[MIR] speexdsp
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
speexdsp (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Availability]
The package speexdsp is already in Ubuntu universe.
The package speexdsp build for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https:/
The corresponding case in main as part of speex until Lunar and then split out.
[Rationale]
- The package speexdsp is required in Ubuntu main as a depends of roc-toolkit which we want to MIR as a new pipewire (optional) requirement
- The corresponding plugin will not be used by default in Ubuntu but we still want it available. We could split it to a new binary that would go to universe but then it would need to be manually installed and force us to carry a packaging delta over Debian.
- There is no other/better way to solve this that is already in main or
should go universe->main instead of this.
- The package speexdsp is required in Ubuntu main no later than Feb 29 due to the Noble Feature Freeze
[Security]
- No CVEs/security issues in this software in the past (there are 3 existing speex CVE for pre-source-split versions but none of those concern the code which was split into speexdsp)
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Packages does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
- The package works well right after install
- The package is maintained well in Debian/
no open bug downstream and a few minor ones upstream
- Ubuntu https:/
- Debian https:/
- Upstream's bug tracker, https:/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package does not run a test at build time because upstream doesn't provide any. Also it's an audio codec implementation so not something easily testable in CI.
- The package has a simple buildtest autopkgtest for the library but can't really be tested in CI for the same reason as build tests.
- Seexdsp is pulled in as a depends of roc-toolkit (MIR bug #2047150) and the codec will be tested also by the roc-toolkit and through pipewire integration (a section has been added to https:/
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer
- This package has no important lintian warnings
# lintian --pedantic speexdsp_
P: speexdsp source: silent-
P: speexdsp source: trailing-whitespace [debian/
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf questions
- Packaging and build is easy, link to debian/rules https:/
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be desktop-packages and I have their acknowledgement for that commitment
- The future owning team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built in the archive more recently than the last test rebuild
[Background information]
The Package description explains the package well
Upstream Name is speexdsp
Link to upstream project https:/
CVE References
description: | updated |
Changed in speexdsp (Ubuntu): | |
assignee: | nobody → Didier Roche-Tolomelli (didrocks) |
description: | updated |
tags: | added: sec-3546 |
I think you are aware that as there is no test and it’s not testable due to the fact that it’s audio file codec (even if one day, a framework for testing this seems to be something that is desirable), we need then some manual testing with every upload as a stop gap solution. Mind providing this? Then, I will review the MIR.