Public bug reported:

MIR for xdelta3

This is a request to include the xdelta3 package in Ubuntu main. See below for point-for-point discussion of the items listed at:
https://wiki.ubuntu.com/UbuntuMainInclusionRequirements

[Availability]
Ubuntu Zesty contains xdelta 3.0.11-dfsg-1 in universe.

[Rationale]
xdelta3 is required for the 'download delta' feature in snapd. This allows users to save a considerable amount of bandwidth when downloading updates for installed snap packages. The code has all landed in snapd behind a feature flag, but cannot be turned on by default until xdelta3 is in main, so snapd can depend on xdelta3.

[Security]
There was one CVE filed against xdelta3 that I could find:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9765

The xdelta3 package installs a single binary (/usr/bin/xdelta3) which is not suid or sgid.

[Quality assurance]
- The xdelta3 package requires no configuration after installation.
- As far as I can tell, the package asks no debconf questions of any priority.
- There are 90 open issues in the upstream bugtracker: https://github.com/jmacd/xdelta/issues
- I've scanned the issue list, and while a few issues may impact Ubuntu users using xdelta3, none of them seem serious enough to warrant exclusion from main in my opinion (but what do I know - that's for someone else to determine).
- The Debian bug tracker contains a security bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814067 However this is fixed in the upstream release that's in zesty, and I can see a distropatch in the version that's in Xenial (I'm assuming it's been fixed in yakkety as well).
- The Debian package is maintained by 'A Mennucc1', see: https://packages.qa.debian.org/x/xdelta3.html
- The xdelta3 package does not require any exotic hardware.
- I'm honestly not sure if the upstream test suite is run during the package build. I see no explicit test runs in debian/rules, but there is a 'check' make target, so perhaps that's invoked by default?
- The package contains a debian/watch file.

[UI Standards]
The xdelta3 package ships command line utilities, so I think it's exempt from the requirements of this section.

[Dependencies]
The two dependencies of xdelta3 (libc6 and liblzma5) are both already in main.

[Standards Compliance]
Since xdelta3 is already in Debian, I can only assume that it conforms to the related standards.

[Maintenance]
I think xdelta3 is relatively stable software, and the Debian maintenance seems adequate to me to minimise the amount of work we need to do to keep this package in main.

[Background Information]
The xdelta3 package description contains a basic useful description of the purpose of the package. The motivation behind this MIR is described in the 'rationale' section of this bug report.

** Affects: xdelta3 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1647222

Title:
  [MIR] xdelta3

Status in xdelta3 package in Ubuntu:
  New

