[MIR] lua5.4
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
lua5.4 (Ubuntu) |
Fix Released
|
Undecided
|
Lena Voytek |
Bug Description
This MIR will allow packages in main to migrate from depending on lua5.3 to lua5.4. Since lua5.3 doesn't have an MIR bug listed I created this as a new one.
[Availability]
The package lua5.4 is already in Ubuntu universe.
The package lua5.4 build for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
Link to package https:/
[Rationale]
- The package lua5.4 is required in Ubuntu main for migrating our standard version of lua from 5.3 to 5.4
- The package lua5.4 will generally be useful for a large part of our user base
- Additionally multiple packages will no longer need forced compatibility with lua5.3
- There is no other/better way to solve this that is already in main or should go universe->main instead of this.
- The package lua5.4 is required in Ubuntu main no later than the release of mantic to make it our main supported version in 23.10
[Security]
- Had 13 security issues in the past
- links to such security issues in trackers
- https:/
- https:/
- Issues often fixed quickly by upstream
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Packages does not open privileged ports (ports < 1024)
- Packages does not contain extensions to security-sensitive software
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/
- Ubuntu https:/
- Debian https:/
- Upstream's bug tracker - https:/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package does not run a full test suite at build time as one is not provided upstream
- The package does not run any autopkgtests, but it would be useful to add some. There is a bug from lua5.2 that notes this - https:/
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field (Currently Debian Lua Team)
- This package does not yield massive lintian Warnings, Errors
- Link to a recent build log of the package https:/
- Full output from `lintian --pedantic`:
P: lua5.4 source: insecure-
P: lua5.4 source: package-
P: lua5.4 source: silent-
P: lua5.4 source: trailing-whitespace debian/control (line 70)
P: lua5.4 source: uses-debhelper-
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, although there are a large number of commands in override_
[UI standards]
- Application is not end-user facing (does not need translation) (other than lua shell, but this has limited text)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Ubuntu Server
- Team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package successfully built during the most recent test rebuild
[Background information]
The Package description explains the package well
Upstream Name is lua
https:/
Related branches
- git-ubuntu bot: Approve
- Andreas Hasenack: Approve
- Canonical Server Reporter: Pending requested
- Canonical Server packageset reviewers: Pending requested
-
Diff: 315 lines (+199/-9)3 files modifieddebian/changelog (+194/-0)
debian/control (+3/-4)
debian/rules (+2/-5)
description: | updated |
Changed in lua5.4 (Ubuntu): | |
assignee: | nobody → Lukas Märdian (slyon) |
Review for Source Package: lua5.4
[Summary]
The lua5.4 package is supposed to replace the existing lua5.3 package in main.
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does not need a security review
List of specific binary packages to be promoted to main: lua5.4, liblua5.4-0
Specific binary packages built, but NOT to be promoted to main: None
Notes:
#0: I feel like this is mostly fine from a security POV, especially as lua5.3
is already covered by Ubuntu's security team. Still assigning ubunut-security
for a spot check (for lua interperter parsing code), feel free to just pass it
through.
Required TODOs: >>/src'
#1: Please outline the migration plan for lua5.3 -> lua5.4.
Will it all be done in the Mantic cylce? When can we expect to demote 5.3?
#2: does not have a non-trivial test suite that runs as autopkgtest
#3a: does not have a test suite that runs at build time
#3b: test suite fails will not fail the build upon error.
> dh_auto_test
> make -j4 test
> make[1]: Entering directory '/<<PKGBUILDDIR>>'
> make[2]: Entering directory '/<<PKGBUILDDIR
> mode=execute -dlopen ./liblua5.4.la ./lua5.4 -v
> /bin/sh: 1: -dlopen: not found
> make[2]: [Makefile:92: test] Error 127 (ignored)
#4: symbols tracking is not in place, is there a specific reason for that?
#5: the current release is not packaged (current: 5.4.6, lacking 1.5 years behind)
#6: debian/rules does lots of stuff, not very clean.
Generally, I feel like the packaging could need some love, see #7 / #8
Recommended TODOs: control- has-obsolete- dbg-package no-bindnow control- file date-standards- version 4.5.0 script- without- set-e uses-old- debhelper- compat- version 12 on-rules- requiring- root compat- file /bugs.debian. org/cgi- bin/bugreport. cgi?bug= 842456
#7: Lintian report:
I: lua5.4 source: debian-
I: liblua5.4-0: hardening-
I: liblua5.4-0: no-symbols-
I: lua5.4 source: out-of-
P: liblua5.4-dev: maintainer-
P: lua5.4 source: package-
P: lua5.4 source: silent-
P: lua5.4 source: uses-debhelper-
#8a: important bugs:
* https:/
#8b: deprecation warning during build:
> configure.ac:3: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
> configure.ac:3: You should run autoupdate.
> aclocal.m4:114: AC_PROG_LIBTOOL is expanded from...
> configure.ac:3: the top level
#9: The package should get a team bug subscriber before being promoted
[Duplication] 0.3-base [amd64 arm64 armhf ppc64el s390x] 0.4-0 [amd64 arm64 armhf ppc64el s390x]
There is no other package in main providing the same functionality.
This is a version bump MIR lua5.3 -> lua5.4. lua5.3 is supposed to be demoted
once dependencies migrated to lua5.4:
$ reverse-depends src:lua5.3 -c main -r mantic
Reverse-Depends
===============
* apache2-bin (for liblua5.3-0)
* ceph-common [amd64 arm64 armhf ppc64el s390x]
* ceph-mds [amd64 arm64 armhf ppc64el s390x]
* dovecot-core [amd64 arm64 armhf ppc64el s390x]
* grilo-plugins-
* haproxy [amd64 arm64 armhf ppc64el s390x]
* ibus-libpinyin [amd64 arm64 armhf ppc64el s390x]
* librgw2 [amd64 arm64 armhf ppc64el s390x]
* libwireplumber-
* radosgw [amd64 arm64 armhf ppc64el s390x]
[Depen...