[MIR] woff2
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
webkit2gtk (Ubuntu) | Fix Released | Undecided | Unassigned |
woff2 (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Availability
============
Built for all supported architectures. In sync with Debian.
Rationale
=========
woff2 is a library maintained by Google to convert fonts from TTF to the woff2 format and decompress from woff2 to TTF. The WOFF 2.0 format uses the Brotli compression algorithm to compress fonts suitable for use in CSS @font-face rules. WOFF 2.0 is a W3C Candidate Recommendation. See the brotli MIR at LP: #1737053.
brotli and woff2 are libraries that are technically already in main because they are bundled in Firefox and webkit2gtk.
The next major stable release of webkit2gtk, 2.20, will be released in March. It drops those 2 bundled libraries. I think our options are basically:
1) Bundle those libraries anyway, or
2) Approve this MIR, or
3) Drop support for the WOFF2 format in webkit2gtk
Security
========
I assume we want a security review here.
https:/
https:/
Quality assurance
=================
- Ubuntu Desktop Bugs is subscribed.
- No test suite
- No autopkgtests
https:/
https:/
https:/
Dependencies
============
Only universe binary dependency is brotli (LP: #1737053)
Standards compliance
====================
4.1.2, debhelper compat 10, dh7 simple rules
Maintenance
===========
Actively maintained:
https:/
Maintained by the Debian Fonts Team in Debian. It's a small team so it may need co-maintenance help from the Ubuntu Desktop team.
Other Info
==========
woff2 was only packaged in Debian and Ubuntu very recently.
webkit2gtk is managed similarly to Firefox and Chromium. So far, new releases are pushed to Ubuntu 16.04 LTS and newer as security updates, but the Ubuntu Security Team does not guarantee security support for webkit2gtk.
We are going to need to backport brotli and woff2 into main as security updates for 16.04 LTS and 17.10.
Packaging is at
https:/
tags: added: bionic
description: updated
description: updated
Changed in woff2 (Ubuntu): assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in woff2 (Ubuntu): status: New → Fix Committed
Changed in woff2 (Ubuntu): status: Fix Committed → New
Changed in webkit2gtk (Ubuntu): status: New → Fix Committed
* you need to subscribe desktop-packages
* debian/copyright mentions the licence is Expat where it's distributed under the MIT license in the header (even if the LICENSE file is Expat). Probably something you should get clarified…
* I think dh_install --fail-missing is deprecated and you should use dh_missing instead.
Otherwise, the rest looks good to me, once we get those license clarifications.
I'm deferring for a security review to the security team.