[MIR] libmanette

Bug #1918446 reported by Sebastien Bacher
This bug affects 2 people
Affects: libmanette (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

* Availability

Built for all supported architectures. In sync with Debian.
https://launchpad.net/ubuntu/+source/libmanette/0.2.5-1

* Rationale

It's a new optional build-depends from webkitgtk. It's enabled in Debian and a useful feature to have activated in Ubuntu.

The binary needed in main is the library, libmanette-0.2-0. The dev and the gir binary are going to be promoted in addition.

* Security

No known security issues

https://security-tracker.debian.org/tracker/source-package/libmanette
https://launchpad.net/ubuntu/+source/libmanette/+cve
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libmanette

* Quality assurance

- The desktop-packages team is going to be subscribed

- No open reports
https://bugs.launchpad.net/ubuntu/+source/libmanette
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmanette
https://gitlab.gnome.org/aplazas/libmanette/-/issues

The tests are enabled during the build

1/3 ManetteEventMapping test OK 0.01s
2/3 ManetteMapping test OK 0.01s
3/3 ManetteMappingManager test OK 0.01s

There is currently no autopkgtest

* Dependencies

The dependencies are in main
 Depends: libc6 (>= 2.4), libevdev2 (>= 1.4.5), libglib2.0-0 (>= 2.50.0), libgudev-1.0-0 (>= 146)

* Standards compliance

Use current Standards-Version and dh13

* Maintenance

The Debian maintainer is active, the package is in sync, the Desktop Team is going to maintain it in Ubuntu

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libmanette (Ubuntu):
status: New → Confirmed
Changed in libmanette (Ubuntu):
status: Confirmed → New
Changed in libmanette (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Christian Ehrhardt  (paelzer) wrote :

[Summary]
MIR Team Ack to this small, useful and well maintained library.
This does not need a security review, so I'll mark it "In Progress".
Once the changes pulling this in are made please set it to "Fix Committed"
and get an Archive Admin involved to resolve the promotion.

List of specific binary packages to be promoted to main:
 - bin:libmanette-0.2-0
 - src:libmanette
Will also auto-promote (unless we opt-out):
 - bin:gir1.2-manette-0.2
 - bin:libmanette-0.2-dev

Required TODOs:
- decide and let us know if -dev pulling in gir1.2-manette-0.2 is ok
  for you.
- please fix d/watch

Recommended TODOs:
- make dh_missing failing as it enforces attention if anything gets missing
  by accident

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this

Problems:
The -dev package will be auto-promoted as well which isn't a big issue as
all external dependencies are in main already. But it would also pull in
   gir1.2-manette-0.2
You mentioned you didn't intend to promote that, please decide if
a) you explicitly do not want to promote gir1.2-manette-0.2, then create
   a rule in the seeds to prevent the auto-inclusion of the -dev package
b) you are ok with gir1.2-manette-0.2 to be promoted as well, then no
   further action is needed

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

Problems:
- does parse data formats - one could argue that it parses data sent from
  the game controllers. But TBH that alone isn't enough to make this require
  a security review (and I don't see anything else). The raw low level parsing
  is done by lower libs mostly anyway and one needs local access to make use
  of it. Also general quality seems good and no known (past) related CVEs
  exist. IMHO this can be completed without an additional security review.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest (slightly superficial but ok)
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- is not on the lto-disabled list

Problems:
- d/watch is present but currently dysfunctional - since you might miss updates
  fixing tha...


Changed in libmanette (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → nobody
status: New → In Progress
Sebastien Bacher (seb128) wrote :

@Christian thanks for the review! one question though

> Problems:
> - d/watch is present but currently dysfunctional - since you might miss updates
> fixing that should be done before promotion.

how is the watch dysfunctional? it's pointed to https://download.gnome.org/sources/libmanette which has the current 0.2.6 tarball which matches the current git tag, https://gitlab.gnome.org/GNOME/libmanette/-/tags.

the utility output seems correct

Newest version of libmanette on remote site is 0.2.6, local version is 0.2.6
             => Package is up to date from:
             => https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.6.tar.xz

Sebastien Bacher (seb128) wrote :

The dh_missing change is committed to the packaging vcs now

https://salsa.debian.org/gnome-team/libmanette/-/commits/debian/master/

Sebastien Bacher (seb128) wrote :

Having the gir1.2-manette-0.2 bindings promoted is fine, it's standard practice for the dev to depend on those and wanted there

description: updated
Christian Ehrhardt  (paelzer) wrote : Re: [Bug 1918446] Re: [MIR] libmanette

On Fri, May 7, 2021 at 8:55 PM Sebastien Bacher
<email address hidden> wrote:
>
> @Christian thanks for the review! one question though
>
> > Problems:
> > - d/watch is present but currently dysfunctional - since you might miss updates
> > fixing that should be done before promotion.
>
> how is the watch dysfunctional? it's pointed to
> https://download.gnome.org/sources/libmanette which has the current
> 0.2.6 tarball which matches the current git tag,
> https://gitlab.gnome.org/GNOME/libmanette/-/tags.

Hi,
well this is what I've got (and I didn't check further but thought to
bring it up)

$ pull-lp-source libmanette
Found libmanette 0.2.6-2 in impish
Good signature by Sebastien Bacher <email address hidden> (0x3EBD44903EDB0496)
Downloading libmanette_0.2.6.orig.tar.xz from archive.ubuntu.com (0.041 MiB)
Downloading libmanette_0.2.6-2.debian.tar.xz from archive.ubuntu.com (0.003 MiB)
dpkg-source: info: extracting libmanette in libmanette-0.2.6
dpkg-source: info: unpacking libmanette_0.2.6.orig.tar.xz
dpkg-source: info: unpacking libmanette_0.2.6-2.debian.tar.xz
[✓]─[paelzer@Keschdeichel /tmp]──[212527]──[07:17 Mo Mai 10]──
$ cd libmanette-0.2.6/
[✓]─[paelzer@Keschdeichel /tmp/libmanette-0.2.6]──[212528]──[07:17 Mo Mai 10]──
$ uscan --no-download
uscan warn: In debian/watch no matching files for watch line
  https://download.gnome.org/sources/libmanette/([0-9.]+)/
libmanette(?:[-_]?(\d[\-+\.:\~\da-zA-Z]*))\.tar\.xz

Since it seems to work for you I wonder if there is any
encoding/version issue happening.

I'm on the focal version of devscripts 2.20.2ubuntu2
Trying 2.21.1ubuntu1 in Impish ...

> the utility output seems correct

Christian Ehrhardt  (paelzer) wrote :

> I'm on the focal version of devscripts 2.20.2ubuntu2
> Trying 2.21.1ubuntu1 in Impish ...

Ok, that is it ...
I guess for the MIR we can keep it as is, still slightly sad that it
fails with the uscan of the latest LTS.
I mean it isn't a new format version that would only be supported in
the new one, just behavior of the same rules is different.

FYI

New uscan in impish

root@i:~/libmanette-0.2.6# uscan --no-download --verbose
uscan info: uscan (version 2.21.1ubuntu1) See uscan(1) for help
uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: package="libmanette" version="0.2.6-2" (as seen in debian/changelog)
uscan info: package="libmanette" version="0.2.6" (no epoch/revision)
uscan info: ./debian/changelog sets package="libmanette" version="0.2.6"
uscan info: Process watch file at: debian/watch
    package = libmanette
    version = 0.2.6
    pkg_dir = .
uscan info: Last orig.tar.* tarball version (from debian/changelog): 0.2.6
uscan info: Last orig.tar.* tarball version (dversionmangled): 0.2.6
uscan info: dir=>/sources/libmanette/ dirpattern=>([0-9.]+)
uscan info: Requesting URL:
   https://download.gnome.org/sources/libmanette/
uscan info: Matching pattern:

uscan info: Found the following matching directories (newest first):
   https://download.gnome.org/sources/libmanette/0.2/ (0.2)
   https://download.gnome.org/sources/libmanette/0.1/ (0.1)
uscan info: newest_dir => '0.2'
uscan info: Requesting URL:
   https://download.gnome.org/sources/libmanette/0.2/
uscan info: Matching pattern:
   (?:(?:https://download.gnome.org)?\/sources\/libmanette\/0\.2\/)?libmanette(?:[-_]?(\d[\-+\.:\~\da-zA-Z]*))\.tar\.xz
uscan info: Found the following matching hrefs on the web page (newest first):
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.6.tar.xz
(0.2.6) index=0.2.6-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.6.tar.xz
(0.2.6) index=0.2.6-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.5.tar.xz
(0.2.5) index=0.2.5-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.5.tar.xz
(0.2.5) index=0.2.5-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.4.tar.xz
(0.2.4) index=0.2.4-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.4.tar.xz
(0.2.4) index=0.2.4-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.3.tar.xz
(0.2.3) index=0.2.3-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.3.tar.xz
(0.2.3) index=0.2.3-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.2.tar.xz
(0.2.2) index=0.2.2-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.2.tar.xz
(0.2.2) index=0.2.2-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.1.tar.xz
(0.2.1) index=0.2.1-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.1.tar.xz
(0.2.1) index=0.2.1-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.0.tar.xz
(0.2.0) index=0.2.0-4
   https://download.gnome.org/sources/libmanette/0.2/libmanette-0.2.0.tar.xz
(0.2.0) index=0.2.0-4
uscan info: Looking at $base =
https://download...


Christian Ehrhardt  (paelzer) wrote :

On Fri, May 7, 2021 at 9:55 PM Sebastien Bacher
<email address hidden> wrote:
>
> The dh_missing change is committed to the packaging vcs now
>
> https://salsa.debian.org/gnome-team/libmanette/-/commits/debian/master/

Thanks that should be enough for that aspect.

Christian Ehrhardt  (paelzer) wrote :

On Fri, May 7, 2021 at 9:55 PM Sebastien Bacher
<email address hidden> wrote:
>
> Having the gir1.2-manette-0.2 bindings promoted is fine, it's standard
> practice for the dev to depend on those and wanted there

Ok, I know it is standard (hence the auto-include) but some teams and
some packages
are special cases and want to avoid encouraging the use of less
tested/popular other
libraries in the same package.

Thanks for the confirmation - no further work needed for libmanette in
that regard.

Christian Ehrhardt  (paelzer) wrote :

Thanks Sebastien, all tasks I've brought up are handled (some of my mail replies might appear here delayed, but we are complete).

I guess we are ready and you can make the change that will pull this into main.

Sebastien Bacher (seb128) wrote :

Thanks Christian! I've subscribed desktop-packages, should the bug be fix committed now? I will merge or sync webkitgtk in the next days which should pull it to main and I will promote once uploaded

Christian Ehrhardt  (paelzer) wrote :

On Mon, May 10, 2021 at 11:11 AM Sebastien Bacher
<email address hidden> wrote:
>
> Thanks Christian! I've subscribed desktop-packages, should the bug be
> fix committed now? I will merge or sync webkitgtk in the next days which
> should pull it to main and I will promote once uploaded

"In progress" until we can see it in component mismatches.
"Fix committed" then
and once promoted "Fix released"

Since you can promote it yourself it might be a direct jump to the
latter on that day.
See https://wiki.ubuntu.com/MainInclusionProcess?action=show&redirect=MIRTeam#Process_states

Christian Ehrhardt  (paelzer) wrote :

It is in component mismatches as of today.

Changed in libmanette (Ubuntu):
status: In Progress → Fix Committed
Didier Roche-Tolomelli (didrocks) wrote :

Override component to main
libmanette 0.2.6-2 in impish: universe/misc -> main
gir1.2-manette-0.2 0.2.6-2 in impish amd64: universe/introspection/optional/100% -> main
gir1.2-manette-0.2 0.2.6-2 in impish arm64: universe/introspection/optional/100% -> main
gir1.2-manette-0.2 0.2.6-2 in impish armhf: universe/introspection/optional/100% -> main
gir1.2-manette-0.2 0.2.6-2 in impish ppc64el: universe/introspection/optional/100% -> main
gir1.2-manette-0.2 0.2.6-2 in impish riscv64: universe/introspection/optional/100% -> main
gir1.2-manette-0.2 0.2.6-2 in impish s390x: universe/introspection/optional/100% -> main
libmanette-0.2-0 0.2.6-2 in impish amd64: universe/libs/optional/100% -> main
libmanette-0.2-0 0.2.6-2 in impish arm64: universe/libs/optional/100% -> main
libmanette-0.2-0 0.2.6-2 in impish armhf: universe/libs/optional/100% -> main
libmanette-0.2-0 0.2.6-2 in impish ppc64el: universe/libs/optional/100% -> main
libmanette-0.2-0 0.2.6-2 in impish riscv64: universe/libs/optional/100% -> main
libmanette-0.2-0 0.2.6-2 in impish s390x: universe/libs/optional/100% -> main
libmanette-0.2-dev 0.2.6-2 in impish amd64: universe/libdevel/optional/100% -> main
libmanette-0.2-dev 0.2.6-2 in impish arm64: universe/libdevel/optional/100% -> main
libmanette-0.2-dev 0.2.6-2 in impish armhf: universe/libdevel/optional/100% -> main
libmanette-0.2-dev 0.2.6-2 in impish ppc64el: universe/libdevel/optional/100% -> main
libmanette-0.2-dev 0.2.6-2 in impish riscv64: universe/libdevel/optional/100% -> main
libmanette-0.2-dev 0.2.6-2 in impish s390x: universe/libdevel/optional/100% -> main
Override [y|N]? y
19 publications overridden.

Changed in libmanette (Ubuntu):
status: Fix Committed → Fix Released