Ubuntu
libdisplay-info package

[MIR] libdisplay-info

Bug #2071396 reported by Jeremy Bícha on 2024-06-28

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	libdisplay-info (Ubuntu)	Incomplete	Undecided	Jeremy Bícha

Bug Description

[Availability]
The package libdisplay-info is already in Ubuntu universe.
The package libdisplay-info build for the architectures it is designed to work on.
It currently builds and works for all Ubuntu architectures except for i386 where it isn't needed
Link to package https://launchpad.net/ubuntu/+source/libdisplay-info

[Rationale]
- The package libdisplay-info is required in Ubuntu main as a build and runtime dependency of mutter. It is an optional dependency for mutter 46 but is expected to be a required dependency for mutter 47 (Ubuntu 24.10 will include mutter 47).
https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/3602

- The package libdisplay-info will generally be useful for a large part of our user base
- The binary package libdisplay-info needs to be in main for mutter to more effectively parse computer monitor display capabilities via the EDID protocol

- The package libdisplay-info is required in Ubuntu main no later than August 15 due to Ubuntu 24.10 Feature Freeze

[Security]
- No CVEs/security issues in this software in the past
- https://ubuntu.com/security/cve?package=libdisplay-info
- https://security-tracker.debian.org/tracker/source-package/libdisplay-info

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Packages do not install services, timers or recurring jobs
- Packages do not open privileged ports (ports < 1024).
- Packages do not expose any external endpoints
- Packages do not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libdisplay-info
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libdisplay-info
- Upstream's bug tracker https://gitlab.freedesktop.org/emersion/libdisplay-info/-/issues

- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/libdisplay-info/0.1.1-2ubuntu2

- The package runs an autopkgtest, and is currently passing on all architectures (not run on i386)
https://autopkgtest.ubuntu.com/packages/libdisplay-info

- The package does have not failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field

- Lintian overrides are not present

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions

- Packaging and build is easy, link to debian/rules
https://salsa.debian.org/debian/libdisplay-info/-/blob/master/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation or .desktop file)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be Ubuntu Desktop (~desktop-packages) and I have their acknowledgement for that commitment

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/libdisplay-info/0.1.1-2ubuntu2

[Background information]
- The Package description explains the package well
- Upstream Name is libdisplay-info
- Link to upstream project https://gitlab.freedesktop.org/emersion/libdisplay-info

An additional binary packages has no reverse dependencies and can remain in universe:
libdisplay-info-bin

We intend to update libdisplay-info to 0.2 later in the cycle; it is a transition and needs to be coordinated.

See original description

Revision history for this message

Jeremy Bícha (jbicha) wrote on 2024-06-28:

W: libdisplay-info-bin: no-manual-page [usr/bin/di-edid-decode]

(We aren't promoting libdisplay-info-bin to main)

Jeremy Bícha (jbicha) on 2024-06-28

description:

updated

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-07-01:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libdisplay-info (Ubuntu):
status:	New → Confirmed

Christian Ehrhardt  (paelzer) on 2024-07-02

Changed in libdisplay-info (Ubuntu):
assignee:	nobody → Lukas Märdian (slyon)

Revision history for this message

Lukas Märdian (slyon) wrote on 2024-07-09:

Download full text (6.2 KiB)

Review for Source Package: libdisplay-info

[Summary]
libdisplay-info is still a relatively young project (with only 3 releases so
far), but seems to be well documented and tested (e.g. parser fuzzing). It can
be used for parsing & decoding EDID display data into human readable format.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does not need a security review

List of specific binary packages to be promoted to main: libdisplay-info1
Specific binary packages built, but NOT to be promoted to main: libdisplay-info-bin

Notes:
#0 - The library parses EDID data, but commonly from trusted sources (kernel, sysfs).
     It looks well tested & fuzzed, so IMO we don't need security review here.
#1 - The project is still young, with only 3 releases so far and sporadic packaging updates.
     Upstream states "The public API is not yet stable." – The desktop team still wants to
     take it as a dependency, handle any changes necessary due to unstable API and help with
     maintenance.

Required TODOs:
#2 - the current release is not packaged: We have v0.2.0 as of mid-June

Recommended TODOs:
#3 - The package should get a team bug subscriber before being promoted
#4 - does have a non-trivial test suite that runs as autopkgtest
=> simply re-running build-time tests, consider testing against the pre-built binaries
#5 - Ubuntu does carry a delta
=> try upstreaming the tests, debian/watch and debhelper changes
#6 - Upstream & Debian/Ubuntu update history is sporadic consider helping with maintenance, see #1
#7 - Warnings during build, consider helping to fix some of them:
../gtf.c:116:12: warning: ‘pixel_freq’ may be used uninitialized [-Wmaybe-uninitialized]
../gtf.c:114:40: warning: ‘h_blank_pixels’ may be used uninitialized [-Wmaybe-uninitialized]
../gtf.c:113:44: warning: ‘total_pixels’ may be used uninitialized [-Wmaybe-uninitialized]
../gtf.c:112:22: warning: ‘v_sync_bp’ may be used uninitialized [-Wmaybe-uninitialized]
../di-edid-decode/edid.c:500:51: warning: ‘hratio’ may be used uninitialized [-Wmaybe-uninitialized]
../di-edid-decode/edid.c:500:61: warning: ‘vratio’ may be used uninitialized [-Wmaybe-uninitialized]

[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
=> Some provide similar functionality, but not in "main":
$ rmadison -c main {edid-decode,libparse-edid-perl,read-edid,wxedid}
- A team is committed to own long term maintenance of this package.
- The rationale given in the report seems valid and useful for Ubuntu

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does ...

Review for Source Package: libdisplay-info

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does not need a security review

List of specific binary packages to be promoted to main: libdisplay-info1
Specific binary packages built, but NOT to be promoted to main: libdisplay-info-bin

Required TODOs:
#2 - the current release is not packaged: We have v0.2.0 as of mid-June

Recommended TODOs:
#3 - The package should get a team bug subscriber before being promoted
#4 - does have a non-trivial test suite that runs as autopkgtest
   => simply re-running build-time tests, consider testing against the pre-built binaries
#5 - Ubuntu does carry a delta
   => try upstreaming the tests, debian/watch and debhelper changes
#6 - Upstream & Debian/Ubuntu update history is sporadic consider helping with maintenance, see #1
#7 - Warnings during build, consider helping to fix some of them:
../gtf.c:116:12: warning: ‘pixel_freq’ may be used uninitialized [-Wmaybe-uninitialized]
../gtf.c:114:40: warning: ‘h_blank_pixels’ may be used uninitialized [-Wmaybe-uninitialized]
../gtf.c:113:44: warning: ‘total_pixels’ may be used uninitialized [-Wmaybe-uninitialized]
../gtf.c:112:22: warning: ‘v_sync_bp’ may be used uninitialized [-Wmaybe-uninitialized]
../di-edid-decode/edid.c:500:51: warning: ‘hratio’ may be used uninitialized [-Wmaybe-uninitialized]
../di-edid-decode/edid.c:500:61: warning: ‘vratio’ may be used uninitialized [-Wmaybe-uninitialized]

[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
  => Some provide similar functionality, but not in "main":
     $ rmadison -c main {edid-decode,libparse-edid-perl,read-edid,wxedid}
- A team is committed to own long term maintenance of this package.
- The rationale given in the report seems valid and useful for Ubuntu

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features (parser fuzzing)

Problems:
- parses data formats (e.g. EDID structures) from an trusted source.
  => usually from trusted kernel data, e.g. /sys/class/drm/card1-HDMI-A-1/edid,
     but can also take random files as an input

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- This does not need special HW for build or test
- no new python2 dependency

Problems:
- does have a non-trivial test suite that runs as autopkgtest
  => simply re-running build-time tests, consider testing against the pre-built binaries

[Packaging red flags]
OK:

- symbols tracking is in place.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems:
- Ubuntu does carry a delta
  => try upstreaming the tests and debhelper changes
- the current release is not packaged: We have v0.2.0 as of mid-June
- Upstream update history is sporadic (only 3 releases so far, new project)
- Debian/Ubuntu update history is sporadic

[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?

Problems:
- Warnings during build:
../gtf.c:116:12: warning: ‘pixel_freq’ may be used uninitialized [-Wmaybe-uninitialized]
../gtf.c:114:40: warning: ‘h_blank_pixels’ may be used uninitialized [-Wmaybe-uninitialized]
../gtf.c:113:44: warning: ‘total_pixels’ may be used uninitialized [-Wmaybe-uninitialized]
../gtf.c:112:22: warning: ‘v_sync_bp’ may be used uninitialized [-Wmaybe-uninitialized]
../di-edid-decode/edid.c:500:51: warning: ‘hratio’ may be used uninitialized [-Wmaybe-uninitialized]
../di-edid-decode/edid.c:500:61: warning: ‘vratio’ may be used uninitialized [-Wmaybe-uninitialized]

Changed in libdisplay-info (Ubuntu):
assignee:	Lukas Märdian (slyon) → Jeremy Bícha (jbicha)
status:	Confirmed → Incomplete

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2024-07-12:

FTR, both bug 2066080 and bug 2063147 are dependent on this.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulibdisplay-info package

[MIR] libdisplay-info

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
libdisplay-info package