[MIR] brotli
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
brotli (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
Availability
============
Built for all supported architectures. In sync with Debian.
Rationale
=========
brotli is a file compression format and library developed and maintained by Google. brotli is required by the WOFF 2.0 format for compressed web fonts. brotli and woff2 are libraries that are technically already in main because they are bundled in Firefox and webkit2gtk.
The next major stable release of webkit2gtk, 2.20, will be released in March. It drops those 2 bundled libraries. I think our options are basically:
1) Bundle those libraries anyway, or
2) Approve this MIR, or
3) Drop support for the WOFF2 format in webkit2gtk
Security
========
brotli is a security-sensitive library.
There was one security bug fixed recently for xenial (LP: #1737364)
https:/
https:/
Quality assurance
=================
- Ubuntu Desktop Bugs is subscribed.
- dh_auto_test runs upstream build tests. Test failure would fail the build.
- New autopkgtests pass on all arches:
http://
https:/
https:/
https:/
https:/
Dependencies
============
No universe binary dependencies
Standards compliance
====================
4.1.1, debhelper compat 10, dh7 simple rules
Maintenance
===========
Actively maintained:
https:/
Not team maintained in Debian.
https:/
Other Info
==========
webkit2gtk is managed similarly to Firefox and Chromium. So far, new releases are pushed to Ubuntu 16.04 LTS and newer as security updates, but the Ubuntu Security Team does not guarantee security support for webkit2gtk.
The woff2 MIR is LP: #1742743
We are going to need to backport brotli and woff2 into main as security updates for 16.04 LTS and 17.10. The new version of brotli adds new binary packages (in particular, the C library needed by woff2 and webkit2gtk).
brotli has no reverse dependencies in 16.04 and 17.10. (fonttools is a reverse-dependency in 18.04.)
brotli has a bizarre build system.
description: updated
tags: added: bionic
Changed in brotli (Ubuntu):
assignee: Canonical Security Team (canonical-security) → Ubuntu Security Team (ubuntu-security)
Changed in brotli (Ubuntu):
status: Incomplete → Fix Committed
* you need to subscribe desktop-packages
* debian/copyright references a directory that doesn't exist:
Files: appveyor/*
* not a big fan of debian/rules either with the 2 build pass, but it seems there isn't any alternative
Otherwise, the rest looks good to me.
I'm deferring for a security review to the security team.