[MIR] libportal

Bug #1932485 reported by Sebastien Bacher
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libportal (Ubuntu)
Fix Released

Bug Description

* Availability

Built for all supported architectures. In sync with Debian.

* Rationale

It's a new optional depends of nautilus which uses it to access the xdg portal to set the background in a desktop neutral way.

The binary needed in main is the library, libportal0.

* Security

No known security issues


* Quality assurance

- The desktop-packages team is going to be subscribed

- No downstream open reports and upstream list seems in shape

There is current no build time tests but xdg-desktop-portal autopkgtests are covering libportal so should help us to catch potential regressions.

The package provides a trivial build and start autopkgtest.

* Dependencies

The dependencies are in main
 Depends: libc6 (>= 2.4), libglib2.0-0 (>= 2.58)

* Standards compliance

Use current Standards-Version and dh12

* Maintenance

The Debian maintainer is active, the package is in sync, the Desktop Team is going to maintain it in Ubuntu

description: updated
Changed in libportal (Ubuntu):
importance: Undecided → Low
Changed in libportal (Ubuntu):
assignee: nobody → Didier Roche (didrocks)
Revision history for this message
Jeremy Bicha (jbicha) wrote :

The API stability question was answered sufficiently for the Debian maintainer to release his package to Debian unstable/testing.

The discussion was at https://github.com/flatpak/libportal/issues/33

Revision history for this message
Sebastien Bacher (seb128) wrote (last edit ):

I've updated the description to remove the ABI stability question now that it has been resolved, upstream said they would bump the soname as needed, which means the request should be ready for review now

description: updated
Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

There are some digging to be done around tests, especially due to the ABI instability. Can we use the -test package for integration tests for instance?
Then, I’m happy to give a +1 from the MIR team. I don’t think security review is really needed here, as the security part is done on the callee side, and this is the caller one.

Required TODO:
- Investigating if we can expand the autopkgtests testsuite to be non trivial (including the -test package and do an API call).

Recommended TODO:
One copyright owner is missing:
libportal/portal-qt5.h: GNU Library General Public License v2 or later
  [Copyright: 2020 Jan Grulich]

There is no other package in main providing the same functionality.

- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
- no embedded source present
- no static linking

- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
- does not FTBFS currently
- no special HW does prevent build/autopkgtest.
- no translation present, but none needed for this case
- not a python/go package, no extra constraints to consider in that regard

- does not have a test suite that runs at build time. There are some autopkgtests though. This may be due to dbus-run-session? Could we inspect if we can have some tests running at build-time already?
- does have a trivial test suite that runs as autopkgtest. There is a -test package that is not used. Could we investigate on how we can exercise this code if possible? That would remove the need to rely on the other package to exercise the test via rdepends.

[Packaging red flags]
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in libportal (Ubuntu):
assignee: Didier Roche (didrocks) → nobody
status: New → Incomplete
Revision history for this message
Sebastien Bacher (seb128) wrote :

The tests situation was discussed a bit on https://irclogs.ubuntu.com/2021/06/18/%23ubuntu-desktop.html

Basically xdg-desktop-portal tests, once built using libportal, are covering libportal and provided as autopkgtests so they should prevent us from migrating a buggy update.

Would that be enough to address the concern raised in the review?

Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

For me, that would be sufficient.

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thanks, let's do that at the opening of next cycle then!

Revision history for this message
Sebastien Bacher (seb128) wrote :

Reopening now for the new cycle, we could like to see that one promoted. Upstream agreed on updating the soname as needed so that concern is resolved, as discussed in the previous posts the testing should be assured by the xdg-desktop-portal autopkgtests which will gate updates.

Changed in libportal (Ubuntu):
status: Incomplete → New
Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

This is fine with me with the recent discussions after a new quick check, approving from MIR team perspective.

Changed in libportal (Ubuntu):
status: New → Fix Committed
Revision history for this message
Sebastien Bacher (seb128) wrote :

xdg-desktop-portal with libportal enabled has been synced from Debian now

Revision history for this message
Sebastien Bacher (seb128) wrote :

libportal 0.6-2 in kinetic: universe/misc -> main
Override [y|N]? y
1 publication overridden.

Changed in libportal (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.