[Bug 2095582] Re: [MIR] libsass
James Page
2095582 at bugs.launchpad.net
Fri Feb 21 12:15:58 UTC 2025
I dug into the LTO for this package - it was fixed in a later package
update after impish:
```
libsass (3.6.5+20231221-1) experimental; urgency=high

  [ upstream ]
  * new development snapshot
    + fix most urgent issues in 2023;
      closes: bug#1051893, #1051894, #1051895;
      CVE-2022-26592 CVE-2022-43357 CVE-2022-43358

  [ Jonas Smedegaard ]
  * update copyright info: update coverage
  * set urgency=high due to security bugfixes
  * enable link-time optimization;
    closes: bug#1015519, thanks to Matthias Klose

 -- Jonas Smedegaard <dr at jones.dk>  Thu, 21 Dec 2023 19:57:09 +0100
```
so the package is in fact LTO enabled, despite being present in the
global lto-disabled-list package.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-26592
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-43357
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-43358
https://bugs.launchpad.net/bugs/2095582
Title:
[MIR] libsass
Status in libsass package in Ubuntu:
Incomplete
Bug description:
[Availability]
The package libsass is already in Ubuntu universe.
The package libsass builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/libsass
[Rationale]
The package libsass is required in Ubuntu main because Horizon has switched from Django-pyscss to libsass and its Python wrapper.
The package libsass will generally be useful for a large part of our user base.
The package libsass is a new runtime dependency of package OpenStack Horizon that we already support.
There is no other/better way to solve this that is already in main or should go universe->main instead of this.
The binary package libsass needs to be in main as it is a new dependency for OpenStack Horizon which is switching away from the previously used django_pyscss.
The package libsass-python is required in Ubuntu main no later than
February 20, 2025 due to feature freeze.
[Security]
Had 39 security issues in the past
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libsass
https://ubuntu.com/security/cves?q=libsass
https://security-tracker.debian.org/tracker/source-package/libsass
Based on the Debian bug tracker, it appears most CVEs have been
resolved aside from 1 categorized under “Open unimportant issues” and
3 under “Open issues” but fixed for Debian versions Trixie and Sid.
no `suid` or `sgid` binaries
no executables in `/sbin` and `/usr/sbin`
Package does not install services, timers or recurring jobs
Package does not open privileged ports (ports < 1024).
Package does not expose any external endpoints
Package does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
The package works well right after install
[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs (2 open as of Feb 3)
Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libsass/+bug
Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libsass
GitHub Issues: https://github.com/sass/libsass/issues
The package has important open bugs, listing them: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libsass
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953415
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988884
The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
The package does not run a test at build time. It is currently an ubuntu-openstack TODO to add. The upstream does contain a Makefile in the ‘test’ directory that can be invoked at build time.
The package runs an autopkgtest, and is currently passing on amd64,
arm64, armhf, i386, ppc64el, riscv64, and s390x architectures, link to
test logs:
https://launchpad.net/ubuntu/+source/libsass/3.6.5+20231221-3
The package does not have failing autopkgtests right now.
[Quality assurance - packaging]
debian/watch is present and works
debian/control defines a correct Maintainer field (Debian Sass team <pkg-sass-devel at lists.alioth.debian.org>)
This package does not yield massive lintian Warnings, Errors
Please link to a recent build log of the package: https://launchpadlibrarian.net/706597691/buildlog_ubuntu-noble-amd64.libsass_3.6.5+20231221-3_BUILDING.txt.gz
Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug - no output generated on either binary package
Lintian overrides are present, but ok because they relate to copyright/license files:
```
# License is in Reference field (see bug#786450)
missing-license-paragraph-in-dep5-copyright gpl-3\+ *
missing-license-text-in-dep5-copyright GPL-3\+ *
```
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies
The package will not be installed by default
Packaging and build is easy, link to debian/rules:
https://git.launchpad.net/ubuntu/+source/libsass/tree/debian/rules
[UI standards]
Application is not end-user facing (does not need translation)
[Dependencies]
No further depends or recommends dependencies that are not yet in main
[Standards compliance]
This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
The owning team will be ubuntu-openstack and I have their acknowledgement for that commitment.
The future owning team is already subscribed to the package.
This package generates a static file libsass.a. The team
ubuntu-openstack is aware of the implications of a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM)
This does not use vendored code
This package is not rust based
This package has not been built in the last 3 months. The last build was December 30, 2023.
Build link on launchpad: https://launchpad.net/ubuntu/+source/libsass/3.6.5+20231221-3
[Background information]
The Package description explains the package well
Upstream Name is libsass
Link to upstream project: https://github.com/sass/libsass
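The [Security] checklist items (no suid/sgid binaries, nothing executable under /sbin or /usr/sbin, no services, timers or recurring jobs) and the LTO question raised in the reply can both be verified mechanically instead of by reading the bug. The script below is an added example; it is not code from the bug report, from Ubuntu's MIR tooling or from the libsass project. It audits a `dpkg -L` style file list resolved under a root directory, checks a build log for `-flto` on every compiler invocation, and looks for GCC LTO sections in a static archive. The package tree, the file list, the build-log lines and the `sassd` binary it constructs are made up for the demonstration; the function names and paths are assumptions, and a real run would feed it the output of `dpkg -L` for the libsass binary packages and the Launchpad build log linked above.

```shell
#!/bin/sh
# Added example (not from the bug report, Ubuntu's MIR tooling or libsass):
# mechanical checks for the [Security] items and the LTO question above.
# Every path, package name and log line below is constructed for the demo.

# mir_file_audit ROOT FILELIST
# FILELIST holds one installed path per line (the shape of `dpkg -L pkg`),
# ROOT is the directory those paths are resolved under ("/" on a real
# system, a temp dir here). One finding per line on stdout; silent = clean.
mir_file_audit() {
    root=$1; list=$2
    while IFS= read -r p; do
        f="$root$p"
        [ -f "$f" ] || continue                 # directories and absent entries
        case "$p" in
            /sbin/*|/usr/sbin/*)
                [ -x "$f" ] && echo "sbin-executable $p" ;;
            /lib/systemd/system/*|/usr/lib/systemd/system/*|/etc/systemd/system/*)
                echo "systemd-unit $p" ;;        # services and timers
            /etc/cron.*/*)
                echo "cron-job $p" ;;            # recurring jobs
        esac
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "suid-or-sgid $p"
        fi
    done < "$list"
}

# lto_in_buildlog LOG
# Succeeds only if every compiler invocation in the build log carries -flto
# (the Ubuntu default flags are -flto=auto -ffat-lto-objects unless the
# source is on lto-disabled-list or opts out itself).
lto_in_buildlog() {
    log=$1
    pattern='^(cc|gcc|g[+][+]|c[+][+]|clang|clang[+][+])( |$)'
    total=$(grep -cE "$pattern" "$log" || true)
    [ "${total:-0}" -gt 0 ] || return 1        # no compiles seen: cannot claim LTO
    with=$(grep -E "$pattern" "$log" | grep -c -- '-flto' || true)
    [ "${with:-0}" -eq "$total" ]
}

# archive_has_lto ARCHIVE.a
# GCC LTO objects carry .gnu.lto_* sections; with -ffat-lto-objects they sit
# beside normal code, so this is a direct test of a shipped libsass.a.
# Needs binutils' readelf; returns 1 when it is missing or no member has them.
archive_has_lto() {
    readelf -SW "$1" 2>/dev/null | grep -q '\.gnu\.lto_'
}

# demo_setup: constructed package tree plus two build logs; prints the dir.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib/x86_64-linux-gnu" "$d/usr/include/sass" "$d/usr/sbin"
    : > "$d/usr/lib/x86_64-linux-gnu/libsass.a"      # the static archive noted above
    : > "$d/usr/include/sass/context.h"
    : > "$d/usr/sbin/sassd"                           # invented bad case: a suid helper
    chmod 4755 "$d/usr/sbin/sassd"
    printf '%s\n' /usr /usr/lib/x86_64-linux-gnu/libsass.a \
        /usr/include/sass/context.h /usr/sbin/sassd > "$d/files.txt"
    cflags='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security'
    lto='-flto=auto -ffat-lto-objects'
    {
        echo 'dh_auto_build'
        echo "g++ $cflags $lto -c ast.cpp -o ast.o"
        echo "g++ $cflags $lto -c context.cpp -o context.o"
        echo 'ar rcs libsass.a ast.o context.o'
    } > "$d/lto.log"
    {
        echo 'dh_auto_build'
        echo "g++ $cflags -c ast.cpp -o ast.o"          # one unit built without LTO
        echo "g++ $cflags $lto -c context.cpp -o context.o"
    } > "$d/mixed.log"
    echo "$d"
}

demo=$(demo_setup)
echo "== file audit of the constructed tree =="
mir_file_audit "$demo" "$demo/files.txt"
for log in lto mixed; do
    if lto_in_buildlog "$demo/$log.log"; then echo "$log.log: every compile uses -flto"
    else echo "$log.log: at least one compile lacks -flto"; fi
done
rm -rf "$demo"
```

On a real system run `mir_file_audit / <(dpkg -L libsass1)` style input for each binary package (or save the list to a file first under plain sh) and point `lto_in_buildlog` at the downloaded Launchpad build log. Treat the build log as the authoritative LTO signal: `strip` can remove `.gnu.lto_` sections from a fat object, so a negative from `archive_has_lto` on the shipped `.a` does not by itself prove the build was done without `-flto`.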