Public bug reported:

The Tracker developers have renamed tracker-miners to localsearch. To
meet deadlines and uncouple the tinysparql transition from Debian's NEW
queue, we have packaged localsearch 3.8 as tracker-miners. However, we
will soon rename the source package to localsearch (perhaps in time for
Ubuntu 25.04). It makes sense to file the rename MIR now since
tinysparql & localsearch are closely related.

Once the localsearch source package migrates out of -proposed, the
tracker-miners source package will be removed.

This MIR should be processed along with the tinysparl MIR LP: #2099086

[Availability]
The package localsearch is already in Ubuntu universe.
The package localsearch build for the architectures it is designed to work on.
It currently builds and works for all Ubuntu architectures except for i386
Link to package https://launchpad.net/ubuntu/+source/tracker-miners

[Rationale]
- The package localsearch is required in Ubuntu main because it powers GNOME's 
search indexer and is deeply integrated into nautilus.
- The package localsearch will generally be useful for a large part of our user 
base
- The package localsearch will not generally be useful for a large part of
- The package localsearch is a new runtime dependency of package nautilus that 
we already support
- There is no other/better way to solve this that is already in main or should 
go universe->main instead of this.
- The binary package localsearch needs to be in main to achieve: the 
"tracker-miners" name doesn't exist upstream after the 3.7 series for GNOME 46. 
We want to use the upstream "localsearch" name instead.

- The package localsearch is required in Ubuntu main for Ubuntu 25.04.
The package rename was not uploaded to Ubuntu 25.04 before Feature
Freeze however.

[Security]
- Had 1 security issue in the past
+ https://security-tracker.debian.org/tracker/CVE-2023-5557
+ https://security-tracker.debian.org/tracker/CVE-2023-5557
+ Ubuntu Security considered this a hardening fix more than a security 
vulnerability.

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does install services, timers or recurring jobs

systemd user services
---------------------
localsearch-3.service
localsearch-control-3.service
localsearch-writeback-3.service

dbus services
-------------
org.freedesktop.LocalSearch3.Control.service
org.freedesktop.LocalSearch3.Writeback.service
org.freedesktop.LocalSearch3.service
org.freedesktop.Tracker3.Miner.Files.Control.service
org.freedesktop.Tracker3.Miner.Files.service
org.freedesktop.Tracker3.Writeback.service

- Security has been kept in mind and common isolation/risk-mitigation patterns 
are in place utilizing the following features:
seccomp
Landlock https://docs.kernel.org/userspace-api/landlock.html

- Packages does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints

TODO: - Packages does not contain extensions to security-sensitive software
TODO:   (filters, scanners, plugins, UI skins, ...)

I'm not sure what those terms mean but I think this qualifies as an
extension to security-sensitive software.

GNOME provides this page for reporting security vulnerabilities in core GNOME 
components like tinysparql
https://security.gnome.org/

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have 
too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/tracker-miners
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=tracker-miners
- Upstream https://gitlab.gnome.org/GNOME/localsearch/-/issues

- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build 
fail, link to build log
https://launchpad.net/ubuntu/+source/tracker-miners/3.8.2-2

- The package does not run an autopkgtest because this packages is
tested at build time instead. Notably, some of localsearch's build tests
do not work correctly with the security hardening features landlock and
seccomp; we can run those tests at build time but we can't use Ubuntu's
binary packages for those tests.

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field

- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package
https://launchpad.net/ubuntu/+source/tracker-miners/3.8.2-2
- Lintian overrides are present, but ok because they include an explanatory 
note. rpath is used to load private libraries.

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf
questions

- Packaging and build is easy, link to debian/rules
https://salsa.debian.org/gnome-team/localsearch/-/blob/debian/latest/debian/rules

The package is built twice because the build tests fail if tracker-
miners is built with landlock and seccomp. The build without those
features is only used for the build tests and is not provided in Ubuntu
binary packages.

[UI standards]
- Application is end-user facing, Translation is present, via standard 
intltool/gettext or similar build and runtime internationalization system

- End-user applications without desktop file, not needed because it is
more of a service than an app. However, it can be configured with gnome-
control-center in the Search page.

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be Desktop Packages and I have their acknowledgement for 
that commitment
- The future owning team is not yet subscribed, but will subscribe to the 
package before promotion

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package has been built within the last 3 months in the archive
- Build link on launchpad: 
https://launchpad.net/ubuntu/+source/tracker-miners/3.8.2-2

[Background information]
The Package description explains the package well
Upstream Name is localsearch
https://gitlab.gnome.org/GNOME/localsearch

Link to previous MIR LP: #1770877

Ubuntu 25.04 ships localsearch 3.8 (GNOME 47) because localsearch 3.9 (GNOME 
48) switched to ffmpeg/libav (which are in Ubuntu universe) and the Ubuntu 
Desktop Team has not had time to evaluate the situation.
https://gitlab.gnome.org/GNOME/localsearch/-/merge_requests/579

** Affects: tracker-miners (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to tracker-miners in Ubuntu.
https://bugs.launchpad.net/bugs/2099160

Title:
  [MIR] localsearch

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tracker-miners/+bug/2099160/+subscriptions


-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs

Reply via email to