Activity log for bug #1942394

Date Who What changed Old value New value Message
2021-09-02 06:12:24 Christian Ehrhardt  bug added bug
2021-09-02 06:12:32 Christian Ehrhardt  mdevctl (Ubuntu): status New Incomplete
2021-09-02 06:15:26 Christian Ehrhardt  description Version 1.0 switched from the most simple (shell) to the least easy supportable (rust) => https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0 This worked fine in Debian => https://launchpad.net/debian/+source/mdevctl/1.0.0-1 But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper. IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies. I'll start the discussion internally ... This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is. Right now it is *intentionally* incomplete and has no full MIR template here. This is in main via bug 1889248 already, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust) => https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0 This worked fine in Debian => https://launchpad.net/debian/+source/mdevctl/1.0.0-1 But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper. IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies. I'll start the discussion internally ... This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is. Right now it is *intentionally* incomplete and has no full MIR template here.
2021-09-02 06:42:06 Christian Ehrhardt  bug added subscriber Ubuntu Package Archive Administrators
2021-09-02 06:42:14 Christian Ehrhardt  bug added subscriber MIR approval team
2021-09-02 06:46:31 Christian Ehrhardt  bug watch added https://github.com/mdevctl/mdevctl/issues/44
2021-09-02 06:46:31 Christian Ehrhardt  bug task added mdevctl
2021-09-02 06:47:00 Christian Ehrhardt  attachment added Diff to sync-blacklist.txt to block mdevctl https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug/1942394/+attachment/5522470/+files/block-mdevctl-auto-sync.diff
2021-09-07 10:02:31 Christian Ehrhardt  attachment added build log using dh-cargo to generate X-Cargo-Built-Using https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug/1942394/+attachment/5523441/+files/mdevctl_1.0.0-2_amd64.build
2022-04-03 21:12:35 Bug Watch Updater mdevctl: status Unknown Fix Released
2022-05-24 23:33:37 Bryce Harrington tags needs-sync
2022-05-24 23:33:42 Bryce Harrington mdevctl (Ubuntu): milestone ubuntu-22.06
2022-05-25 00:05:47 Bryce Harrington tags needs-sync needs-sync packaging
2022-06-10 14:42:25 Athos Ribeiro mdevctl (Ubuntu): assignee Athos Ribeiro (athos-ribeiro)
2022-07-12 13:52:56 Athos Ribeiro description This is in main via bug 1889248 already, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust) => https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0 This worked fine in Debian => https://launchpad.net/debian/+source/mdevctl/1.0.0-1 But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper. IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies. I'll start the discussion internally ... This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is. Right now it is *intentionally* incomplete and has no full MIR template here. This template uses the new proposed format that covers Rust packages, submitted through https://github.com/canonical/ubuntu-mir/pull/1 [Availability] The package mdevctl is already in main via LP: #1889248, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust) => https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0 The latest version of mdevctl available in Debian unstable was changed to adapt to the MIR rules, as proposed in https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351. The package builds and works for all supported architectures, and is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages. The original (shell based) package is available at https://launchpad.net/ubuntu/+source/mdevctl. [Rationale] This has 3 reasons: 1. it is a very nice tool to handle meidiated devices in general. It more and more becomes the one tool people refer to (other than fully manual working through sysfs) 2. it is a Recomments for libvirt-daemon-system, which is in main. 3. the previous (shell based) version of the package is already in main. It would be great to have mdevctl in Ubuntu main for kinetic, to avoid more gaps between Ubuntu and Debian unstable, which could potentialy hinder the merge processes, but there is no definitive deadline. [Security] No CVEs/security issues in this software in the past; No `suid` or `sgid` binaries; No executables in `/sbin` and `/usr/sbin`; The package does not install services, timers or recurring jobs; The package does not open privileged ports (ports < 1024); and The package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, etc). [Quality assurance - function/usage] The package works well right after install. It is composed of a single binary file, a manpage and documentation. [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open. Ubuntu https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mdevctl At the moment this was written, the only Ubuntu bug open was this MIR one. Debian has 2 open bugs, as described below: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013551 This has been fixed in salsa through https://salsa.debian.org/debian/mdevctl/-/merge_requests/3 and will be available in the next debian release. It is also already included in the proposed merge in the PPA at https://salsa.debian.org/debian/mdevctl/-/merge_requests/3, which is what we intend to upload to Ubuntu once this MIR is accepted. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003777 This is valid, but can be fixed in Debian first and then pushed to Ubuntu. The next upstream version will improve the error message as per https://github.com/mdevctl/mdevctl/commit/1b880042683879db524c0d74b48bfdf533bda996. On top of that, we should ensure that /etc/mdevctl.d/ is part of this package. [Quality assurance - testing] RULE: - The package must include a non-trivial test suite RULE: - it should run at package build and fail the build if broken TODO-A: - The package runs a test suite on build time, if it fails TODO-A: it makes the build fail, link to build log TBD TODO-B: - The package does not run a test at build time because TBD RULE: - The package should, but is not required to, also contain RULE: non-trivial autopkgtest(s). TODO-A: - The package runs an autopkgtest, and is currently passing on TODO-A: this TBD list of architectures, link to test logs TBD TODO-B: - The package does not run an autopkgtest because TBD RULE: - existing but failing tests that shall be handled as "ok to fail" RULE: need to be explained along the test logs below TODO-A: - The package does have not failing autopkgtests right now TODO-B: - The package does have failing autopkgtests tests right now, but since TODO-B: they always failed they are handled as "ignored failure", this is TODO-B: ok because TBD RULE: - If no build tests nor autopkgtests are included, and/or if the package RULE: requires specific hardware to perform testing, the subscribed team RULE: must provide a written test plan in a comment to the MIR bug, and RULE: commit to running that test either at each upload of the package or RULE: at least once each release cycle. In the comment to the MIR bug, RULE: please link to the codebase of these tests (scripts or doc of manual RULE: steps) and attach a full log of these test runs. This is meant to RULE: assess their validity (e.g. not just superficial) TODO: - The package can not be tested at build or autopktest time because TBD TODO: to make up for that here TBD is a test plan/automation and example TODO: test TBD (logs/scripts) RULE: - In some cases a solution that is about to be promoted consists of RULE: several very small libraries and one actual application uniting them RULE: to achieve something useful. This is rather common in the go/rust space. RULE: In that case often these micro-libs on their own can and should only RULE: provide low level unit-tests. But more complex autopkgtests make no RULE: sense on that level. Therefore in those cases one might want to test on RULE: the solution level. RULE: - Process wise MIR-requesting teams can ask (on the bug) for this RULE: special case to apply for a given case, which reduces the test RULE: constraints on the micro libraries but in return increases the RULE: requirements for the test of the actual app/solution. RULE: - Since this might promote micro-lib packages to main with less than RULE: the common level of QA any further MIRed program using them will have RULE: to provide the same amount of increased testing. TODO: - This package is minimal and will be tested in a more wide reaching TODO: solution context TBD, details about this testing are here TBD [Quality assurance - packaging] debian/watch is present and works. It levarages the support for Multiple Upstream Tarballs (MUT) to pull in the vendored sources. This process is described in debian/README.source. debian/control defines a correct Maintainer field. This package does not yield massive lintian Warnings, Errors A recent build log of the package is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+build/24120829 A no comprehensive "lintian --pedantic" output (without --no-tag-display-limit) follows: E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore.a E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore_downlevel.a E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_onecore.a E: mdevctl source: unpack-message-for-orig ... use --no-tag-display-limit to see all (or pipe to a file/program) P: mdevctl source: update-debian-copyright 2020 vs 2022 [debian/copyright:10] P: mdevctl source: very-long-line-length-in-source-file vendor/aho-corasick/.cargo-checksum.json line 1 is 2574 characters long (>512) P: mdevctl source: very-long-line-length-in-source-file vendor/ansi_term/.cargo-checksum.json line 1 is 1075 characters long (>512) P: mdevctl source: very-long-line-length-in-source-file vendor/anyhow/.cargo-checksum.json line 1 is 3038 characters long (>512) P: mdevctl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program) Lintian overrides are not present. This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies. The package will not be installed by default. Still, it does not ask debconf questions. Packaging is more complex than avarage due to the source vendoring process, which differs to Debian. This should be ok because debian/README.source clearly describes the process. [UI standards] No end user UI Just a few CLI bits used by admins and parsable output used by tools. [Dependencies] No further depends or recommends dependencies that are not yet in main. Do note that this package includes vendored Rust code. [Standards compliance] This package correctly follows FHS and Debian Policy. Do note that it does include embedded copies of otehr software (vendorized rust code), which is discouraged by https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies. This is done to the current state of the rust stack/support. [Maintenance/Owner] The Server Team is already subscribed to the package and maintains it in Debian and Ubuntu. The Server Team is aware of the implications by a static build and commits to test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM). The Server Team is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates and backports to the security team for any affected vendored code for the lifetime of the release (including ESM). This package uses vendored rust code tracked in Cargo.lock as shipped, in the package (at /usr/share/doc/mdevctl/Cargo.lock.gz - gz compressed), refreshing that code is outlined in debian/README.source This package uses vendored code, refreshing that code is outlined in debian/README.source. This package is rust based and vendors all non language-runtime dependencies. The package was test rebuilt in a PPA, as pointed out above. The latest version of mdevctl available in Debian unstable was changed to adapt to the MIR rules, as proposed in https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351. The package builds and works for all supported architectures, and is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages, where one can check the build logs for all supported architectures. [Background information] The Package description explains the package well: Mediated device management utility for Linux mdevctl is a utility for managing and persisting devices in the mediated device framework of the Linux kernel. Mediated devices are sub-devices of a parent device (ex. a vGPU) which can be dynamically created and potentially used by drivers like vfio-mdev for assignment to virtual machines. Upstream Name is mdevctl, and is available at https://github.com/mdevctl/mdevctl Note that, for the former MIR process, jq and libonig were included in main because mdevctl < 1 depends on those packages. This is no longer true for mdevctl >= 1 and their demotion should be evaluated. [Former Bug Description - NO LONGER PART OF MIR DOCS] This is in main via bug 1889248 already, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust) => https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0 This worked fine in Debian => https://launchpad.net/debian/+source/mdevctl/1.0.0-1 But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper. IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies. I'll start the discussion internally ... This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is. Right now it is *intentionally* incomplete and has no full MIR template here.
2022-07-12 14:40:24 Athos Ribeiro description This template uses the new proposed format that covers Rust packages, submitted through https://github.com/canonical/ubuntu-mir/pull/1 [Availability] The package mdevctl is already in main via LP: #1889248, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust) => https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0 The latest version of mdevctl available in Debian unstable was changed to adapt to the MIR rules, as proposed in https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351. The package builds and works for all supported architectures, and is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages. The original (shell based) package is available at https://launchpad.net/ubuntu/+source/mdevctl. [Rationale] This has 3 reasons: 1. it is a very nice tool to handle meidiated devices in general. It more and more becomes the one tool people refer to (other than fully manual working through sysfs) 2. it is a Recomments for libvirt-daemon-system, which is in main. 3. the previous (shell based) version of the package is already in main. It would be great to have mdevctl in Ubuntu main for kinetic, to avoid more gaps between Ubuntu and Debian unstable, which could potentialy hinder the merge processes, but there is no definitive deadline. [Security] No CVEs/security issues in this software in the past; No `suid` or `sgid` binaries; No executables in `/sbin` and `/usr/sbin`; The package does not install services, timers or recurring jobs; The package does not open privileged ports (ports < 1024); and The package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, etc). [Quality assurance - function/usage] The package works well right after install. It is composed of a single binary file, a manpage and documentation. [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open. Ubuntu https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mdevctl At the moment this was written, the only Ubuntu bug open was this MIR one. Debian has 2 open bugs, as described below: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013551 This has been fixed in salsa through https://salsa.debian.org/debian/mdevctl/-/merge_requests/3 and will be available in the next debian release. It is also already included in the proposed merge in the PPA at https://salsa.debian.org/debian/mdevctl/-/merge_requests/3, which is what we intend to upload to Ubuntu once this MIR is accepted. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003777 This is valid, but can be fixed in Debian first and then pushed to Ubuntu. The next upstream version will improve the error message as per https://github.com/mdevctl/mdevctl/commit/1b880042683879db524c0d74b48bfdf533bda996. On top of that, we should ensure that /etc/mdevctl.d/ is part of this package. [Quality assurance - testing] RULE: - The package must include a non-trivial test suite RULE: - it should run at package build and fail the build if broken TODO-A: - The package runs a test suite on build time, if it fails TODO-A: it makes the build fail, link to build log TBD TODO-B: - The package does not run a test at build time because TBD RULE: - The package should, but is not required to, also contain RULE: non-trivial autopkgtest(s). TODO-A: - The package runs an autopkgtest, and is currently passing on TODO-A: this TBD list of architectures, link to test logs TBD TODO-B: - The package does not run an autopkgtest because TBD RULE: - existing but failing tests that shall be handled as "ok to fail" RULE: need to be explained along the test logs below TODO-A: - The package does have not failing autopkgtests right now TODO-B: - The package does have failing autopkgtests tests right now, but since TODO-B: they always failed they are handled as "ignored failure", this is TODO-B: ok because TBD RULE: - If no build tests nor autopkgtests are included, and/or if the package RULE: requires specific hardware to perform testing, the subscribed team RULE: must provide a written test plan in a comment to the MIR bug, and RULE: commit to running that test either at each upload of the package or RULE: at least once each release cycle. In the comment to the MIR bug, RULE: please link to the codebase of these tests (scripts or doc of manual RULE: steps) and attach a full log of these test runs. This is meant to RULE: assess their validity (e.g. not just superficial) TODO: - The package can not be tested at build or autopktest time because TBD TODO: to make up for that here TBD is a test plan/automation and example TODO: test TBD (logs/scripts) RULE: - In some cases a solution that is about to be promoted consists of RULE: several very small libraries and one actual application uniting them RULE: to achieve something useful. This is rather common in the go/rust space. RULE: In that case often these micro-libs on their own can and should only RULE: provide low level unit-tests. But more complex autopkgtests make no RULE: sense on that level. Therefore in those cases one might want to test on RULE: the solution level. RULE: - Process wise MIR-requesting teams can ask (on the bug) for this RULE: special case to apply for a given case, which reduces the test RULE: constraints on the micro libraries but in return increases the RULE: requirements for the test of the actual app/solution. RULE: - Since this might promote micro-lib packages to main with less than RULE: the common level of QA any further MIRed program using them will have RULE: to provide the same amount of increased testing. TODO: - This package is minimal and will be tested in a more wide reaching TODO: solution context TBD, details about this testing are here TBD [Quality assurance - packaging] debian/watch is present and works. It levarages the support for Multiple Upstream Tarballs (MUT) to pull in the vendored sources. This process is described in debian/README.source. debian/control defines a correct Maintainer field. This package does not yield massive lintian Warnings, Errors A recent build log of the package is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+build/24120829 A no comprehensive "lintian --pedantic" output (without --no-tag-display-limit) follows: E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore.a E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore_downlevel.a E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_onecore.a E: mdevctl source: unpack-message-for-orig ... use --no-tag-display-limit to see all (or pipe to a file/program) P: mdevctl source: update-debian-copyright 2020 vs 2022 [debian/copyright:10] P: mdevctl source: very-long-line-length-in-source-file vendor/aho-corasick/.cargo-checksum.json line 1 is 2574 characters long (>512) P: mdevctl source: very-long-line-length-in-source-file vendor/ansi_term/.cargo-checksum.json line 1 is 1075 characters long (>512) P: mdevctl source: very-long-line-length-in-source-file vendor/anyhow/.cargo-checksum.json line 1 is 3038 characters long (>512) P: mdevctl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program) Lintian overrides are not present. This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies. The package will not be installed by default. Still, it does not ask debconf questions. Packaging is more complex than avarage due to the source vendoring process, which differs to Debian. This should be ok because debian/README.source clearly describes the process. [UI standards] No end user UI Just a few CLI bits used by admins and parsable output used by tools. [Dependencies] No further depends or recommends dependencies that are not yet in main. Do note that this package includes vendored Rust code. [Standards compliance] This package correctly follows FHS and Debian Policy. Do note that it does include embedded copies of otehr software (vendorized rust code), which is discouraged by https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies. This is done to the current state of the rust stack/support. [Maintenance/Owner] The Server Team is already subscribed to the package and maintains it in Debian and Ubuntu. The Server Team is aware of the implications by a static build and commits to test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM). The Server Team is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates and backports to the security team for any affected vendored code for the lifetime of the release (including ESM). This package uses vendored rust code tracked in Cargo.lock as shipped, in the package (at /usr/share/doc/mdevctl/Cargo.lock.gz - gz compressed), refreshing that code is outlined in debian/README.source This package uses vendored code, refreshing that code is outlined in debian/README.source. This package is rust based and vendors all non language-runtime dependencies. The package was test rebuilt in a PPA, as pointed out above. The latest version of mdevctl available in Debian unstable was changed to adapt to the MIR rules, as proposed in https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351. The package builds and works for all supported architectures, and is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages, where one can check the build logs for all supported architectures. [Background information] The Package description explains the package well: Mediated device management utility for Linux mdevctl is a utility for managing and persisting devices in the mediated device framework of the Linux kernel. Mediated devices are sub-devices of a parent device (ex. a vGPU) which can be dynamically created and potentially used by drivers like vfio-mdev for assignment to virtual machines. Upstream Name is mdevctl, and is available at https://github.com/mdevctl/mdevctl Note that, for the former MIR process, jq and libonig were included in main because mdevctl < 1 depends on those packages. This is no longer true for mdevctl >= 1 and their demotion should be evaluated. [Former Bug Description - NO LONGER PART OF MIR DOCS] This is in main via bug 1889248 already, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust) => https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0 This worked fine in Debian => https://launchpad.net/debian/+source/mdevctl/1.0.0-1 But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper. IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies. I'll start the discussion internally ... This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is. Right now it is *intentionally* incomplete and has no full MIR template here. This template uses the new proposed format that covers Rust packages, submitted through https://github.com/canonical/ubuntu-mir/pull/1 [Availability] The package mdevctl is already in main via LP: #1889248, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust) => https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0 The latest version of mdevctl available in Debian unstable was changed to adapt to the MIR rules, as proposed in https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351. The package builds and works for all supported architectures, and is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages. The original (shell based) package is available at https://launchpad.net/ubuntu/+source/mdevctl. [Rationale] This has 3 reasons: 1. it is a very nice tool to handle meidiated devices in general.    It more and more becomes the one tool people refer to (other than fully    manual working through sysfs) 2. it is a Recomments for libvirt-daemon-system, which is in main. 3. the previous (shell based) version of the package is already in main. It would be great to have mdevctl in Ubuntu main for kinetic, to avoid more gaps between Ubuntu and Debian unstable, which could potentialy hinder the merge processes, but there is no definitive deadline. [Security] No CVEs/security issues in this software in the past; No `suid` or `sgid` binaries; No executables in `/sbin` and `/usr/sbin`; The package does not install services, timers or recurring jobs; The package does not open privileged ports (ports < 1024); and The package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, etc). [Quality assurance - function/usage] The package works well right after install. It is composed of a single binary file, a manpage and documentation. [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open. Ubuntu https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mdevctl At the moment this was written, the only Ubuntu bug open was this MIR one. Debian has 2 open bugs, as described below: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013551 This has been fixed in salsa through https://salsa.debian.org/debian/mdevctl/-/merge_requests/3 and will be available in the next debian release. It is also already included in the proposed merge in the PPA at https://salsa.debian.org/debian/mdevctl/-/merge_requests/3, which is what we intend to upload to Ubuntu once this MIR is accepted. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003777 This is valid, but can be fixed in Debian first and then pushed to Ubuntu. The next upstream version will improve the error message as per https://github.com/mdevctl/mdevctl/commit/1b880042683879db524c0d74b48bfdf533bda996. On top of that, we should ensure that /etc/mdevctl.d/ is part of this package. [Quality assurance - testing] The package runs a test suite on build time, if it fails it makes the build fail. You can verify that at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+build/24166000 The package does not run an autopkgtest because the rust tooling does not provide an out-of-the-box manner to run the test suite for packages with vendorized code as it does for packages without vendorized code. This is something we should pursue in the mid/long term. [Quality assurance - packaging] debian/watch is present and works. It levarages the support for Multiple Upstream Tarballs (MUT) to pull in the vendored sources. This process is described in debian/README.source. debian/control defines a correct Maintainer field. This package does not yield massive lintian Warnings, Errors A recent build log of the package is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+build/24120829 A no comprehensive "lintian --pedantic" output (without --no-tag-display-limit) follows: E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore.a E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore_downlevel.a E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_onecore.a E: mdevctl source: unpack-message-for-orig ... use --no-tag-display-limit to see all (or pipe to a file/program) P: mdevctl source: update-debian-copyright 2020 vs 2022 [debian/copyright:10] P: mdevctl source: very-long-line-length-in-source-file vendor/aho-corasick/.cargo-checksum.json line 1 is 2574 characters long (>512) P: mdevctl source: very-long-line-length-in-source-file vendor/ansi_term/.cargo-checksum.json line 1 is 1075 characters long (>512) P: mdevctl source: very-long-line-length-in-source-file vendor/anyhow/.cargo-checksum.json line 1 is 3038 characters long (>512) P: mdevctl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program) Lintian overrides are not present. This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies. The package will not be installed by default. Still, it does not ask debconf questions. Packaging is more complex than avarage due to the source vendoring process, which differs to Debian. This should be ok because debian/README.source clearly describes the process. [UI standards] No end user UI Just a few CLI bits used by admins and parsable output used by tools. [Dependencies] No further depends or recommends dependencies that are not yet in main. Do note that this package includes vendored Rust code. [Standards compliance] This package correctly follows FHS and Debian Policy. Do note that it does include embedded copies of otehr software (vendorized rust code), which is discouraged by https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies. This is done to the current state of the rust stack/support. [Maintenance/Owner] The Server Team is already subscribed to the package and maintains it in Debian and Ubuntu. The Server Team is aware of the implications by a static build and commits to test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM). The Server Team is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates and backports to the security team for any affected vendored code for the lifetime of the release (including ESM). This package uses vendored rust code tracked in Cargo.lock as shipped, in the package (at /usr/share/doc/mdevctl/Cargo.lock.gz - gz compressed), refreshing that code is outlined in debian/README.source This package uses vendored code, refreshing that code is outlined in debian/README.source. This package is rust based and vendors all non language-runtime dependencies. The package was test rebuilt in a PPA, as pointed out above. The latest version of mdevctl available in Debian unstable was changed to adapt to the MIR rules, as proposed in https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351. The package builds and works for all supported architectures, and is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages, where one can check the build logs for all supported architectures. [Background information] The Package description explains the package well: Mediated device management utility for Linux mdevctl is a utility for managing and persisting devices in the mediated device framework of the Linux kernel. Mediated devices are sub-devices of a parent device (ex. a vGPU) which can be dynamically created and potentially used by drivers like vfio-mdev for assignment to virtual machines. Upstream Name is mdevctl, and is available at https://github.com/mdevctl/mdevctl Note that, for the former MIR process, jq and libonig were included in main because mdevctl < 1 depends on those packages. This is no longer true for mdevctl >= 1 and their demotion should be evaluated. [Former Bug Description - NO LONGER PART OF MIR DOCS] This is in main via bug 1889248 already, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust) => https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0 This worked fine in Debian => https://launchpad.net/debian/+source/mdevctl/1.0.0-1 But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper. IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies. I'll start the discussion internally ... This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is. Right now it is *intentionally* incomplete and has no full MIR template here.
2022-07-12 15:33:51 Bryce Harrington mdevctl (Ubuntu): status Incomplete New
2022-07-12 15:33:51 Bryce Harrington mdevctl (Ubuntu): milestone ubuntu-22.06 ubuntu-22.07
2022-07-19 07:42:19 Christian Ehrhardt  mdevctl (Ubuntu): assignee Athos Ribeiro (athos-ribeiro)
2022-07-19 14:38:09 Lukas Märdian mdevctl (Ubuntu): assignee Lukas Märdian (slyon)
2022-07-19 14:54:14 Lukas Märdian tags needs-sync packaging fr-2559 needs-sync packaging
2022-08-01 10:19:47 Lukas Märdian mdevctl (Ubuntu): assignee Lukas Märdian (slyon) Ubuntu Security Team (ubuntu-security)
2022-08-02 14:48:33 Seth Arnold tags fr-2559 needs-sync packaging fr-2559 needs-sync packaging sec-1214
2022-08-03 15:20:04 Christian Ehrhardt  mdevctl (Ubuntu): milestone ubuntu-22.07 ubuntu-22.08
2022-08-29 18:36:48 Athos Ribeiro bug added subscriber Athos Ribeiro
2022-08-30 18:36:48 Athos Ribeiro bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017369
2022-09-05 15:15:17 Christian Ehrhardt  tags fr-2559 needs-sync packaging sec-1214 block-proposed fr-2559 needs-sync packaging sec-1214
2022-09-28 05:10:05 Seth Arnold mdevctl (Ubuntu): assignee Ubuntu Security Team (ubuntu-security)
2022-09-28 05:10:11 Seth Arnold bug added subscriber Seth Arnold
2022-09-28 05:11:20 Seth Arnold mdevctl (Ubuntu): status New In Progress
2022-09-28 08:54:56 Christian Ehrhardt  tags block-proposed fr-2559 needs-sync packaging sec-1214 fr-2559 needs-sync packaging sec-1214
2022-09-28 08:55:54 Christian Ehrhardt  mdevctl (Ubuntu): status In Progress Fix Committed
2022-09-28 11:58:04 Athos Ribeiro mdevctl (Ubuntu): status Fix Committed Fix Released