[Desktop-packages] [Bug 2019951] Re: [MIR] libmysofa

[Seth Arnold]

** Changed in: libmysofa (Ubuntu)
       Status: New => Won't Fix

** Changed in: libmysofa (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libmysofa in Ubuntu.
https://bugs.launchpad.net/bugs/2019951

Title:
  [MIR] libmysofa

Status in libmysofa package in Ubuntu:
  Won't Fix

Bug description:
  [Availability]
  The package libmysofa is already in Ubuntu universe.
  The package libmysofa build for the architectures it is designed to work on.
  It currently builds and works for architetcures: amd64 arm64 armhf i386 
ppc64el riscv64 s390x
  Link to package https://launchpad.net/ubuntu/+source/libmysofa

  [Rationale]
  - The package libmysofa is required in Ubuntu main as a (optional) depends of 
pipewire
  - the library parses spatial audio files which are used by 3D audio systems
  - the libmysofa1 binary needs to be promoted

  - There is no other/better way to solve this that is already in main or
    should go universe->main instead of this.

  - The package libmysofa is required in Ubuntu main no later than August 17th
    due to mantic feature freeze

  [Security]
  - Had 15 security issues in the past which seemed all addressed now in the 
current serie, https://ubuntu.com/security/cves?package=libmysofa
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16095
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16094
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16093
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16092
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16091
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10672
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3756
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6860
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20063
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20016
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36152
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36151
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36150
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36149
            - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36148

  those are also listed in https://security-
  tracker.debian.org/tracker/source-package/libmysofa

  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Packages does not open privileged ports (ports < 1024)
  - Packages does not contain extensions to security-sensitive software

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and only has minor 
open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libmysofa/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libmysofa
    - Upstream https://github.com/hoene/libmysofa/issues
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails
    it makes the build fail, link to build log 
https://launchpadlibrarian.net/666631466/buildlog_ubuntu-mantic-amd64.libmysofa_1.3.1~dfsg0-1ubuntu1_BUILDING.txt.gz

  - The package runs an autopkgtest, and is currently passing on
    amd64 arm64 armhf ppc64el s390x
  https://autopkgtest.ubuntu.com/packages/libm/libmysofa

  - The tests fail on i386 due to installability issues of depends which
  isn't an issue

  [Quality assurance - packaging]
  - debian/watch is present and works

  - debian/control defines a correct Maintainer

  - This package has no lintian warnings

  - Please link to a recent build log of the package
  
https://launchpadlibrarian.net/632293649/buildlog_ubuntu-lunar-amd64.libmysofa_1.3.1~dfsg0-1_BUILDING.txt.gz
  - Please attach the full output you have got from `lintian --pedantic`

  # lintian --pedantic libmysofa_1.3.1~dfsg0-1_amd64.changes
  #

  - Lintian overrides are not present

  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
  questions

  - Packaging and build is easy, link to debian/rules
  https://salsa.debian.org/multimedia-
  team/libmysofa/-/blob/master/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - Owning Team will be desktop-packages
  - Team is already subscribed to the package

  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based
  - The package has been built in the archive more recently than the last
  - The package successfully built during the most recent test rebuild

  [Background information]
  The Package description explains the package well
  Upstream Name is libmysofa
  Link to upstream project https://github.com/hoene/libmysofa

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libmysofa/+bug/2019951/+subscriptions


-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp