[MIR] libsoup3

Bug #1972153 reported by Didier Roche-Tolomelli
This bug affects 2 people
Affects: libsoup3 (Ubuntu)
Status: Fix Released

Bug Description

Already in Ubuntu universe.
Builds and works for all supported architectures including i386

GNOME is switching to libsoup3. This has been delayed a few releases but I suspect it will be more mandatory for GNOME 43 or GNOME 44.
- gnome-bluetooth3 is a new runtime dependency of package gnome-shell that we already support

libsoup3 is requested in Ubuntu main no later than August 4 to allow time for reverse dependencies to be switched before the 22.10 Feature Freeze on August 25.

- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libsoup
- https://ubuntu.com/security/cve?package=libsoup2.4
- https://security-tracker.debian.org/tracker/source-package/libsoup2.4

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- debian/rules builds with all standard hardening flags

This is a security-sensitive library that allows apps to access data over the Internet.

[Quality assurance - function/usage]
The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and does not have too many long-term critical bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libsoup3
- Ubuntu older series https://bugs.launchpad.net/ubuntu/+source/libsoup2.4
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libsoup3
- Debian older series https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libsoup2.4
- GNOME https://gitlab.gnome.org/GNOME/libsoup/-/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- Runs a test suite on build time, if it fails it makes the build fail, link to build log:

- Includes autopkgtests, both a basic superficial test and an installed-tests suite

[Quality assurance - packaging]
- debian/watch is present and works

- Does not yield massive lintian Warnings or Errors
- Lintian overrides are not present

- Does not rely on obsolete or about-to-be-demoted packages.
- Has no python2 or GTK2 dependencies

- Does not ask debconf questions

- Packaging and build are easy:

[UI standards]

- No dependencies not already in main
- libsoup-3.0-dev has been added to the Extra-Exclude list to keep its sysprof dependency out of main for now

[Standards compliance]
- This package correctly follows FHS and Debian Policy

- Owning Team will be Ubuntu Desktop (Co-maintained with Debian GNOME team.)
- Team is not yet subscribed, but will subscribe to the package before promotion

- This does not use static builds
- This does not use vendored code

[Background information]
The Ubuntu Desktop Team expects that it will be necessary to keep both libsoup2.4 and libsoup3 in main for Ubuntu 22.10.

This is a big and complicated transition. Apps will crash if they are linked against both libraries.
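A practical way to spot the crash-prone situation just described, added here as an example and not part of the bug report or of the libsoup packaging: a small POSIX shell script that lists the shared objects a binary (via `ldd`) or a running process (via `/proc/PID/maps`) pulls in and flags any that name both libsoup-2.4 and libsoup-3.0. The function names are my own, and the ldd-style sample output embedded at the bottom is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the bug report or the libsoup packaging): flag a
# program that would load both libsoup-2.4 and libsoup-3.0 at once, which is
# the combination the MIR description says crashes applications.
# Two inputs feed the same check: `ldd` output for an on-disk binary, and
# /proc/PID/maps for a process that is already running.

# soup_versions: read shared-object names or paths, one per line, on stdin;
# print the distinct libsoup major versions seen ("2.4", "3.0"), one per line.
soup_versions() {
    grep -o 'libsoup-[0-9]\.[0-9]' | sed 's/^libsoup-//' | sort -u
}

# has_conflict: true (exit 0) when the list on stdin names both versions.
has_conflict() {
    found=$(soup_versions | tr '\n' ' ')   # e.g. "2.4 3.0 "
    case "$found" in
        *2.4*3.0*) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_ldd_output NAME: read ldd-style lines on stdin ("lib => path (addr)"),
# print a verdict for NAME and return 1 on a conflict so CI can fail on it.
check_ldd_output() {
    if awk '{print $1}' | has_conflict; then
        echo "CONFLICT: $1 pulls in both libsoup-2.4 and libsoup-3.0"
        return 1
    fi
    echo "ok: $1"
}

# scan_binary PATH: run the check on a real executable or shared library.
scan_binary() {
    ldd "$1" 2>/dev/null | check_ldd_output "$1"
}

# scan_process PID: run the check on a live process; field 6 of
# /proc/PID/maps is the backing file of each mapping, if it has one.
scan_process() {
    awk 'NF >= 6 { print $6 }' "/proc/$1/maps" 2>/dev/null | sort -u | check_ldd_output "pid $1"
}

# Constructed ldd-style samples (not captured from any real system). The first
# models a libsoup3 application that drags in a library still built on 2.4.
SAMPLE_CONFLICT='    libsoup-3.0.so.0 => /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0 (0x00007f1000000000)
    libsoup-2.4.so.1 => /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1 (0x00007f2000000000)
    libglib-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007f3000000000)'
SAMPLE_CLEAN='    libsoup-3.0.so.0 => /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0 (0x00007f1000000000)
    libglib-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007f3000000000)'

if [ $# -gt 0 ]; then
    # Usage: sh soupcheck.sh /usr/bin/app /path/to/plugin.so
    for target in "$@"; do scan_binary "$target"; done
else
    printf '%s\n' "$SAMPLE_CONFLICT" | check_ldd_output "sample-conflict" || true
    printf '%s\n' "$SAMPLE_CLEAN" | check_ldd_output "sample-clean"
fi
```

Two caveats when using this for real: `ldd` only sees libraries resolved at load time, so a conflict introduced by a plugin loaded later with dlopen only shows up in the `/proc/PID/maps` path of a running process; and `ldd` can invoke the binary's dynamic loader, so for binaries you do not trust, `objdump -p FILE | grep NEEDED` (direct dependencies only) is the safer input to feed `soup_versions`.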

Upstream progress tracker:

Migration hints:

Fedora announcement:
https://<email address hidden>/thread/JAQJ5WJQ6U6IZ3BZAZ5AM3VMMQCNOA7G/


Estimated 30 affected source packages in main (some are libraries so true affected count is higher):

Tags: kinetic
Revision history for this message
Sebastien Bacher (seb128) wrote :

The library doesn't require sysprof if I'm reading things correctly, so it probably means we could move the -dev to universe as we did recently for other components.

Jeremy, I'm assigning to you since you did those updates

Changed in libsoup3 (Ubuntu):
assignee: Sebastien Bacher (seb128) → Jeremy Bicha (jbicha)
Didier Roche-Tolomelli (didrocks) wrote :

15:08:34 jbicha | didrocks: oh I added libsoup-3.0-dev to Extra-Exclude last week
15:09:48 jbicha | so sysprof wouldn't be pulled in to main currently

Changed in libsoup3 (Ubuntu):
status: Incomplete → Fix Released
Didier Roche-Tolomelli (didrocks) wrote :

16:28:42 seb128 | didrocks, it probably requires discussion because jbicha said he doesn't believe we will be able to demote libsoup2, so it means we are asking to have 2 versions in main
16:28:55 seb128 | so we should probably focus the MIR on that aspect

reopening then so that we can focus the MIR on it.

Changed in libsoup3 (Ubuntu):
status: Fix Released → Incomplete
Jeremy Bicha (jbicha)
description: updated
Changed in libsoup3 (Ubuntu):
assignee: Jeremy Bicha (jbicha) → nobody
Jeremy Bicha (jbicha)
Changed in libsoup3 (Ubuntu):
status: Incomplete → Confirmed
Jeremy Bicha (jbicha)
description: updated
Changed in libsoup3 (Ubuntu):
status: Confirmed → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libsoup3 (Ubuntu):
status: New → Confirmed
Changed in libsoup3 (Ubuntu):
assignee: nobody → Didier Roche (didrocks)
Sebastien Bacher (seb128) wrote :

GNOME wrote on their ticket

> For GNOME 43 we are trying to finish core stuff that depends on WebKit, so you don't have to build three different versions of WebKit.

If that's true we might be able to move the old libsoup2.4 in universe this cycle. Those are complex changes though and we would like to request the MIR team to consider accepting the promotion even if there is a chance the transition takes one extra cycle before being complete. The alternatives would be to hold on updating GNOME components again or stack reverts, which we would really like to avoid doing.

Didier Roche-Tolomelli (didrocks) wrote :

I haven’t done a full review from scratch as this is a soname bump, but seeing the upstream and packaging changes since the bump, this looks good to me.

I’m going to bring that in the MIR team meeting (in particular security) about maintaining potentially 2 libsoup versions in main for one release. Let’s see how it goes and I’ll keep you posted.

Didier Roche-Tolomelli (didrocks) wrote :

So, after the MIR team meeting, this is a MIR team ACK.
There are some concerns from security that there is no rollback plan in case the transition is not over for the next LTS. However, there seem to be enough time and interim releases for this to be completed beforehand.

Trust is given to the desktop team to track that and act on it in case the transition is not fully done before the next LTS.

Changed in libsoup3 (Ubuntu):
status: Confirmed → Fix Committed
assignee: Didier Roche (didrocks) → nobody
Jeremy Bicha (jbicha)
description: updated
Sebastien Bacher (seb128) wrote :

libsoup3 3.0.6-1 in kinetic: universe/misc -> main
Override [y|N]? y
1 publication overridden.

Changed in libsoup3 (Ubuntu):
status: Fix Committed → Fix Released