Comment 0 for bug 1934510

Please promote the following binary package built from src:fuse3 to main:

  - libfuse3-3
  - libfuse3-dev

[Availability]

The inclusion of fuse3 in Ubuntu is fairly recent, first being imported in Focal as a sync from Debian, however its predecessor src:fuse from the same upstream (libfuse [1]) has been packaged in Debian since 2002, it's already in main and has been in Ubuntu forever.

The upstream project is "the reference implementation of the Linux FUSE (Filesystem in Userspace) interface" [1] , and can be fully trusted to keep maintaining the package in the foreseeable future.

fuse3 is currently a sync from Debian in Focal, Groovy, Hirsute and Impish.

[Rationale]

QEMU 6.0 added support for FUSE block exports, which allow mounting the guest view of any QEMU block device node as a host file. Debian enable this feature in src:qemu 1:6.0+dfsg-1~exp0 [34], currently in experimental, by adding a new build-dep on libfuse3-dev [4]. We want to bring this support to Ubuntu when merging qemu 6.0 from Debian, and therefore we need to MIR bin:libfuse3-dev and its runtime counterpart bin:libfuse3-3.

[Security]

The package is a library and won't add daemons, setuid binaries, or anything requiring authentication. (This is contrast with the bin:fuse3 package which ships a setuid binary, but which is not part of this MIR.)

The upstream README at [1] has a "Security implications" section which only deals with fuse3, no warning is raised regarding the library.

Given the popularity of the project we can assume that Linus' law applies [5].

[Quality assurance]

There are 0 open bugs in Ubuntu against src:fuse3.

In Debian there are a few bugs against bin:fuse3, including a Serious (=> RC) bug, currently tagged "bullseye-ignore", but considered valid. The bin:fuse3 package is not part of this MIR. (It is likely that we'll want to also MIR bin:fuse3 at some point, and I considered doing so as part of this MIR, but it is more sensible to wait for that RC bug to be fixed before proceeding.)

There are no noteworthy Debian bugs against src:fuse3 or any bin: package part of this MIR.

[Dependencies]

libfuse3-3: libc6 [ok]
libfuse3-dev: libfuse3-3, libselinux-dev [ok]
fuse3: libc6, libfuse3-3, adduser, mount, sed, lsb-base [ok]

[Standards compliance]

$ lintian fuse3_3.10.3-2.dsc
N: 2 hints overridden (2 errors)

The two overridden errors are "source-is-missing" errors for Javascript files which are not used or installed by any binary package:

source-is-missing doc/html/jquery.js line length is 32401 characters (>512)
source-is-missing doc/html/menu.js line length is 695 characters (>512)

The second source-is-missing errors looks like a false positive to me (the JS is not minimized). Avoiding the override would require a +dfsg repacked source, with the extra maintenance it requires. I agree with the overrides in this case.

[Maintenance]
=============

The Server Team will maintain the package.

--

[1] https://github.com/libfuse/libfuse
[2] https://wiki.qemu.org/ChangeLog/6.0
[3] https://metadata.ftp-master.debian.org/changelogs//main/q/qemu/qemu_6.0+dfsg-1~exp0_changelog
[4] https://salsa.debian.org/qemu-team/qemu/-/commit/9fdcf4181e1c8120e6b7c9059209656469bf499b
[5] https://en.wikipedia.org/wiki/Linus%27s_law
[6] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918984