[MIR] lua5.4

Bug #2026608 reported by Lena Voytek
Affects: lua5.4 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Lena Voytek

Bug Description

This MIR will allow packages in main to migrate from depending on lua5.3 to lua5.4. Since lua5.3 doesn't have an MIR bug listed I created this as a new one.

[Availability]
The package lua5.4 is already in Ubuntu universe.
The package lua5.4 builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/lua5.4

[Rationale]
- The package lua5.4 is required in Ubuntu main for migrating our standard version of lua from 5.3 to 5.4
- The package lua5.4 will generally be useful for a large part of our user base
- Additionally multiple packages will no longer need forced compatibility with lua5.3

- There is no other/better way to solve this that is already in main or should go universe->main instead of this.

- The package lua5.4 is required in Ubuntu main no later than the release of mantic to make it our main supported version in 23.10

[Security]
- Had 13 security issues in the past
- links to such security issues in trackers
  - https://ubuntu.com/security/cves?package=lua5.4
  - https://security-tracker.debian.org/tracker/source-package/lua5.4
- Issues often fixed quickly by upstream

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/lua5.4/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=lua5.4
- Upstream's bug tracker - https://www.lua.org/bugs.html
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run a full test suite at build time as one is not provided upstream

- The package does not run any autopkgtests, but it would be useful to add some. There is a bug from lua5.2 that notes this - https://bugs.launchpad.net/ubuntu/+source/lua5.2/+bug/1679332. If needed I can work on this as a part of this MIR

[Quality assurance - packaging]
- debian/watch is present and works

- debian/control defines a correct Maintainer field (Currently Debian Lua Team)

- This package does not yield massive lintian Warnings, Errors
- Link to a recent build log of the package https://launchpadlibrarian.net/613445220/buildlog_ubuntu-kinetic-amd64.lua5.4_5.4.4-3_BUILDING.txt.gz

- Full output from `lintian --pedantic`:
P: lua5.4 source: insecure-copyright-format-uri http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ [debian/copyright]
P: lua5.4 source: package-uses-old-debhelper-compat-version 12
P: lua5.4 source: silent-on-rules-requiring-root [debian/control]
P: lua5.4 source: trailing-whitespace debian/control (line 70)
P: lua5.4 source: uses-debhelper-compat-file [debian/compat]

- Lintian overrides are not present

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will not be installed by default

- Packaging and build is easy, although there are a large number of commands in override_dh_auto_install, link to debian/rules https://git.launchpad.net/ubuntu/+source/lua5.4/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation) (other than lua shell, but this has limited text)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be Ubuntu Server
- Team is not yet, but will subscribe to the package before promotion

- This does not use static builds

- This does not use vendored code

- This package is not rust based

- The package successfully built during the most recent test rebuild

[Background information]
The Package description explains the package well
Upstream Name is lua
https://www.lua.org/source/5.4/

Lena Voytek (lvoytek)
description: updated
Changed in lua5.4 (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Lukas Märdian (slyon) wrote :

Review for Source Package: lua5.4

[Summary]
The lua5.4 package is supposed to replace the existing lua5.3 package in main.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does not need a security review

List of specific binary packages to be promoted to main: lua5.4, liblua5.4-0
Specific binary packages built, but NOT to be promoted to main: None

Notes:
#0: I feel like this is mostly fine from a security POV, especially as lua5.3
is already covered by Ubuntu's security team. Still assigning ubuntu-security
for a spot check (for lua interpreter parsing code), feel free to just pass it
through.

Required TODOs:
#1: Please outline the migration plan for lua5.3 -> lua5.4.
    Will it all be done in the Mantic cycle? When can we expect to demote 5.3?
#2: does not have a non-trivial test suite that runs as autopkgtest
#3a: does not have a test suite that runs at build time
#3b: test suite fails will not fail the build upon error.
> dh_auto_test
> make -j4 test
> make[1]: Entering directory '/<<PKGBUILDDIR>>'
> make[2]: Entering directory '/<<PKGBUILDDIR>>/src'
> mode=execute -dlopen ./liblua5.4.la ./lua5.4 -v
> /bin/sh: 1: -dlopen: not found
> make[2]: [Makefile:92: test] Error 127 (ignored)
#4: symbols tracking is not in place, is there a specific reason for that?
#5: the current release is not packaged (current: 5.4.6, lagging 1.5 years behind)
#6: debian/rules does lots of stuff, not very clean.
    Generally, I feel like the packaging could need some love, see #7 / #8

Recommended TODOs:
#7: Lintian report:
I: lua5.4 source: debian-control-has-obsolete-dbg-package
I: liblua5.4-0: hardening-no-bindnow
I: liblua5.4-0: no-symbols-control-file
I: lua5.4 source: out-of-date-standards-version 4.5.0
P: liblua5.4-dev: maintainer-script-without-set-e
P: lua5.4 source: package-uses-old-debhelper-compat-version 12
P: lua5.4 source: silent-on-rules-requiring-root
P: lua5.4 source: uses-debhelper-compat-file
#8a: important bugs:
  * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842456
#8b: deprecation warning during build:
> configure.ac:3: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
> configure.ac:3: You should run autoupdate.
> aclocal.m4:114: AC_PROG_LIBTOOL is expanded from...
> configure.ac:3: the top level
#9: The package should get a team bug subscriber before being promoted

[Duplication]
There is no other package in main providing the same functionality.
This is a version bump MIR lua5.3 -> lua5.4. lua5.3 is supposed to be demoted
once dependencies migrated to lua5.4:
$ reverse-depends src:lua5.3 -c main -r mantic
Reverse-Depends
===============
* apache2-bin (for liblua5.3-0)
* ceph-common [amd64 arm64 armhf ppc64el s390x]
* ceph-mds [amd64 arm64 armhf ppc64el s390x]
* dovecot-core [amd64 arm64 armhf ppc64el s390x]
* grilo-plugins-0.3-base [amd64 arm64 armhf ppc64el s390x]
* haproxy [amd64 arm64 armhf ppc64el s390x]
* ibus-libpinyin [amd64 arm64 armhf ppc64el s390x]
* librgw2 [amd64 arm64 armhf ppc64el s390x]
* libwireplumber-0.4-0 [amd64 arm64 armhf ppc64el s390x]
* radosgw [amd64 arm64 armhf ppc64el s390x]

[Depen...


Changed in lua5.4 (Ubuntu):
status: New → Incomplete
assignee: Lukas Märdian (slyon) → Lena Voytek (lvoytek)
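
Required TODO #3b in the review above quotes a build log in which the test command exits with 127 and make reports the error as `(ignored)`, so the build still succeeds. The following is an added example, not part of the original report or of the package: a Python scanner that flags such ignored recipe failures in a build log. The function name `ignored_failures` and the sample log (the quoted lines plus one constructed fatal-error line) are assumptions of this example.

```python
import re

# GNU make prints "[Makefile:92: test] Error 127 (ignored)" when a recipe line
# fails but the failure is ignored ('-' prefix, .IGNORE, or make -i). Fatal
# errors carry "***" and no "(ignored)" suffix. Older make omits "file:line: ".
MAKE_ERROR = re.compile(
    r"^make(?:\[\d+\])?: (?:\*\*\* )?"
    r"\[(?:(?P<file>[^:\]]+):(?P<line>\d+): )?(?P<target>[^\]]+)\] "
    r"Error (?P<code>\d+)(?P<ignored> \(ignored\))?"
)

def ignored_failures(log_text):
    """Return one finding per recipe failure that make ignored."""
    findings = []
    prev = ""  # last non-empty line, usually the shell's own error message
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate '> ' quoting as in the bug
        m = MAKE_ERROR.match(line)
        if m and m.group("ignored"):
            code = int(m.group("code"))
            findings.append({
                "target": m.group("target"),
                "makefile": m.group("file"),
                "line": int(m.group("line")) if m.group("line") else None,
                "exit_code": code,
                # 127 is the shell's "command not found" status
                "command_missing": code == 127,
                "context": prev,
            })
        if line:
            prev = line
    return findings

# Sample input: the log lines quoted in the review, plus a final constructed
# line showing that a fatal (non-ignored) error is not reported by this check.
SAMPLE_LOG = """\
dh_auto_test
make -j4 test
make[1]: Entering directory '/<<PKGBUILDDIR>>'
make[2]: Entering directory '/<<PKGBUILDDIR>>/src'
mode=execute -dlopen ./liblua5.4.la ./lua5.4 -v
/bin/sh: 1: -dlopen: not found
make[2]: [Makefile:92: test] Error 127 (ignored)
make[2]: *** [Makefile:40: other] Error 1
"""

if __name__ == "__main__":
    for f in ignored_failures(SAMPLE_LOG):
        print(f)
```

A non-empty result for a test target means the test step cannot fail the build, which is the condition the reviewer flagged.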
Seth Arnold (seth-arnold) wrote :

In the 18 July 2023 MIR meeting we decided this just needs a very quick security skim rather than the full experience; please assign to ubuntu-security when the TODOs are handled. Thanks

Lena Voytek (lvoytek) wrote :

Hi Lukas, Thanks for looking into this! I've updated the lua5.4 packaging with:
- An update to 5.4.6
- New DEP-8 tests
- A fixed buildtime test
- A symbols file
- and a fix of the deprecation warning during build time

All the above changes have migrated into the main archive for mantic now.

I also built the reverse dependencies in main against lua5.4 in the PPA here: https://launchpad.net/~lvoytek/+archive/ubuntu/lua-mir-update
All packages should be ready to update immediately after the promotion, with the exception of ceph which is currently failing to build using either lua version. So the transition should be able to happen by feature freeze, allowing lua5.3 to be demoted this cycle.

Lukas Märdian (slyon) wrote :

Thank you, LGTM!
MIR team ACK.

#1: Please outline the migration plan for lua5.3 -> lua5.4.
    Will it all be done in the Mantic cycle? When can we expect to demote 5.3?
    [RESOLVED] via comment #3

#2: does not have a non-trivial test suite that runs as autopkgtest
    [RESOLVED]

#3a: does not have a test suite that runs at build time
#3b: test suite fails will not fail the build upon error.
> dh_auto_test
> make -j4 test
> make[1]: Entering directory '/<<PKGBUILDDIR>>'
> make[2]: Entering directory '/<<PKGBUILDDIR>>/src'
> mode=execute -dlopen ./liblua5.4.la ./lua5.4 -v
> /bin/sh: 1: -dlopen: not found
> make[2]: [Makefile:92: test] Error 127 (ignored)
    [RESOLVED]

#4: symbols tracking is not in place, is there a specific reason for that?
    [RESOLVED]

#5: the current release is not packaged (current: 5.4.6, lagging 1.5 years behind)
    [RESOLVED]

#6: debian/rules does lots of stuff, not very clean.
    Generally, I feel like the packaging could need some love, see #7 / #8
    [DOWNGRADE] to Recommended TODO, as I think this is manageable

#10: Please work with the Debian maintainer to get the versions back in sync.
     I guess we don't want to diverge on toolchain packages like this.
     [ADDED] as a new Recommended TODO

Changed in lua5.4 (Ubuntu):
status: Incomplete → In Progress
Christian Ehrhardt  (paelzer) wrote :

This was promoted:
 lua5.4 | 5.4.6-0ubuntu2 | mantic | source
 liblua5.4-0 | 5.4.6-0ubuntu2 | mantic | amd64, arm64, armhf, i386, ppc64el, riscv64, s390x

Changed in lua5.4 (Ubuntu):
status: In Progress → Fix Released
Christian Ehrhardt  (paelzer) wrote :

Remaining task, there shouldn't be something holding <5.4 in main

liblua5.1-0 | lua5.1 | slurm-wlm-basic-plugins

liblua5.2-0 | lua5.2 | dnsmasq-base-lua

liblua5.3-0 | lua5.3 | libwireplumber-0.4-0

From: https://ubuntu-archive-team.ubuntu.com/germinate-output/ubuntu.mantic/all+extra

Christian Ehrhardt  (paelzer) wrote :

False alarm
Just waiting in -proposed
