml is also a powerful JSON parser, which is now
a subset of YAML 1.2
- It provides a zero-copy API which significantly reduces the memory used
while parsing and generating YAML.
- This helps when libfyaml is used by appstream to parse very large YAML
files like the AppStream data used to populate deb software stores like
GNOME Software, Plasma Discover (and possibly the Ubuntu App Center in
the future)
- - The package libfyaml is a new runtime dependency of package
- libappstream-compose0 that we already support
+ - The package libfyaml is a new runtime dependency of packages libappstream5
+ and libappstream-compose0 that we already support
- Some other projects are already considering porting over to libfyaml:
- https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2078759/comments/36
- We cannot fully replace libyaml because it still has too many users that would
need to be ported, so both libraries would need to exist in main for a while
- There is no other/better way to solve this that is already in main or
should go universe->main instead of this.
- Porting all users of libyaml to libfyaml is a massive undertaking and
risks introducing issues if not done by the respective upstreams.
- Porting appstream back from libfyaml to libyaml is an equally large
undertaking, as the changes are large and the project has already started
using the new features of the libfyaml API.
- Freezing appstream to an older version that still uses libyaml is not
ideal. That would mean potentially freezing it forever.
- This is the first time the package will be in main
- The binary packages libfyaml0 needs to be in main to satisfy a dependency
- from libappstream-compose0
+ from libappstream5 and libappstream-compose0
- All other binary packages built by libfyaml should remain in universe
- The package libfyaml is required in Ubuntu main no later than Feb 19
- due to Resolut Raccoon feature freeze.
+ due to Resolute Raccoon feature freeze.
[Security]
- No CVEs in this software in the past
- Some reported and addressed memory corruption issues:
- https://github.com/pantoniou/libfyaml/issues/122
- https://github.com/pantoniou/libfyaml/issues/123
- https://github.com/pantoniou/libfyaml/issues/118
- https://github.com/pantoniou/libfyaml/issues/120
- https://github.com/pantoniou/libfyaml/issues/121
- https://github.com/pantoniou/libfyaml/issues/119
- https://github.com/pantoniou/libfyaml/issues/101
- https://github.com/pantoniou/libfyaml/issues/57
- https://github.com/pantoniou/libfyaml/issues/56
- Some reported and to-date unaddressed memory corruption issues:
- https://github.com/pantoniou/libfyaml/issues/134
- https://github.com/pantoniou/libfyaml/issues/135
- https://github.com/pantoniou/libfyaml/issues/132
- https://github.com/pantoniou/libfyaml/issues/138
- https://github.com/pantoniou/libfyaml/issues/133
- https://github.com/pantoniou/libfyaml/issues/128
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libfyaml/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libfyaml
- Upstream's bug tracker: https://github.com/pantoniou/libfyaml/issues
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, https://launchpadlibrarian.net/827289425/buildlog_ubuntu-resolute-amd64.libfyaml_0.9-2_BUILDING.txt.gz
- The package does not run an autopkgtest because upstream does not provide
an installed-tests testsuite; but one could be implemented downstream.
- The libyaml0 package is also tested by the appstream package at build-time:
see "as-test_yaml" at https://launchpadlibrarian.net/827477512/buildlog_ubuntu-resolute-amd64.appstream_1.1.1-1_BUILDING.txt.gz
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- https://launchpadlibrarian.net/827289425/buildlog_ubuntu-resolute-amd64.libfyaml_0.9-2_BUILDING.txt.gz
- lintian --pedantic: https://bugs.launchpad.net/ubuntu/+source/libfyaml/+bug/2131216/comments/2
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy,
https://salsa.debian.org/jlblancoc/libfyaml-gbp/-/blob/master/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- Used check-mir from ubuntu-dev-tools to validate
all dependencies or recommends are in main.
[Standards compliance]
- This package correctly follows FHS and Debian Policy
- libfyaml0/libfyaml-dev contain some GPL-2 symbols, despite the library
being MIT-licensed.
That implies that users of the library may be inadvertently violating the
GPL license.
All GPL-2 symbols were stripped in git master already, and I have asked the
maintainer to provide a new tagged release in reasonable time for 26.04
- The maintainer tells me a new release is planned by the end of year
+ The maintainer tells me a new release is planned by the end of year
[Maintenance/Owner]
- I suggest the owning team to be debcrafters
- The future owning team is not yet subscribed, but will subscribe to
the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/libfyaml/0.9-2
- This change will not impact other teams
[Background information]
- The Package description explains the package well
- Upstream Name is libfyaml
- Link to upstream project https://github.com/pantoniou/libfyaml