Activity log for bug #2023531

Date Who What changed Old value New value Message
2023-06-12 07:34:09 Dominik Viererbe bug added bug
2023-06-27 12:19:44 Dominik Viererbe description

Old value:

THIS IS NO MIR Request YET! The MIR Preparation is still in Progress.
This Bug-Ticket tracks issues that need to be resolved before we should apply for MIR.

[Availability]
The package dotnet6 is already in Ubuntu universe.
The package dotnet6 builds for the architectures it is designed to work on.
- See: https://github.com/dotnet/core/blob/main/release-notes/6.0/supported-os.md
It currently builds and works for architectures: amd64, arm64
Link to package https://launchpad.net/ubuntu/+source/dotnet6

[Rationale]
- The package dotnet6 is required in Ubuntu main as part of Canonical's partnership with Microsoft to shorten the supply chain between Canonical and Microsoft and improve the .NET developer experience on Ubuntu. Read more here:
  - https://canonical.com/blog/install-dotnet-on-ubuntu
  - https://devblogs.microsoft.com/dotnet/dotnet-6-is-now-in-ubuntu-2204/
- The package dotnet7 will generally be useful for a large part of our user base
- It would be great and useful to community/processes to have the package dotnet6 in Ubuntu main, but there is no definitive deadline.

[Security]
- dotnet7 had security issues in the past that have been fixed, see trackers:
  - https://ubuntu.com/security/cves?package=dotnet6
  - https://github.com/dotnet/core/blob/main/release-notes/6.0/cve.md
  - NOTE: When searching for .NET CVEs in other trackers, keep in mind that .NET Framework and .NET (Core) are not the same and that many CVEs do not affect Linux distributions.
- The Security Team and Foundations Toolchain Squad already work together with Microsoft to release security updates to Ubuntu.
- Microsoft has weekly meetings with .NET Security Partners (including Canonical) where they get and keep informed about Security Issues.
- .NET Security Partners (including Canonical) have early access to .NET releases containing CVE patches.
- Microsoft and .NET Security Partners (including Canonical) coordinate releases to disclose and provide patches for security issues on all platforms at the same time.
- Microsoft informs Users about (security) issues in the monthly release notes where they also recommend actions to mitigate these issues. See example Release Note containing CVE warning: https://devblogs.microsoft.com/dotnet/february-2023-updates/
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Packages do not open privileged ports (ports < 1024)
- Packages do not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dotnet6/+bug
  - Upstream's bug tracker, e.g., GitHub Issues
- The package has important open bugs, listing them: TBD
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, link to build logs:
  - mantic amd64: https://launchpad.net/ubuntu/+source/dotnet6/6.0.116-0ubuntu3/+build/26165948
  - mantic arm64: https://launchpad.net/ubuntu/+source/dotnet6/6.0.116-0ubuntu3/+build/26165949
  - lunar amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25976292
  - lunar arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25976293
  - kinetic amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25964381
  - kinetic arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25964382
  - jammy amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ubuntu-security-staging-private/+build/25974197
  - jammy arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ubuntu-security-staging-private/+build/25974198
- The package runs an autopkgtest, and is currently passing on mantic/lunar amd64/arm64 https://autopkgtest.ubuntu.com/packages/dotnet6
- The package does have failing autopkgtests tests right now, because the failing test has a bug. This does not matter as the testsuite gets replaced by a more sophisticated one with the next release.

[Quality assurance - packaging]
- debian/watch is present and works* (*Canonical has to work around the debian/watch file to consume embargoed releases before the release)
- debian/control defines a correct Maintainer field
- This package does yield massive lintian Warnings/Errors, but they are either false-positives or acceptable.
- Lintian overrides are present, but ok because of false-positive lintian warnings. The concrete reasons are explained as a comment in the overwrite files.
- The package will not be installed by default
- Packaging is complex, but that is ok because the software we are packaging is complex and we are working with Microsoft to reduce the complexity.

[UI standards]
- Application is end-user facing, Translation is NOT present, this is ok, as the application just provides a Command Line Interface for developers. The CLI output should not be translated to maintain online searchable error messages.
- The exception messages of the .NET Runtime are localized.
- End-user applications without desktop file, not needed, because it just provides libraries and command line tools

[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here.
  - lld binary and source package is in universe
  - llvm binary and source package is in universe
  - locales-all is in universe, but its source glibc is already in main

[Standards compliance]
RULE: - Major violations should be documented and justified.
RULE: - FHS: https://refspecs.linuxfoundation.org/fhs.shtml
RULE: - Debian Policy: https://www.debian.org/doc/debian-policy/
- AFAICT, This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built in the archive more recently than the last test rebuild

[Background information]
- The Package description explains the package well
- Upstream Name is ".NET 6"
- Upstream project: https://github.com/dotnet/source-build
- This MIR exists in parallel to the MIR for dotnet7

New value:

[Availability]
The package dotnet6 is already in Ubuntu universe.
The package dotnet6 builds for the architectures it is designed to work on.
- See: https://github.com/dotnet/core/blob/main/release-notes/6.0/supported-os.md
It currently builds and works for architectures: amd64, arm64
Link to package https://launchpad.net/ubuntu/+source/dotnet6

[Rationale]
- The package dotnet6 is required in Ubuntu main as part of Canonical's partnership with Microsoft to shorten the supply chain between Canonical and Microsoft and improve the .NET developer experience on Ubuntu. Read more here:
  - https://canonical.com/blog/install-dotnet-on-ubuntu
  - https://devblogs.microsoft.com/dotnet/dotnet-6-is-now-in-ubuntu-2204/
- The package dotnet6 will generally be useful for a large part of our user base
- It would be great and useful to community/processes to have the package dotnet6 in Ubuntu main, but there is no definitive deadline.

[Security]
- dotnet6 had security issues in the past that have been fixed, see trackers:
  - https://ubuntu.com/security/cves?package=dotnet6
  - https://github.com/dotnet/core/blob/main/release-notes/6.0/cve.md
  - NOTE: When searching for .NET CVEs in other trackers, keep in mind that .NET Framework and .NET (Core) are not the same and that many CVEs do not affect Linux distributions.
- The Security Team and Foundations Toolchain Squad already work together with Microsoft to release security updates to Ubuntu.
- Microsoft has weekly meetings with .NET Security Partners (including Canonical) where they get and keep informed about Security Issues.
- .NET Security Partners (including Canonical) have early access to .NET releases containing CVE patches.
- Microsoft and .NET Security Partners (including Canonical) coordinate releases to disclose and provide patches for security issues on all platforms at the same time.
- Microsoft informs Users about (security) issues in the monthly release notes where they also recommend actions to mitigate these issues. See example Release Note containing CVE warning: https://devblogs.microsoft.com/dotnet/february-2023-updates/
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Packages do not open privileged ports (ports < 1024)
- Packages do not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dotnet6/+bug
  - There are multiple bug trackers upstream for the individual components of the package https://github.com/dotnet
- The package has no important open bugs
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, link to build logs:
  - mantic amd64: https://launchpad.net/ubuntu/+source/dotnet6/6.0.116-0ubuntu3/+build/26165948
  - mantic arm64: https://launchpad.net/ubuntu/+source/dotnet6/6.0.116-0ubuntu3/+build/26165949
  - lunar amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25976292
  - lunar arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25976293
  - kinetic amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25964381
  - kinetic arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25964382
  - jammy amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ubuntu-security-staging-private/+build/25974197
  - jammy arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ubuntu-security-staging-private/+build/25974198
- The package runs an autopkgtest, and is currently passing on mantic/lunar/kinetic/jammy amd64/arm64 https://autopkgtest.ubuntu.com/packages/dotnet6
- The package does NOT have failing autopkgtests tests right now.

[Quality assurance - packaging]
- debian/watch is present and works* (*Canonical has to work around the debian/watch file to consume embargoed releases before the official release)
- debian/control defines a correct Maintainer field
- This package does yield massive lintian Warnings/Errors, but they are either false-positives or acceptable.
- Lintian overrides are present, but ok because of false-positive lintian warnings. The concrete reasons are explained as a comment in the overwrite files.
- The package will not be installed by default
- Packaging is complex, but that is ok because the software we are packaging is complex and we are working with Microsoft to reduce the complexity.

[UI standards]
- Application is end-user facing, Translation is NOT present, this is ok, as the application just provides a Command Line Interface for developers. The CLI output should not be translated to maintain online searchable error messages.
- The exception messages of the .NET Runtime are localized.
- End-user applications without desktop file, not needed, because it just provides libraries and command line tools

[Dependencies]
- There are further dependencies that are not yet in main, the MIR process for them is handled as part of this bug here.
  - lld binary and source package is in universe
  - llvm binary and source package is in universe
  - locales-all is in universe, but its source glibc is already in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy (AFAICT: this package is huge and I have only limited experience)

[Maintenance/Owner]
- Team is already subscribed to the package
- This package has embedded/vendorized dependencies. We are aware of this problem and working on getting rid of them.
- This package is not rust based
- The package has been built in the archive more recently than the last test rebuild

[Background information]
- The Package description explains the package well
- Upstream Name is ".NET 6"
- Upstream project: https://github.com/dotnet/source-build
- This MIR exists in parallel to the MIR for dotnet7
2023-06-27 12:21:10 Dominik Viererbe bug added subscriber MIR approval team
2023-06-27 14:46:33 Christian Ehrhardt  dotnet6 (Ubuntu): assignee Christian Ehrhardt  (paelzer)
2023-07-03 11:51:01 Christian Ehrhardt  bug watch added https://github.com/dotnet/runtime/issues/68837
2023-07-03 11:51:01 Christian Ehrhardt  bug watch added https://github.com/dotnet/source-build/issues/3359
2023-07-03 11:51:01 Christian Ehrhardt  bug watch added https://github.com/dotnet/source-build/issues/3386
2023-07-03 11:51:01 Christian Ehrhardt  bug watch added https://github.com/dotnet/runtime/issues/12281
2023-07-03 11:51:10 Christian Ehrhardt  dotnet6 (Ubuntu): assignee Christian Ehrhardt  (paelzer) Ubuntu Security Team (ubuntu-security)
2023-07-03 18:53:47 Steve Beattie tags sec-2331
2023-08-11 03:22:29 Nishit Majithia cve linked 2022-38013
2023-08-11 03:22:29 Nishit Majithia cve linked 2022-41032
2023-08-11 03:22:29 Nishit Majithia cve linked 2023-21538
2023-08-11 03:22:29 Nishit Majithia cve linked 2023-24936
2023-08-11 03:22:29 Nishit Majithia cve linked 2023-28260
2023-08-11 03:22:29 Nishit Majithia cve linked 2023-29331
2023-08-11 03:22:29 Nishit Majithia cve linked 2023-29337
2023-08-11 03:22:29 Nishit Majithia cve linked 2023-32032
2023-08-11 03:22:29 Nishit Majithia cve linked 2023-33128
2023-08-11 03:22:29 Nishit Majithia cve linked 2023-33170
2023-08-11 03:22:34 Nishit Majithia dotnet6 (Ubuntu): assignee Ubuntu Security Team (ubuntu-security)
2023-08-11 03:23:01 Nishit Majithia bug added subscriber Nishit Majithia
2023-08-15 14:39:11 Christian Ehrhardt  dotnet6 (Ubuntu): status New Incomplete
2023-08-15 14:39:17 Christian Ehrhardt  dotnet6 (Ubuntu): assignee Dominik Viererbe (dviererbe)
2024-04-02 14:52:47 Christian Ehrhardt  dotnet6 (Ubuntu): status Incomplete In Progress
2024-04-09 16:46:29 Launchpad Janitor merge proposal linked https://code.launchpad.net/~dviererbe/ubuntu-seeds/+git/ubuntu/+merge/463928
2024-04-09 16:47:55 Launchpad Janitor merge proposal linked https://code.launchpad.net/~dviererbe/ubuntu-seeds/+git/ubuntu/+merge/463929
2024-04-10 09:55:15 Lukas Märdian nominated for series Ubuntu Mantic
2024-04-10 09:55:15 Lukas Märdian bug task added dotnet6 (Ubuntu Mantic)
2024-04-10 09:55:15 Lukas Märdian nominated for series Ubuntu Noble
2024-04-10 09:55:15 Lukas Märdian bug task added dotnet6 (Ubuntu Noble)
2024-04-10 09:55:15 Lukas Märdian nominated for series Ubuntu Jammy
2024-04-10 09:55:15 Lukas Märdian bug task added dotnet6 (Ubuntu Jammy)
2024-04-11 08:33:51 Christian Ehrhardt  dotnet6 (Ubuntu Noble): status In Progress Invalid
2024-04-11 08:33:53 Christian Ehrhardt  dotnet6 (Ubuntu Mantic): status New In Progress
2024-04-11 08:33:58 Christian Ehrhardt  dotnet6 (Ubuntu Jammy): status New In Progress
2024-04-11 14:21:26 Lukas Märdian dotnet6 (Ubuntu Mantic): status In Progress Fix Committed
2024-04-11 14:22:38 Lukas Märdian dotnet6 (Ubuntu Jammy): status In Progress Fix Committed
2024-04-18 19:57:29 Christian Ehrhardt  dotnet6 (Ubuntu Jammy): status Fix Committed Fix Released
2024-04-18 19:57:30 Christian Ehrhardt  dotnet6 (Ubuntu Mantic): status Fix Committed Fix Released
2024-04-18 19:57:34 Christian Ehrhardt  dotnet6 (Ubuntu Noble): assignee Dominik Viererbe (dviererbe)