[Bug 2095582] Re: [MIR] libsass

James Page 2095582 at bugs.launchpad.net
Fri Feb 21 12:27:03 UTC 2025


MIR updates - Required TODOs:

1. Clarify what happens with lto and fix appropriately - DONE
2. Add build time tests.

Dug into this a bit:

---

Testing
-------

Since LibSass is a pure library, tests are run through the [Sass-Spec](https://github.com/sass/sass-spec)
project using the [SassC](http://github.com/sass/sassc) CLI wrapper. To run the tests against LibSass while
developing, you can run `./script/spec`. This will clone SassC and Sass-Spec under the project folder and
then run the Sass-Spec test suite. You may want to update the clones to ensure you have the latest version.
Note that the scripts in the `./script` folder are mainly intended for our CI needs.

---

This requires some additional components (some of which but not all are
packaged) however it looks like they have moved forward and the use of
them for testing in libsass has not (I checked with tip of master
branch).

As such we don't really have a feasible build time test - however... we
have added autopkgtests to libsass-python which is the primary use case
for libsass1 in Ubuntu and that does have a test suite albeit a small
one which provides some useful quality signal.


** Changed in: libsass (Ubuntu)
       Status: Incomplete => New

** Changed in: libsass (Ubuntu)
     Assignee: James Page (james-page) => (unassigned)

https://bugs.launchpad.net/bugs/2095582

Title:
  [MIR] libsass

Status in libsass package in Ubuntu:
  New

Bug description:
  [Availability]
  The package libsass is already in Ubuntu universe.
  The package libsass builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/libsass

  [Rationale]
  The package libsass is required in Ubuntu main because Horizon has switched from Django-pyscss to libsass and its Python wrapper.
  The package libsass will generally be useful for a large part of our user base.
  The package libsass is a new runtime dependency of package OpenStack Horizon that we already support.
  There is no other/better way to solve this that is already in main or should go universe->main instead of this.
  The binary package libsass needs to be in main as it is a new dependency for OpenStack Horizon which is switching away from the previously used django_pyscss.

  The package libsass-python is required in Ubuntu main no later than
  February 20, 2025 due to feature freeze.

  [Security]
  Had 39 security issues in the past
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libsass
  https://ubuntu.com/security/cves?q=libsass
  https://security-tracker.debian.org/tracker/source-package/libsass

  Based on the Debian bug tracker, it appears most CVEs have been
  resolved aside from 1 categorized under “Open unimportant issues” and
  3 under “Open issues” but fixed for Debian versions Trixie and Sid.

  no `suid` or `sgid` binaries
  no executables in `/sbin` and `/usr/sbin`
  Package does not install services, timers or recurring jobs
  Package does not open privileged ports (ports < 1024).
  Package does not expose any external endpoints
  Package does not contain extensions to security-sensitive software

  [Quality assurance - function/usage]
  The package works well right after install

  [Quality assurance - maintenance]
  The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs (2 open as of Feb 3)
  Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libsass/+bug
  Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libsass
  GitHub Issues: https://github.com/sass/libsass/issues
  The package has important open bugs, listing them: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libsass
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953415
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988884

  The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  The package does not run a test at build time. It is currently an ubuntu-openstack TODO to add. The upstream does contain a Makefile in the ‘test’ directory that can be invoked at build time. 

  The package runs an autopkgtest, and is currently passing on amd64,
  arm64, armhf, i386, ppc64el, riscv64, and s390x architectures, link to
  test logs:
  https://launchpad.net/ubuntu/+source/libsass/3.6.5+20231221-3

  The package does not have failing autopkgtests right now.

  [Quality assurance - packaging]
  debian/watch is present and works
  debian/control defines a correct Maintainer field (Debian Sass team <pkg-sass-devel at lists.alioth.debian.org>)

  This package does not yield massive lintian Warnings, Errors
  Please link to a recent build log of the package: https://launchpadlibrarian.net/706597691/buildlog_ubuntu-noble-amd64.libsass_3.6.5+20231221-3_BUILDING.txt.gz
  Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug - no output generated on either binary package
  Lintian overrides are present, but ok because they relate to copyright/license files:
  ```
  # License is in Reference field (see bug#786450)
  missing-license-paragraph-in-dep5-copyright gpl-3\+ *
  missing-license-text-in-dep5-copyright GPL-3\+ *
  ```
  This package does not rely on obsolete or about to be demoted packages.
  This package has no python2 or GTK2 dependencies
  The package will not be installed by default

  Packaging and build is easy, link to debian/rules:
  https://git.launchpad.net/ubuntu/+source/libsass/tree/debian/rules

  [UI standards]
  Application is not end-user facing (does not need translation)

  [Dependencies]
  No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
  This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  The owning team will be ubuntu-openstack and I have their acknowledgement for that commitment.
  The future owning team is already subscribed to the package.

  This package generates a static file libsass.a. The team
  ubuntu-openstack is aware of the implications by a static build and
  commits to test no-change-rebuilds and to fix any issues found for the
  lifetime of the release (including ESM)

  This does not use vendored code
  This package is not rust based

  This package has not been built in the last 3 months. The last build was December 30, 2023.
  Build link on launchpad: https://launchpad.net/ubuntu/+source/libsass/3.6.5+20231221-3

  [Background information]
  The Package description explains the package well
  Upstream Name is libsass
  Link to upstream project: https://github.com/sass/libsass
