[MIR] tree

[MIR] tree

[Availability]
The package tree is already in Ubuntu universe.
Tree is a general purpose utility that is built and works on all Ubuntu architectures.
Link to package https://launchpad.net/ubuntu/+source/tree

[Rationale]
The package tree is generally useful for a large part of our user base using the command-line. Tree itself is tiny, but is not currently seeded in our official images (albeit it is installed by default on a number of Ubuntu derivatives (Lubuntu - https://cdimage.ubuntu.com/lubuntu/releases/mantic/release/lubuntu-23.10-desktop-amd64.manifest , Xubuntu - https://cdimage.ubuntu.com/xubuntu/releases/mantic/release/xubuntu-23.10-desktop-amd64.manifest).
One specific reason for this MIR comes from the requirements of a commercial partner who would like to offer the tree command as part of their user experience on their Ubuntu based SDK images. This partner is working with the Canonical Partner Engineering team, albeit the maintenance of tree itself would likely be done by the Foundations team – this has been discussed with the Foundations team.
Package tree covers the same use case as ‘ls -lR’ or ‘find’, but is better because:
- It is specialized in directories tree rendering for command line interface, so it has a fancier output on a terminal.
- It provides machine-friendly output formats notably with its XML/JSON/HTML output formats.
- It would be useful to the community and to our partner to have “tree” in Ubuntu main, especially for their upcoming noble/24.04 based SDK.

[Security]
- Ubuntu CVE Tracker (https://ubuntu.com/security/cve?package=tree) : 0 results as of 2024-03-05.
- Debian Security Tracker: https://security-tracker.debian.org/tracker/source-package/tree: No issue as of 2024-03-05.
- Project Changelog: (CHANGES file: http://oldmanprogrammer.net/source.php?dir=projects/tree/CHANGES): No reference to any security issue.
- No CVEs/security issues (found) in this software in the past: NB: “tree” is a very commonly used keyword, notably in security vulnerabilities, but searching the CVE database for software names matching “tree” didn’t yield issues with the tree utility itself.
- no `suid` or `sgid` binaries: `find / -perm -u=s -type f 2>/dev/null | grep tree` returns nothing – it’s just providing a simple non-privileged command.
- `ls -l /usr/bin/tree` returns: `-rwxr-xr-x 1 root root 85400 Dec 12 16:06 /usr/bin/tree`.
- no executables in `/sbin` and `/usr/sbin`: `dpkg -L tree | grep sbin` returns nothing, it’s really just /usr/bin/tree.
- Package does not install services, timers or recurring jobs.
- Packages does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints.
- I didn't spot any deprecated security algorithm in use.

[Quality assurance - function/usage]
- The package works well right after install and can be used to list the contents of directories.

[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs:
- Launchpad Bug Tracker (https://launchpad.net/ubuntu/+source/tree/+bugs): 2 bugs reported in Ubuntu:
  * One issue seems pretty serious (buffer overflow), and there were fixes in the upstream sources that could correspond, however this bug wasn’t forwarded back then and there is no data to reproduce it – we’ve pinged the bug to request a copy of the data and to try to reproduce with a more recent version.
  * One issue is a feature request
- Debian https://bugs.debian.org/src:tree / https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;package=tree :
  * One resolved serious bug can be found on debian archived bug history.

Releases are relatively regular for a mature utility such as tree. Upstream recently changed its home site and seems responsive.
$ grep ^Version CHANGES
Version 2.1.1 (05/31/2023)
Version 2.1.0 (12/26/2022)
Version 2.0.4 (09/06/2022)
Version 2.0.3 (08/26/2022)
Version 2.0.2 (02/16/2022)
Version 2.0.1 (01/03/2022)

The package does not deal with exotic hardware we cannot support.

[Quality assurance - testing]
There are no unit tests in the sources, and the autopkgtest (https://autopkgtest.ubuntu.com/packages/tree) is relatively trivial, but this seems adequate given this command-line utility.
A recent amd64 build log shows no warning nor errors: https://launchpadlibrarian.net/702286929/buildlog_ubuntu-noble-amd64.tree_2.1.1-2_BUILDING.txt.gz

[Quality assurance - packaging]
- debian/watch is present and works.
- debian/control defines a correct Maintainer field (currently: Florian Ernst <email address hidden>).
- Running `lintian --pedantic` on tree_2.1.1-2_amd64.deb doesn’t output anything.
- This package does not rely on obsolete or about to be demoted packages.
- There is no Debconf questions with this package.
- Packaging and build is easy, (link to debian/rules: https://git.launchpad.net/ubuntu/+source/tree/tree/debian/rules?h=applied/ubuntu/noble).

[UI standards]
Tree is a command line tool application with no real requirement for translation (man pages used to be available in french but got removed with package version 2.1.0-1).
There is no desktop file.

[Dependencies]
tree package (2.1.1-2) only depends on libc6 (>= 2.38) (:already in main).

[Standards compliance]
- This package correctly follows FHS and Debian Policy.

[Maintenance/Owner]
- The future owning team is not yet subscribed, but will subscribe to the package before promotion.
- tree does not use static builds nor vendored code.
- This package is not rust based.
- The package successfully built during the most recent test rebuild (https://launchpad.net/ubuntu/+source/tree/2.1.1-2).

[Background information]
The Package description explains the package well.
Link to upstream project: http://oldmanprogrammer.net/source.php?dir=projects/tree