[Bug 1746629] Re: [MIR] libbluray
** Tags added: sec-751 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1746629 Title: [MIR] libbluray To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libbluray/+bug/1746629/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1746629] Re: [MIR] libbluray
The request there is a low priority one, would be nice to get it reviewed but after the LTS at this point is alright
[Bug 1746629] Re: [MIR] libbluray
Thanks for the review Christian. I've slightly updated the description now, libaacs0 is needed to access protected discs so non-encrypted ones should be fine even without it installed. I don't have a drive on any of my machines to try if some of the data is correctly fetched without the library on protected disks though

** Description changed: Availability Built for all supported architectures. In sync with Debian. Rationale = gvfs 1.10 added libbluray support 7 years ago. Although enabled in Debian then too, we haven't been able to enable it in Ubuntu because libbluray is not in main. Before that point, gvfs did support Blu-ray but it wasn't as effective as using the library. Note that libbluray does not do decryption; the library allows for showing metadata (title, cover art, etc.) for Blu-ray discs. Security https://security-tracker.debian.org/tracker/source-package/libbluray https://launchpad.net/ubuntu/+source/libbluray/+cve Both security issues in Debian's tracker are about the BD-J package which we are not requesting be promoted to main (see Dependencies below). Quality assurance = - Subscribe the Desktop Bugs and Desktop Packages teams? - No tests - No autopkgtests https://bugs.launchpad.net/ubuntu/+source/libbluray https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libbluray Dependencies We only need the libbluray-dev and libbluray2 binary packages in main. We do not need either libbluray-bin or libbluray-bdj. If this MIR is approved, we should drop libbluray2's Recommends on libaacs0 to Suggests since I believe it's unnecessary here. Standards compliance 4.1.3, debhelper compat 11, dh7 simple rules Maintenance === Actively maintained: http://git.videolan.org/?p=libbluray.git Maintained in Debian by the Debian Multimedia Team. Packaging is at https://salsa.debian.org/multimedia-team/libbluray/ Other Info == Every Ubuntu desktop flavor besides Ubuntu itself includes libbluray.
Here's the gvfs commit to switch to libbluray: https://git.gnome.org/browse/gvfs/commit/?id=21c319c8 libbluray API docs: https://www.videolan.org/developers/libbluray/doc/doxygen/html/bluray_8h.html + + Without libaacs0 installed the informations should still be available + for non protected discs
[Bug 1746629] Re: [MIR] libbluray
** Changed in: libbluray (Ubuntu) Importance: Undecided => Low
[Bug 1746629] Re: [MIR] libbluray
[Summary]
This looks ok from a MIR POV and you have my Ack IF you can outline a reasonable use case that benefits from libbluray WITHOUT also promoting libaacs0. Please do so in a comment on this bug.
This does also need a security review, so I'll assign ubuntu-security now.

List of specific binary packages to be promoted to main:
- libbluray-dev
- libbluray2

Required TODOs:
- Please double check that without libaacs0 this is still really a useful use-case to Ubuntu users. Speak up here and outline what use-cases will benefit without libaacs0.

Recommended TODOs:
- Add some self-tests, see suggestions how to do so below

Note: we ship it with the readme already in universe, there is the inherent issue of potential piracy issues being considered related with such libs. But we already ship it (main/universe should not make a difference), we include the disclaimer and this lib does not do any decoding. So it should be fine in that regard to the MIR process.
Also from upstream to quote: "Legal: libbluray is DRM-circumvention free, and thus, safe to integrate in your software."

[Duplication]
No other lib seems to provide this functionality.
Yet the approach to take libbluray2 but drop the libaacs0 recommends likely ends up in only support for non-commercial Blu-rays.
From the description:
  Most commercial Blu-Ray are restricted by AACS or BD+ technologies and this library is not enough to playback those discs.
With that in mind is it worth to have libbluray2 "alone"?

[Dependencies]
OK:
- no other Dependencies to MIR due to this (if we keep the bd-j things out)
- -dev shall be promoted and -doc has no critical dependencies

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

Problems:
- does not parse data formats
  It will need to parse Blu-ray disks (or images) and could be exploited that way. Security should have a look to be sure.

[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber (desktop team)
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider in that regard

Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
  There are some test tools like ./src/examples/libbluray_test.c that is even shipped with the examples. It shouldn't be too hard to provide some self created m2ts file along that and have an autopkgtest that
  1. builds the example against libbluray-dev
  2. runs the program to get info from the test file

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is ok
- Debian/Ubuntu update history is ok
- the current release is packaged (a sync and 1.2.1 is in unstable)
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: libbluray (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 1746629] Re: [MIR] libbluray
** Changed in: libbluray (Ubuntu) Assignee: Mathieu Trudel-Lapierre (cyphermox) => (unassigned) ** Changed in: libbluray (Ubuntu) Status: Incomplete => New
[Bug 1746629] Re: [MIR] libbluray
I will review this now; but I expect it might need security review as well. ** Changed in: libbluray (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
[Bug 1746629] Re: [MIR] libbluray
didrocks asked if this was still relevant, and the answer is yes, it's not a high priority for us but it would still let a bit of delta (in a debian/rules file, in Debian, so not an "Ubuntu" delta but a feature delta), so reviewing would be good
[Bug 1746629] Re: [MIR] libbluray
The issue with OpenJDK 11 was fixed.
[Bug 1746629] Re: [MIR] libbluray
it's not just building the package with OpenJDK-8, it can't run with OpenJDK-10/11. So better disable the java parts for now? ** Changed in: libbluray (Ubuntu) Status: New => Incomplete
[Bug 1746629] Re: [MIR] libbluray
** Changed in: libbluray (Ubuntu) Status: Incomplete => New
[Bug 1746629] Re: [MIR] libbluray
Matthias, thanks for your comment. My original request is specifically that we *not* include the Java packages in main to keep things simple. So that issue shouldn't affect us since openjdk-8 is still in universe so is ok for a Build-Depends.
[Bug 1746629] Re: [MIR] libbluray
libbluray (1:1.0.2-3) unstable; urgency=medium

  * debian/: Force building with Java 8 and also required Java 8 JRE during runtime. Upstream currently neither supports building nor running with Java 9 and requires major changes.

and we don't have openjdk-8 in main anymore ...
[Bug 1746629] Re: [MIR] libbluray
the package ftbfs. see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893227 ** Bug watch added: Debian Bug tracker #893227 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893227 ** Changed in: libbluray (Ubuntu) Status: New => Incomplete
[Bug 1746629] Re: [MIR] libbluray
desktop-packages has been subscribed to it now ** Changed in: libbluray (Ubuntu) Status: Incomplete => New
[Bug 1746629] Re: [MIR] libbluray
libbluray is missing a bug subscriber. ** Changed in: libbluray (Ubuntu) Status: New => Incomplete
[Bug 1746629] Re: [MIR] libbluray
** Description changed: Availability Built for all supported architectures. In sync with Debian. Rationale = gvfs 1.10 added libbluray support 7 years ago. Although enabled in Debian then too, we haven't been able to enable it in Ubuntu because libbluray is not in main. Before that point, gvfs did support Blu-ray but it wasn't as effective as using the library. Note that libbluray does not do decryption; the library allows for showing metadata (title, cover art, etc.) for Blu-ray discs. Security https://security-tracker.debian.org/tracker/source-package/libbluray https://launchpad.net/ubuntu/+source/libbluray/+cve Both security issues in Debian's tracker are about the BD-J package which we are not requesting be promoted to main (see Dependencies below). Quality assurance = - Subscribe the Desktop Bugs and Desktop Packages teams? - No tests - No autopkgtests https://bugs.launchpad.net/ubuntu/+source/libbluray https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libbluray Dependencies We only need the libbluray-dev and libbluray2 binary packages in main. We do not need either libbluray-bin or libbluray-bdj. If this MIR is approved, we should drop libbluray2's Recommends on libaacs0 to Suggests since I believe it's unnecessary here. Standards compliance - 4.1.2, debhelper compat 10, dh7 simple rules + 4.1.3, debhelper compat 11, dh7 simple rules Maintenance === Actively maintained: http://git.videolan.org/?p=libbluray.git Maintained in Debian by the Debian Multimedia Team. Packaging is at https://salsa.debian.org/multimedia-team/libbluray/ Other Info == Every Ubuntu desktop flavor besides Ubuntu itself includes libbluray. Here's the gvfs commit to switch to libbluray: https://git.gnome.org/browse/gvfs/commit/?id=21c319c8 libbluray API docs: https://www.videolan.org/developers/libbluray/doc/doxygen/html/bluray_8h.html