[MIR] xdelta3
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
xdelta3 (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
MIR for xdelta3
This is a request to include the xdelta3 package in Ubuntu main.
See below for point-for-point discussion of the items listed at:
https:/
[Availability]
Ubuntu Zesty contains xdelta 3.0.11-dfsg-1 in universe.
[Rationale]
xdelta3 is required for the 'download delta' feature in snapd. This allows
users to save a considerable amount of bandwidth when downloading updates for
installed snap packages. The code has all landed in snapd behind a feature flag,
but cannot be turned on by default until xdelta3 is in main, so snapd can depend
on xdelta3.
[Security]
There was one CVE filed against xdelta3 that I could find:
http://
The xdelta3 package installs a single binary (/usr/bin/xdelta3) which is not
suid or sgid.
[Quality assurance]
- The xdelta3 package requires no configuration after installation.
- As far as I can tell, the package asks no debconf questions of any priority.
- There are 90 open issues in the upstream bugtracker:
https:/
- I've scanned the issue list, and while a few issues may impact Ubuntu users
using xdelta3, none of them seem serious enough to warrant exclusion from main
in my opinion (but what do I know - that's for someone else to determine).
- The debian bug tracker contains a security bug:
https:/
However this is fixed in the upstream release that's in zesty, and I can see a
distropatch in the version that's in Xenial (I'm assuming it's been fixed in
yakkety as well).
- The debian package is maintained by 'A Mennucc1', see:
https:/
- The xdelta3 package does not require any exotic hardware.
- I'm honestly not sure if the upstream test suite is run during the package
build. I see no explicit test runs in debian/rules, but there is a 'check'
make target, so perhaps that's invoked by default?
- The package contains a debian/watch file.
[UI Standards]
The xdelta3 package ships command line utilities, so I think it's exempt from
the requirements of this section.
[Dependencies]
The two dependencies of xdelta3 (libc6 and liblzma5) are both already in main.
[Standards Compliance]
Since xdelta3 is already in debian, I can only assume that it conforms to the
related standards.
[Maintenance]
I think xdelta3 is relatively stable software, and the debian maintenance seems
adequate to me to minimise the amount of work we need to do to keep this package
in main.
[Background Information]
The xdelta3 package description contains a basic useful description of the
purpose of the package. The motivation behind this MIR is described in the
'rationale' section of this bug report.
CVE References
Changed in xdelta3 (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Status changed to 'Confirmed' because the bug affects multiple users.