2021-09-02 06:12:24 |
Christian Ehrhardt |
bug |
|
|
added bug |
2021-09-02 06:12:32 |
Christian Ehrhardt |
mdevctl (Ubuntu): status |
New |
Incomplete |
|
2021-09-02 06:15:26 |
Christian Ehrhardt |
description |
Version 1.0 switched from the most simple (shell) to the least easy supportable (rust)
=> https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0
This worked fine in Debian
=> https://launchpad.net/debian/+source/mdevctl/1.0.0-1
But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper.
IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies.
I'll start the discussion internally ...
This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is.
Right now it is *intentionally* incomplete and has no full MIR template here. |
This is in main via bug 1889248 already, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust)
=> https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0
This worked fine in Debian
=> https://launchpad.net/debian/+source/mdevctl/1.0.0-1
But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper.
IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies.
I'll start the discussion internally ...
This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is.
Right now it is *intentionally* incomplete and has no full MIR template here. |
|
2021-09-02 06:42:06 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Package Archive Administrators |
2021-09-02 06:42:14 |
Christian Ehrhardt |
bug |
|
|
added subscriber MIR approval team |
2021-09-02 06:46:31 |
Christian Ehrhardt |
bug watch added |
|
https://github.com/mdevctl/mdevctl/issues/44 |
|
2021-09-02 06:46:31 |
Christian Ehrhardt |
bug task added |
|
mdevctl |
|
2021-09-02 06:47:00 |
Christian Ehrhardt |
attachment added |
|
Diff to sync-blacklist.txt to block mdevctl https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug/1942394/+attachment/5522470/+files/block-mdevctl-auto-sync.diff |
|
2021-09-07 10:02:31 |
Christian Ehrhardt |
attachment added |
|
build log using dh-cargo to generate X-Cargo-Built-Using https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug/1942394/+attachment/5523441/+files/mdevctl_1.0.0-2_amd64.build |
|
2022-04-03 21:12:35 |
Bug Watch Updater |
mdevctl: status |
Unknown |
Fix Released |
|
2022-05-24 23:33:37 |
Bryce Harrington |
tags |
|
needs-sync |
|
2022-05-24 23:33:42 |
Bryce Harrington |
mdevctl (Ubuntu): milestone |
|
ubuntu-22.06 |
|
2022-05-25 00:05:47 |
Bryce Harrington |
tags |
needs-sync |
needs-sync packaging |
|
2022-06-10 14:42:25 |
Athos Ribeiro |
mdevctl (Ubuntu): assignee |
|
Athos Ribeiro (athos-ribeiro) |
|
2022-07-12 13:52:56 |
Athos Ribeiro |
description |
This is in main via bug 1889248 already, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust)
=> https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0
This worked fine in Debian
=> https://launchpad.net/debian/+source/mdevctl/1.0.0-1
But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper.
IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies.
I'll start the discussion internally ...
This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is.
Right now it is *intentionally* incomplete and has no full MIR template here. |
This template uses the new proposed format that covers Rust packages, submitted
through https://github.com/canonical/ubuntu-mir/pull/1
[Availability]
The package mdevctl is already in main via LP: #1889248, but Version 1.0
switched from the most simple (shell) to the least easy supportable (rust) =>
https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0
The latest version of mdevctl available in Debian unstable was changed to adapt
to the MIR rules, as proposed in
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351.
The package builds and works for all supported architectures, and is available
at
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages.
The original (shell based) package is available at
https://launchpad.net/ubuntu/+source/mdevctl.
[Rationale]
This has 3 reasons:
1. it is a very nice tool to handle meidiated devices in general.
It more and more becomes the one tool people refer to (other than fully
manual working through sysfs)
2. it is a Recomments for libvirt-daemon-system, which is in main.
3. the previous (shell based) version of the package is already in main.
It would be great to have mdevctl in Ubuntu main for kinetic, to avoid more
gaps between Ubuntu and Debian unstable, which could potentialy hinder the
merge processes, but there is no definitive deadline.
[Security]
No CVEs/security issues in this software in the past;
No `suid` or `sgid` binaries;
No executables in `/sbin` and `/usr/sbin`;
The package does not install services, timers or recurring jobs;
The package does not open privileged ports (ports < 1024); and
The package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, etc).
[Quality assurance - function/usage]
The package works well right after install. It is composed of a single binary
file, a manpage and documentation.
[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and has not too many and long
term critical bugs open.
Ubuntu https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug
Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mdevctl
At the moment this was written, the only Ubuntu bug open was this MIR one.
Debian has 2 open bugs, as described below:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013551
This has been fixed in salsa through
https://salsa.debian.org/debian/mdevctl/-/merge_requests/3 and will be
available in the next debian release. It is also already included in the
proposed merge in the PPA at
https://salsa.debian.org/debian/mdevctl/-/merge_requests/3, which is what we
intend to upload to Ubuntu once this MIR is accepted.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003777
This is valid, but can be fixed in Debian first and then pushed to Ubuntu. The
next upstream version will improve the error message as per
https://github.com/mdevctl/mdevctl/commit/1b880042683879db524c0d74b48bfdf533bda996.
On top of that, we should ensure that /etc/mdevctl.d/ is part of this package.
[Quality assurance - testing]
RULE: - The package must include a non-trivial test suite
RULE: - it should run at package build and fail the build if broken
TODO-A: - The package runs a test suite on build time, if it fails
TODO-A: it makes the build fail, link to build log TBD
TODO-B: - The package does not run a test at build time because TBD
RULE: - The package should, but is not required to, also contain
RULE: non-trivial autopkgtest(s).
TODO-A: - The package runs an autopkgtest, and is currently passing on
TODO-A: this TBD list of architectures, link to test logs TBD
TODO-B: - The package does not run an autopkgtest because TBD
RULE: - existing but failing tests that shall be handled as "ok to fail"
RULE: need to be explained along the test logs below
TODO-A: - The package does have not failing autopkgtests right now
TODO-B: - The package does have failing autopkgtests tests right now, but since
TODO-B: they always failed they are handled as "ignored failure", this is
TODO-B: ok because TBD
RULE: - If no build tests nor autopkgtests are included, and/or if the package
RULE: requires specific hardware to perform testing, the subscribed team
RULE: must provide a written test plan in a comment to the MIR bug, and
RULE: commit to running that test either at each upload of the package or
RULE: at least once each release cycle. In the comment to the MIR bug,
RULE: please link to the codebase of these tests (scripts or doc of manual
RULE: steps) and attach a full log of these test runs. This is meant to
RULE: assess their validity (e.g. not just superficial)
TODO: - The package can not be tested at build or autopktest time because TBD
TODO: to make up for that here TBD is a test plan/automation and example
TODO: test TBD (logs/scripts)
RULE: - In some cases a solution that is about to be promoted consists of
RULE: several very small libraries and one actual application uniting them
RULE: to achieve something useful. This is rather common in the go/rust space.
RULE: In that case often these micro-libs on their own can and should only
RULE: provide low level unit-tests. But more complex autopkgtests make no
RULE: sense on that level. Therefore in those cases one might want to test on
RULE: the solution level.
RULE: - Process wise MIR-requesting teams can ask (on the bug) for this
RULE: special case to apply for a given case, which reduces the test
RULE: constraints on the micro libraries but in return increases the
RULE: requirements for the test of the actual app/solution.
RULE: - Since this might promote micro-lib packages to main with less than
RULE: the common level of QA any further MIRed program using them will have
RULE: to provide the same amount of increased testing.
TODO: - This package is minimal and will be tested in a more wide reaching
TODO: solution context TBD, details about this testing are here TBD
[Quality assurance - packaging]
debian/watch is present and works. It levarages the support for Multiple
Upstream Tarballs (MUT) to pull in the vendored sources. This process is
described in debian/README.source.
debian/control defines a correct Maintainer field.
This package does not yield massive lintian Warnings, Errors
A recent build log of the package is available at
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+build/24120829
A no comprehensive "lintian --pedantic" output (without --no-tag-display-limit) follows:
E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore.a
E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore_downlevel.a
E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_onecore.a
E: mdevctl source: unpack-message-for-orig ... use --no-tag-display-limit to see all (or pipe to a file/program)
P: mdevctl source: update-debian-copyright 2020 vs 2022 [debian/copyright:10]
P: mdevctl source: very-long-line-length-in-source-file vendor/aho-corasick/.cargo-checksum.json line 1 is 2574 characters long (>512)
P: mdevctl source: very-long-line-length-in-source-file vendor/ansi_term/.cargo-checksum.json line 1 is 1075 characters long (>512)
P: mdevctl source: very-long-line-length-in-source-file vendor/anyhow/.cargo-checksum.json line 1 is 3038 characters long (>512)
P: mdevctl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
Lintian overrides are not present.
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies.
The package will not be installed by default. Still, it does not ask debconf
questions.
Packaging is more complex than avarage due to the source vendoring
process, which differs to Debian. This should be ok because
debian/README.source clearly describes the process.
[UI standards]
No end user UI
Just a few CLI bits used by admins and parsable output used by tools.
[Dependencies]
No further depends or recommends dependencies that are not yet in main. Do note
that this package includes vendored Rust code.
[Standards compliance]
This package correctly follows FHS and Debian Policy. Do note that it does
include embedded copies of otehr software (vendorized rust code), which is
discouraged by
https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies.
This is done to the current state of the rust stack/support.
[Maintenance/Owner]
The Server Team is already subscribed to the package and maintains it in Debian
and Ubuntu.
The Server Team is aware of the implications by a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM).
The Server Team is aware of the implications of vendored code and (as alerted
by the security team) commits to provide updates and backports to the security
team for any affected vendored code for the lifetime of the release (including
ESM).
This package uses vendored rust code tracked in Cargo.lock as shipped, in the
package (at /usr/share/doc/mdevctl/Cargo.lock.gz - gz compressed),
refreshing that code is outlined in debian/README.source This package uses
vendored code, refreshing that code is outlined in debian/README.source.
This package is rust based and vendors all non language-runtime dependencies.
The package was test rebuilt in a PPA, as pointed out above.
The latest version of mdevctl available in Debian unstable was changed to adapt
to the MIR rules, as proposed in
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351.
The package builds and works for all supported architectures, and is available
at
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages,
where one can check the build logs for all supported architectures.
[Background information]
The Package description explains the package well:
Mediated device management utility for Linux mdevctl is a utility for managing
and persisting devices in the mediated device framework of the Linux kernel.
Mediated devices are sub-devices of a parent device (ex. a vGPU) which can be
dynamically created and potentially used by drivers like vfio-mdev for
assignment to virtual machines.
Upstream Name is mdevctl, and is available at https://github.com/mdevctl/mdevctl
Note that, for the former MIR process, jq and libonig were included in main
because mdevctl < 1 depends on those packages. This is no longer true for
mdevctl >= 1 and their demotion should be evaluated.
[Former Bug Description - NO LONGER PART OF MIR DOCS]
This is in main via bug 1889248 already, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust)
=> https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0
This worked fine in Debian
=> https://launchpad.net/debian/+source/mdevctl/1.0.0-1
But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper.
IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies.
I'll start the discussion internally ...
This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is.
Right now it is *intentionally* incomplete and has no full MIR template here. |
|
2022-07-12 14:40:24 |
Athos Ribeiro |
description |
This template uses the new proposed format that covers Rust packages, submitted
through https://github.com/canonical/ubuntu-mir/pull/1
[Availability]
The package mdevctl is already in main via LP: #1889248, but Version 1.0
switched from the most simple (shell) to the least easy supportable (rust) =>
https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0
The latest version of mdevctl available in Debian unstable was changed to adapt
to the MIR rules, as proposed in
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351.
The package builds and works for all supported architectures, and is available
at
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages.
The original (shell based) package is available at
https://launchpad.net/ubuntu/+source/mdevctl.
[Rationale]
This has 3 reasons:
1. it is a very nice tool to handle meidiated devices in general.
It more and more becomes the one tool people refer to (other than fully
manual working through sysfs)
2. it is a Recomments for libvirt-daemon-system, which is in main.
3. the previous (shell based) version of the package is already in main.
It would be great to have mdevctl in Ubuntu main for kinetic, to avoid more
gaps between Ubuntu and Debian unstable, which could potentialy hinder the
merge processes, but there is no definitive deadline.
[Security]
No CVEs/security issues in this software in the past;
No `suid` or `sgid` binaries;
No executables in `/sbin` and `/usr/sbin`;
The package does not install services, timers or recurring jobs;
The package does not open privileged ports (ports < 1024); and
The package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, etc).
[Quality assurance - function/usage]
The package works well right after install. It is composed of a single binary
file, a manpage and documentation.
[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and has not too many and long
term critical bugs open.
Ubuntu https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug
Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mdevctl
At the moment this was written, the only Ubuntu bug open was this MIR one.
Debian has 2 open bugs, as described below:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013551
This has been fixed in salsa through
https://salsa.debian.org/debian/mdevctl/-/merge_requests/3 and will be
available in the next debian release. It is also already included in the
proposed merge in the PPA at
https://salsa.debian.org/debian/mdevctl/-/merge_requests/3, which is what we
intend to upload to Ubuntu once this MIR is accepted.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003777
This is valid, but can be fixed in Debian first and then pushed to Ubuntu. The
next upstream version will improve the error message as per
https://github.com/mdevctl/mdevctl/commit/1b880042683879db524c0d74b48bfdf533bda996.
On top of that, we should ensure that /etc/mdevctl.d/ is part of this package.
[Quality assurance - testing]
RULE: - The package must include a non-trivial test suite
RULE: - it should run at package build and fail the build if broken
TODO-A: - The package runs a test suite on build time, if it fails
TODO-A: it makes the build fail, link to build log TBD
TODO-B: - The package does not run a test at build time because TBD
RULE: - The package should, but is not required to, also contain
RULE: non-trivial autopkgtest(s).
TODO-A: - The package runs an autopkgtest, and is currently passing on
TODO-A: this TBD list of architectures, link to test logs TBD
TODO-B: - The package does not run an autopkgtest because TBD
RULE: - existing but failing tests that shall be handled as "ok to fail"
RULE: need to be explained along the test logs below
TODO-A: - The package does have not failing autopkgtests right now
TODO-B: - The package does have failing autopkgtests tests right now, but since
TODO-B: they always failed they are handled as "ignored failure", this is
TODO-B: ok because TBD
RULE: - If no build tests nor autopkgtests are included, and/or if the package
RULE: requires specific hardware to perform testing, the subscribed team
RULE: must provide a written test plan in a comment to the MIR bug, and
RULE: commit to running that test either at each upload of the package or
RULE: at least once each release cycle. In the comment to the MIR bug,
RULE: please link to the codebase of these tests (scripts or doc of manual
RULE: steps) and attach a full log of these test runs. This is meant to
RULE: assess their validity (e.g. not just superficial)
TODO: - The package can not be tested at build or autopktest time because TBD
TODO: to make up for that here TBD is a test plan/automation and example
TODO: test TBD (logs/scripts)
RULE: - In some cases a solution that is about to be promoted consists of
RULE: several very small libraries and one actual application uniting them
RULE: to achieve something useful. This is rather common in the go/rust space.
RULE: In that case often these micro-libs on their own can and should only
RULE: provide low level unit-tests. But more complex autopkgtests make no
RULE: sense on that level. Therefore in those cases one might want to test on
RULE: the solution level.
RULE: - Process wise MIR-requesting teams can ask (on the bug) for this
RULE: special case to apply for a given case, which reduces the test
RULE: constraints on the micro libraries but in return increases the
RULE: requirements for the test of the actual app/solution.
RULE: - Since this might promote micro-lib packages to main with less than
RULE: the common level of QA any further MIRed program using them will have
RULE: to provide the same amount of increased testing.
TODO: - This package is minimal and will be tested in a more wide reaching
TODO: solution context TBD, details about this testing are here TBD
[Quality assurance - packaging]
debian/watch is present and works. It levarages the support for Multiple
Upstream Tarballs (MUT) to pull in the vendored sources. This process is
described in debian/README.source.
debian/control defines a correct Maintainer field.
This package does not yield massive lintian Warnings, Errors
A recent build log of the package is available at
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+build/24120829
A no comprehensive "lintian --pedantic" output (without --no-tag-display-limit) follows:
E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore.a
E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore_downlevel.a
E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_onecore.a
E: mdevctl source: unpack-message-for-orig ... use --no-tag-display-limit to see all (or pipe to a file/program)
P: mdevctl source: update-debian-copyright 2020 vs 2022 [debian/copyright:10]
P: mdevctl source: very-long-line-length-in-source-file vendor/aho-corasick/.cargo-checksum.json line 1 is 2574 characters long (>512)
P: mdevctl source: very-long-line-length-in-source-file vendor/ansi_term/.cargo-checksum.json line 1 is 1075 characters long (>512)
P: mdevctl source: very-long-line-length-in-source-file vendor/anyhow/.cargo-checksum.json line 1 is 3038 characters long (>512)
P: mdevctl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
Lintian overrides are not present.
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies.
The package will not be installed by default. Still, it does not ask debconf
questions.
Packaging is more complex than avarage due to the source vendoring
process, which differs to Debian. This should be ok because
debian/README.source clearly describes the process.
[UI standards]
No end user UI
Just a few CLI bits used by admins and parsable output used by tools.
[Dependencies]
No further depends or recommends dependencies that are not yet in main. Do note
that this package includes vendored Rust code.
[Standards compliance]
This package correctly follows FHS and Debian Policy. Do note that it does
include embedded copies of otehr software (vendorized rust code), which is
discouraged by
https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies.
This is done to the current state of the rust stack/support.
[Maintenance/Owner]
The Server Team is already subscribed to the package and maintains it in Debian
and Ubuntu.
The Server Team is aware of the implications by a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM).
The Server Team is aware of the implications of vendored code and (as alerted
by the security team) commits to provide updates and backports to the security
team for any affected vendored code for the lifetime of the release (including
ESM).
This package uses vendored rust code tracked in Cargo.lock as shipped, in the
package (at /usr/share/doc/mdevctl/Cargo.lock.gz - gz compressed),
refreshing that code is outlined in debian/README.source This package uses
vendored code, refreshing that code is outlined in debian/README.source.
This package is rust based and vendors all non language-runtime dependencies.
The package was test rebuilt in a PPA, as pointed out above.
The latest version of mdevctl available in Debian unstable was changed to adapt
to the MIR rules, as proposed in
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351.
The package builds and works for all supported architectures, and is available
at
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages,
where one can check the build logs for all supported architectures.
[Background information]
The Package description explains the package well:
Mediated device management utility for Linux mdevctl is a utility for managing
and persisting devices in the mediated device framework of the Linux kernel.
Mediated devices are sub-devices of a parent device (ex. a vGPU) which can be
dynamically created and potentially used by drivers like vfio-mdev for
assignment to virtual machines.
Upstream Name is mdevctl, and is available at https://github.com/mdevctl/mdevctl
Note that, for the former MIR process, jq and libonig were included in main
because mdevctl < 1 depends on those packages. This is no longer true for
mdevctl >= 1 and their demotion should be evaluated.
[Former Bug Description - NO LONGER PART OF MIR DOCS]
This is in main via bug 1889248 already, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust)
=> https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0
This worked fine in Debian
=> https://launchpad.net/debian/+source/mdevctl/1.0.0-1
But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper.
IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies.
I'll start the discussion internally ...
This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is.
Right now it is *intentionally* incomplete and has no full MIR template here. |
This template uses the new proposed format that covers Rust packages, submitted
through https://github.com/canonical/ubuntu-mir/pull/1
[Availability]
The package mdevctl is already in main via LP: #1889248, but Version 1.0
switched from the most simple (shell) to the least easy supportable (rust) =>
https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0
The latest version of mdevctl available in Debian unstable was changed to adapt
to the MIR rules, as proposed in
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351.
The package builds and works for all supported architectures, and is available
at
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages.
The original (shell based) package is available at
https://launchpad.net/ubuntu/+source/mdevctl.
[Rationale]
This has 3 reasons:
1. it is a very nice tool to handle meidiated devices in general.
It more and more becomes the one tool people refer to (other than fully
manual working through sysfs)
2. it is a Recomments for libvirt-daemon-system, which is in main.
3. the previous (shell based) version of the package is already in main.
It would be great to have mdevctl in Ubuntu main for kinetic, to avoid more
gaps between Ubuntu and Debian unstable, which could potentialy hinder the
merge processes, but there is no definitive deadline.
[Security]
No CVEs/security issues in this software in the past;
No `suid` or `sgid` binaries;
No executables in `/sbin` and `/usr/sbin`;
The package does not install services, timers or recurring jobs;
The package does not open privileged ports (ports < 1024); and
The package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, etc).
[Quality assurance - function/usage]
The package works well right after install. It is composed of a single binary
file, a manpage and documentation.
[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and has not too many and long
term critical bugs open.
Ubuntu https://bugs.launchpad.net/ubuntu/+source/mdevctl/+bug
Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mdevctl
At the moment this was written, the only Ubuntu bug open was this MIR one.
Debian has 2 open bugs, as described below:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013551
This has been fixed in salsa through
https://salsa.debian.org/debian/mdevctl/-/merge_requests/3 and will be
available in the next debian release. It is also already included in the
proposed merge in the PPA at
https://salsa.debian.org/debian/mdevctl/-/merge_requests/3, which is what we
intend to upload to Ubuntu once this MIR is accepted.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003777
This is valid, but can be fixed in Debian first and then pushed to Ubuntu. The
next upstream version will improve the error message as per
https://github.com/mdevctl/mdevctl/commit/1b880042683879db524c0d74b48bfdf533bda996.
On top of that, we should ensure that /etc/mdevctl.d/ is part of this package.
[Quality assurance - testing]
The package runs a test suite on build time, if it fails it makes the build fail.
You can verify that at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+build/24166000
The package does not run an autopkgtest because the rust tooling does not provide an out-of-the-box manner to run the test suite for packages with vendorized code as it does for packages without vendorized code. This is something we should pursue in the mid/long term.
[Quality assurance - packaging]
debian/watch is present and works. It levarages the support for Multiple
Upstream Tarballs (MUT) to pull in the vendored sources. This process is
described in debian/README.source.
debian/control defines a correct Maintainer field.
This package does not yield massive lintian Warnings, Errors
A recent build log of the package is available at
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+build/24120829
A no comprehensive "lintian --pedantic" output (without --no-tag-display-limit) follows:
E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore.a
E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_mincore_downlevel.a
E: mdevctl source: unpack-message-for-orig mdevctl_1.1.0.orig-vendor.tar.gz ar failed for vendor/winapi-i686-pc-windows-gnu/lib/libwinapi_onecore.a
E: mdevctl source: unpack-message-for-orig ... use --no-tag-display-limit to see all (or pipe to a file/program)
P: mdevctl source: update-debian-copyright 2020 vs 2022 [debian/copyright:10]
P: mdevctl source: very-long-line-length-in-source-file vendor/aho-corasick/.cargo-checksum.json line 1 is 2574 characters long (>512)
P: mdevctl source: very-long-line-length-in-source-file vendor/ansi_term/.cargo-checksum.json line 1 is 1075 characters long (>512)
P: mdevctl source: very-long-line-length-in-source-file vendor/anyhow/.cargo-checksum.json line 1 is 3038 characters long (>512)
P: mdevctl source: very-long-line-length-in-source-file ... use --no-tag-display-limit to see all (or pipe to a file/program)
Lintian overrides are not present.
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies.
The package will not be installed by default. Still, it does not ask debconf
questions.
Packaging is more complex than avarage due to the source vendoring
process, which differs to Debian. This should be ok because
debian/README.source clearly describes the process.
[UI standards]
No end user UI
Just a few CLI bits used by admins and parsable output used by tools.
[Dependencies]
No further depends or recommends dependencies that are not yet in main. Do note
that this package includes vendored Rust code.
[Standards compliance]
This package correctly follows FHS and Debian Policy. Do note that it does
include embedded copies of otehr software (vendorized rust code), which is
discouraged by
https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies.
This is done to the current state of the rust stack/support.
[Maintenance/Owner]
The Server Team is already subscribed to the package and maintains it in Debian
and Ubuntu.
The Server Team is aware of the implications by a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM).
The Server Team is aware of the implications of vendored code and (as alerted
by the security team) commits to provide updates and backports to the security
team for any affected vendored code for the lifetime of the release (including
ESM).
This package uses vendored rust code tracked in Cargo.lock as shipped, in the
package (at /usr/share/doc/mdevctl/Cargo.lock.gz - gz compressed),
refreshing that code is outlined in debian/README.source This package uses
vendored code, refreshing that code is outlined in debian/README.source.
This package is rust based and vendors all non language-runtime dependencies.
The package was test rebuilt in a PPA, as pointed out above.
The latest version of mdevctl available in Debian unstable was changed to adapt
to the MIR rules, as proposed in
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/mdevctl/+git/mdevctl/+merge/425351.
The package builds and works for all supported architectures, and is available
at
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/mdevctl-vendored-plus-lockfile/+packages,
where one can check the build logs for all supported architectures.
[Background information]
The Package description explains the package well:
Mediated device management utility for Linux mdevctl is a utility for managing
and persisting devices in the mediated device framework of the Linux kernel.
Mediated devices are sub-devices of a parent device (ex. a vGPU) which can be
dynamically created and potentially used by drivers like vfio-mdev for
assignment to virtual machines.
Upstream Name is mdevctl, and is available at https://github.com/mdevctl/mdevctl
Note that, for the former MIR process, jq and libonig were included in main
because mdevctl < 1 depends on those packages. This is no longer true for
mdevctl >= 1 and their demotion should be evaluated.
[Former Bug Description - NO LONGER PART OF MIR DOCS]
This is in main via bug 1889248 already, but Version 1.0 switched from the most simple (shell) to the least easy supportable (rust)
=> https://github.com/mdevctl/mdevctl/releases/tag/v1.0.0
This worked fine in Debian
=> https://launchpad.net/debian/+source/mdevctl/1.0.0-1
But for Ubuntu the Server team isn't gonna own the full rust toolchain just because of this helper.
IMHO that needs a discussion how we want to handle rust in general and then the long MIR road for all the way too many dependencies.
I'll start the discussion internally ...
This bug is meant to be a reference from the sync avoidance override as well as the component mismatches - so that everyone can re-check here what the current state is.
Right now it is *intentionally* incomplete and has no full MIR template here. |
|
2022-07-12 15:33:51 |
Bryce Harrington |
mdevctl (Ubuntu): status |
Incomplete |
New |
|
2022-07-12 15:33:51 |
Bryce Harrington |
mdevctl (Ubuntu): milestone |
ubuntu-22.06 |
ubuntu-22.07 |
|
2022-07-19 07:42:19 |
Christian Ehrhardt |
mdevctl (Ubuntu): assignee |
Athos Ribeiro (athos-ribeiro) |
|
|
2022-07-19 14:38:09 |
Lukas Märdian |
mdevctl (Ubuntu): assignee |
|
Lukas Märdian (slyon) |
|
2022-07-19 14:54:14 |
Lukas Märdian |
tags |
needs-sync packaging |
fr-2559 needs-sync packaging |
|
2022-08-01 10:19:47 |
Lukas Märdian |
mdevctl (Ubuntu): assignee |
Lukas Märdian (slyon) |
Ubuntu Security Team (ubuntu-security) |
|
2022-08-02 14:48:33 |
Seth Arnold |
tags |
fr-2559 needs-sync packaging |
fr-2559 needs-sync packaging sec-1214 |
|
2022-08-03 15:20:04 |
Christian Ehrhardt |
mdevctl (Ubuntu): milestone |
ubuntu-22.07 |
ubuntu-22.08 |
|
2022-08-29 18:36:48 |
Athos Ribeiro |
bug |
|
|
added subscriber Athos Ribeiro |
2022-08-30 18:36:48 |
Athos Ribeiro |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017369 |
|
2022-09-05 15:15:17 |
Christian Ehrhardt |
tags |
fr-2559 needs-sync packaging sec-1214 |
block-proposed fr-2559 needs-sync packaging sec-1214 |
|
2022-09-28 05:10:05 |
Seth Arnold |
mdevctl (Ubuntu): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
2022-09-28 05:10:11 |
Seth Arnold |
bug |
|
|
added subscriber Seth Arnold |
2022-09-28 05:11:20 |
Seth Arnold |
mdevctl (Ubuntu): status |
New |
In Progress |
|
2022-09-28 08:54:56 |
Christian Ehrhardt |
tags |
block-proposed fr-2559 needs-sync packaging sec-1214 |
fr-2559 needs-sync packaging sec-1214 |
|
2022-09-28 08:55:54 |
Christian Ehrhardt |
mdevctl (Ubuntu): status |
In Progress |
Fix Committed |
|
2022-09-28 11:58:04 |
Athos Ribeiro |
mdevctl (Ubuntu): status |
Fix Committed |
Fix Released |
|