[Bug 2115912] Re: [MIR] showtime
The debcrafters-packages is subscribed now and I've done the promotion $ ./change-override -c main -S showtime Override component to main showtime 50~rc-1 in resolute: universe/misc -> main showtime 50~rc-1 in resolute amd64: universe/video/optional/100% -> main showtime 50~rc-1 in resolute amd64v3: universe/video/optional/100% -> main showtime 50~rc-1 in resolute arm64: universe/video/optional/100% -> main showtime 50~rc-1 in resolute armhf: universe/video/optional/100% -> main showtime 50~rc-1 in resolute i386: universe/video/optional/100% -> main showtime 50~rc-1 in resolute ppc64el: universe/video/optional/100% -> main showtime 50~rc-1 in resolute riscv64: universe/video/optional/100% -> main showtime 50~rc-1 in resolute s390x: universe/video/optional/100% -> main Override [y|N]? y 9 publications overridden. ** Changed in: showtime (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
gir1.2-gst-plugins-extra-1.0 is in resolute now -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
** Merge proposal linked: https://code.launchpad.net/~charles05/ubuntu-seeds/+git/ubuntu-seeds/+merge/501113 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
I think we need gir1.2-gst-plugins-extra-1.0 to get into resolute release before we do those steps. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
Here is a recommended order: - Update the desktop seed - Wait a few hours for showtime to show on https://ubuntu-archive-team.ubuntu.com/component-mismatches.html - Have an Archive Admin promote showtime - Wait a few hours for that change to be fully published - Then run the ./update script in ubuntu-meta and upload Packages in parentheses in the seeds are Recommends instead of Depends. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
Before an Archive Admin can promote showtime to main, something in main must recommend or depend on it or it needs to be added to a seed such as supported. In this particular case, I think you want to add showtime [and totem- video-thumbnailer] and remove totem from the desktop seed at https://code.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/ubuntu And then someone needs to run the ./update script for the ubuntu-meta source package and upload it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
Moving to In Progress so an archive admin can perform the seed change. The the Ubuntu delta was accepted into proposed as 50~beta-1ubuntu1 now ** Changed in: showtime (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
> Required TODOs: > - #1 drop the dependency on gir1.2-gst-plugins-bad1.0 (and bring back one to > gir1.2-gst-plugins-extra1.0 once LP: #2121050 is resolved) This is now complete, since #2121050 is resolved. We haven't had time to improve the security hardening. A PPA build for reference is available here: https://launchpad.net/~charles05/+archive/ubuntu/gg/+sourcepub/18132952/+listing- archive-extra And the MR to incorporate a Ubuntu delta for depending on -extra rather than -bad is in: https://salsa.debian.org/gnome- team/showtime/-/merge_requests/1 ** Changed in: showtime (Ubuntu) Status: Incomplete => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
Confirmed in the MIR meeting, to be ok without a security review. Just complete http://bugs.launchpad.net/bugs/2121050 and this is ok to go as well. Otherwise make us and yourself happy by looking at the recommended further tasks please :-) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
Back to incomplete while waiting for http://bugs.launchpad.net/bugs/2121050 but otherwise ready with the optional bonus of finding the change to do some security hardening. I'd suggest we discuss in the next MIR meeting for opinions on a security review being mandatory or not (I think not) or if you'd just like to have it. ** Changed in: showtime (Ubuntu) Assignee: Christian Ehrhardt (paelzer) => (unassigned) ** Changed in: showtime (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
Let me thank you for such a well prepared MIR case. All I came up with was already answered in the original report \o/. Review for Source Package: showtime [Summary] MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs. I was torn, but I really could not find much it would process itself. While a security review is always good to have I consider it optional here. List of specific binary packages to be promoted to main: showtime Specific binary packages built, but NOT to be promoted to main: n/a Notes: Required TODOs: - #1 drop the dependency on gir1.2-gst-plugins-bad1.0 (and bring back one to gir1.2-gst-plugins-extra1.0 once LP: #2121050 is resolved) Recommended TODOs: - #2 This switch from one to the newer playe would be the moment to think about isolation features. It is not a service, and apparmor rules might be hard as it is supposed to play video files from anywhere. But would it need to write anywhere? I know usually the approach is default deny and allow a few but maybe here the approach could be default allow but deny some clearly non needed things? Similarly, capability dropping or any such. This is very optional, but worth a look at least as it would be great if it would be possible. And while the actual decoding is in gstreamer so most attacks would be there, some defense in depth if broken there would be great. Consider this non-blocking please. [Rationale, Duplication and Ownership] There is no other package in main providing the same functionality, sure totem is, but this is intended to switch one for the newer other. A team is committed to own long term maintenance of this package. The rationale given in the report seems valid and useful for Ubuntu [Dependencies] OK: - no other build-time Dependencies with active code in the final binaries to MIR due to this - no -dev/-debug/-doc packages that need exclusion - No dependencies in main that are only superficially tested requiring more tests now. Problems: - There are other runtime Dependencies to MIR due to this, but you are already aware of gir1.2-gst-plugins-bad1.0 and I agree that a more fine grained split into gir1.2-gst-plugins-extra-1.0 for those that are more reasonable is a good approach. But ultimately you need to put -bad down to be a suggest and can introduce a depends or recommends to -extra once it exists. [Embedded sources and static linking] OK: - no embedded source present - no static linking - does not have unexpected Built-Using entries - not a go package, no extra constraints to consider in that regard - not a rust package, no extra constraints to consider in that regard Problems: None [Security] OK: - history of CVEs does not look concerning but let us be honest, it is too new to have them. - does not run a daemon as root - does not use webkit1,2 - does not use lib*v8 directly - does not parse data formats - I was first assuming otherwise but it really seems to not parse/, decode, or extract the video itself. It does all that through URLs and Gstreamer objects which is great as it is not yet another attack surface AFAICS. - does not expose any external endpoint (port/socket/... or similar) - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does not deal with security attestation (secure boot, tpm, signatures) - does not deal with cryptography (en-/decryption, certificates, signing, ...) Problems: - does not process arbitrary web content (not directly, but who knows where such files are from) but gladly it does not parse/handle it itself (see above yet delegates all to a proven library which is the right approach) - this does not makes appropriate use of established risk mitigation features, on the lib we would say "it is the lib it can't" but here we would know better. I've added a non-blocking suggestion about that. - btw it isn't a classic daemon service, but it is a dbus registered service but that has no impact to our judgement AFAICS. [Common blockers] OK: - does not FTBFS currently - does have a test suite that runs at build time - test suite fails will fail the build upon error. - no new python2 dependency - Python package, but using dh_python Problems: - does not have a non-trivial test suite that runs as autopkgtest, but really it is mostly a new gui wrapper on gstreamer. In theory one could say for all the accelerations a multitude of HW is needed, but that would be non-proportional to what we usually require. I'm glad to see that a, albeit basic, test plan was already defined in https://wiki.ubuntu.com/DesktopTeam/TestPlans/Showtime and think that is sufficient. [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking not applicable for this kind of code. - debian/watch is present and looks ok - Upstream update h
[Bug 2115912] Re: [MIR] showtime
FYI, I didn't manage to pick this up prior to the EOY downtime and these days are busy :-/ I tried to allocate some time later this week hoping to then unblock you. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
I was expecting something like that reading [1] somewhen earlier this year, just unsure about the timing. I'll have a look as soon as I can find the time to do so. [1]: https://itsfoss.com/news/gnome-new-default-video-player/ ** Changed in: showtime (Ubuntu) Assignee: (unassigned) => Christian Ehrhardt (paelzer) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
** Description changed: [Availability] The package showtime is already in Ubuntu universe. The package showtime build for the architectures it is designed to work on. It currently builds and works for architectures: all except i386 Link to package https://launchpad.net/ubuntu/+source/showtime [Rationale] - The package showtime is required in Ubuntu main as a default video player for Ubuntu Desktop. - The package showtime will generally be useful for a large part of our user base - Package showtime covers the same use case as totem, but is better because it is more actively maintained and has improved UI/UX, thereby we want to replace it. GNOME Core officially switched from totem to showtime for GNOME 49 and we want to do that swap too. - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - This is the first time package will be in main - The binary package showtime needs to be in main to achieve a better video player for Ubuntu Desktop. - All binary packages built by showtime need to be in main. (There is only one binary package.) - It would be great and useful to community/processes to have the package showtime in Ubuntu main, but there is no definitive deadline. [Security] - No CVEs/security issues in this software in the past - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/showtime - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=showtime - Upstream https://gitlab.gnome.org/GNOME/showtime/-/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a few trivial metadata validation tests on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/showtime/49.0-1/+latestbuild/amd64 It does not run more extensive tests because build time tests wouldn't do a very good job of testing this app's specific functionality. The app is mostly a frontend to gstreamer which does have a stronger testing story. - The package does not run an autopkgtest because it is a GUI video player app and autopkgtest isn't a good fit for this kind of package. To make up for that, we have detailed test plans for GStreamer and Showtime, https://wiki.ubuntu.com/DesktopTeam/TestPlans/GStreamer https://wiki.ubuntu.com/DesktopTeam/TestPlans/Showtime Due to the nature, integration and use cases of the package the consequences of a regression that might slip through most likely would include users not being able to playback media files. [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Please link to a recent build log of the package https://launchpad.net/ubuntu/+source/showtime/49.0-1/+latestbuild/amd64 - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions - Packaging and build is easy, link to debian/rules https://salsa.debian.org/gnome-team/showtime/-/blob/debian/latest/debian/rules [UI standards] - Application is end-user facing, Translation is present, via standard gettext - End-user applications that ships a standard conformant desktop file, see https://salsa.debian.org/gnome-team/showtime/-/blob/debian/latest/data/org.gnome.Showtime.desktop.in [Dependencies] - gir1.2-gst-plugins-bad1.0 being split to gir1.2-gst-plugins-extra-1.0 LP: #2121050 Used check-mir from ubuntu-dev-tools to validate all other dependencies or recommends are in main. [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - The owning team will be debcrafters-packages and I have their acknowledgment for that commitment - The future owning team is not yet subscribed, but will subscribe to the package before promotion - This does not use static builds - This does not use vendored code - This package is not rust based - The package has been built w
[Bug 2115912] Re: [MIR] showtime
** Description changed: [Availability] The package showtime is already in Ubuntu universe. The package showtime build for the architectures it is designed to work on. It currently builds and works for architectures: all except i386 Link to package https://launchpad.net/ubuntu/+source/showtime [Rationale] - The package showtime is required in Ubuntu main as a default video player for Ubuntu Desktop. - The package showtime will generally be useful for a large part of our user base - Package showtime covers the same use case as totem, but is better because it is more actively maintained and has improved UI/UX, thereby we want to replace it. GNOME Core officially switched from totem to showtime for GNOME 49 and we want to do that swap too. - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - This is the first time package will be in main - The binary package showtime needs to be in main to achieve a better video player for Ubuntu Desktop. - All binary packages built by showtime need to be in main. (There is only one binary package.) - It would be great and useful to community/processes to have the package showtime in Ubuntu main, but there is no definitive deadline. [Security] - No CVEs/security issues in this software in the past - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/showtime - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=showtime - Upstream https://gitlab.gnome.org/GNOME/showtime/-/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a few trivial metadata validation tests on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/showtime/49.0-1/+latestbuild/amd64 It does not run more extensive tests because build time tests wouldn't do a very good job of testing this app's specific functionality. The app is mostly a frontend to gstreamer which does have a stronger testing story. - The package does not run an autopkgtest because it is a GUI video player app and autopkgtest isn't a good fit for this kind of package. To make up for that, we have detailed test plans for GStreamer and Showtime, https://wiki.ubuntu.com/DesktopTeam/TestPlans/GStreamer https://wiki.ubuntu.com/DesktopTeam/TestPlans/Showtime Due to the nature, integration and use cases of the package the consequences of a regression that might slip through most likely would include users not being able to playback media files. [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Please link to a recent build log of the package https://launchpad.net/ubuntu/+source/showtime/49.0-1/+latestbuild/amd64 - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions - Packaging and build is easy, link to debian/rules https://salsa.debian.org/gnome-team/showtime/-/blob/debian/latest/debian/rules [UI standards] - Application is end-user facing, Translation is present, via standard gettext - End-user applications that ships a standard conformant desktop file, see https://salsa.debian.org/gnome-team/showtime/-/blob/debian/latest/data/org.gnome.Showtime.desktop.in [Dependencies] - gir1.2-gst-plugins-bad1.0 being split to gir1.2-gst-plugins-extra-1.0 LP: #2121050 Used check-mir from ubuntu-dev-tools to validate all other dependencies or recommends are in main. [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - The owning team will be debcrafters-packages and I have their acknowledgment for that commitment - The future owning team is not yet subscribed, but will subscribe to the package before promotion - This does not use static builds - This does not use vendored code - This package is not rust based - The package has been built w
[Bug 2115912] Re: [MIR] showtime
** Description changed: [Availability] The package showtime is already in Ubuntu universe. The package showtime build for the architectures it is designed to work on. It currently builds and works for architectures: all except i386 Link to package https://launchpad.net/ubuntu/+source/showtime [Rationale] - The package showtime is required in Ubuntu main as a default video player for Ubuntu Desktop. - The package showtime will generally be useful for a large part of our user base - Package showtime covers the same use case as totem, but is better because it is more actively maintained and has improved UI/UX, thereby we want to replace it. GNOME Core officially switched from totem to showtime for GNOME 49 and we want to do that swap too. - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - This is the first time package will be in main - The binary package showtime needs to be in main to achieve a better video player for Ubuntu Desktop. - All binary packages built by showtime need to be in main. (There is only one binary package.) - It would be great and useful to community/processes to have the package showtime in Ubuntu main, but there is no definitive deadline. [Security] - No CVEs/security issues in this software in the past - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/showtime - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=showtime - Upstream https://gitlab.gnome.org/GNOME/showtime/-/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a few trivial metadata validation tests on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/showtime/49.0-1/+latestbuild/amd64 It does not run more extensive tests because build time tests wouldn't do a very good job of testing this app's specific functionality. The app is mostly a frontend to gstreamer which does have a stronger testing story. - The package does not run an autopkgtest because it is a GUI video - player app and autopkgtest isn't a good fit for this kind of package + player app and autopkgtest isn't a good fit for this kind of package. To + make up for that, we have detailed test plans for GStreamer and + Showtime, https://wiki.ubuntu.com/DesktopTeam/TestPlans/GStreamer + https://wiki.ubuntu.com/DesktopTeam/TestPlans/Showtime - RULE: - If no build tests nor autopkgtests are included, and/or if the package - RULE: requires specific hardware to perform testing, the subscribed team - RULE: must provide a written test plan in a comment to the MIR bug, and - RULE: commit to running that test either at each upload of the package or - RULE: at least once each release cycle. In the comment to the MIR bug, - RULE: please link to the codebase of these tests (scripts or doc of manual - RULE: steps) and attach a full log of these test runs. This is meant to - RULE: assess their validity (e.g. not just superficial). - RULE: If possible such things should stay in universe. Sometimes that is - RULE: impossible due to the way how features/plugins/dependencies work - RULE: but if you are going to ask for promotion of something untestable - RULE: please outline why it couldn't provide its value (e.g. by splitting - RULE: binaries) to users from universe. - RULE: This is a balance that is hard to strike well, the request is that all - RULE: options have been exploited before giving up. Look for more details - RULE: and backgrounds https://github.com/canonical/ubuntu-mir/issues/30 - RULE: Just like in the SRU process it is worth to understand what the - RULE: consequences a regression (due to a test miss) would be. Therefore - RULE: if being untestable we ask to outline what consequences this would - RULE: have for the given package. And let us be honest, even if you can - RULE: test you are never sure you will be able to catch all potential - RULE: regressions. So this is mostly to force self-awareness of the owning - RULE: team than to make a decision on. - TODO: - The package can not be well tested at build or autopkgtest time - TODO: because TBD. To make up for that: - TODO-E: - We have checked and found a simulator which covers this case - TODO-E: sufficien
[Bug 2115912] Re: [MIR] showtime
** Changed in: showtime (Ubuntu) Importance: Undecided => High ** Changed in: showtime (Ubuntu) Status: Incomplete => In Progress ** Changed in: showtime (Ubuntu) Assignee: (unassigned) => Charles (charles05) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
** Description changed: [Availability] The package showtime is already in Ubuntu universe. The package showtime build for the architectures it is designed to work on. It currently builds and works for architectures: all except i386 Link to package https://launchpad.net/ubuntu/+source/showtime [Rationale] - The package showtime is required in Ubuntu main as a default video player for Ubuntu Desktop. - The package showtime will generally be useful for a large part of our user base - Package showtime covers the same use case as totem, but is better because it is more actively maintained and has improved UI/UX, thereby we want to replace it. GNOME Core officially switched from totem to showtime for GNOME 49 and we want to do that swap too. - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - This is the first time package will be in main - The binary package showtime needs to be in main to achieve a better video player for Ubuntu Desktop. - All binary packages built by showtime need to be in main. (There is only one binary package.) - It would be great and useful to community/processes to have the package showtime in Ubuntu main, but there is no definitive deadline. [Security] - No CVEs/security issues in this software in the past - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/showtime - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=showtime - Upstream https://gitlab.gnome.org/GNOME/showtime/-/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a few trivial metadata validation tests on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/showtime/49.0-1/+latestbuild/amd64 It does not run more extensive tests because build time tests wouldn't do a very good job of testing this app's specific functionality. The app is mostly a frontend to gstreamer which does have a stronger testing story. - The package does not run an autopkgtest because it is a GUI video player app and autopkgtest isn't a good fit for this kind of package + + https://wiki.ubuntu.com/DesktopTeam/TestPlans/GStreamer RULE: - If no build tests nor autopkgtests are included, and/or if the package RULE: requires specific hardware to perform testing, the subscribed team RULE: must provide a written test plan in a comment to the MIR bug, and RULE: commit to running that test either at each upload of the package or RULE: at least once each release cycle. In the comment to the MIR bug, RULE: please link to the codebase of these tests (scripts or doc of manual RULE: steps) and attach a full log of these test runs. This is meant to RULE: assess their validity (e.g. not just superficial). RULE: If possible such things should stay in universe. Sometimes that is RULE: impossible due to the way how features/plugins/dependencies work RULE: but if you are going to ask for promotion of something untestable RULE: please outline why it couldn't provide its value (e.g. by splitting RULE: binaries) to users from universe. RULE: This is a balance that is hard to strike well, the request is that all RULE: options have been exploited before giving up. Look for more details RULE: and backgrounds https://github.com/canonical/ubuntu-mir/issues/30 RULE: Just like in the SRU process it is worth to understand what the RULE: consequences a regression (due to a test miss) would be. Therefore RULE: if being untestable we ask to outline what consequences this would RULE: have for the given package. And let us be honest, even if you can RULE: test you are never sure you will be able to catch all potential RULE: regressions. So this is mostly to force self-awareness of the owning RULE: team than to make a decision on. TODO: - The package can not be well tested at build or autopkgtest time TODO: because TBD. To make up for that: TODO-E: - We have checked and found a simulator which covers this case TODO-E: sufficiently for testing, our plan to use it is TBD TODO-F: - We have engaged with the upstream community and due to that TODO-F: can tests new package builds via TBD TODO-G: - We have engaged with our use
[Bug 2115912] Re: [MIR] showtime
** Changed in: showtime (Ubuntu) Status: Expired => Incomplete ** Description changed: [Availability] The package showtime is already in Ubuntu universe. The package showtime build for the architectures it is designed to work on. It currently builds and works for architectures: all except i386 Link to package https://launchpad.net/ubuntu/+source/showtime [Rationale] - The package showtime is required in Ubuntu main as a default video player for Ubuntu Desktop. - The package showtime will generally be useful for a large part of our user base - Package showtime covers the same use case as totem, but is better because it is more actively maintained and has improved UI/UX, thereby we want to replace it. GNOME Core officially switched from totem to showtime for GNOME 49 and we want to do that swap too. - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - This is the first time package will be in main - The binary package showtime needs to be in main to achieve a better video player for Ubuntu Desktop. - All binary packages built by showtime need to be in main. (There is only one binary package.) - - It would be great and useful to community/processes to have the package showtime in Ubuntu main, but there is no definitive deadline. Specifically, although Loupe and Ptyxis were mentioned in Ubuntu Desktop 25.10 plans, Showtime was not; therefore Showtime is a lower priority than those other apps. - https://discourse.ubuntu.com/t/ubuntu-desktop-25-10-the-questing-quokka-roadmap/61159 + - It would be great and useful to community/processes to have the + package showtime in Ubuntu main, but there is no definitive deadline. [Security] - No CVEs/security issues in this software in the past - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/showtime - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=showtime - Upstream https://gitlab.gnome.org/GNOME/showtime/-/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a few trivial metadata validation tests on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/showtime/49~alpha-2/+latestbuild/amd64 It does not run more extensive tests because build time tests wouldn't do a very good job of testing this app's specific functionality. The app is mostly a frontend to gstreamer which does have a stronger testing story. - The package does not run an autopkgtest because it is a GUI video player app and autopkgtest isn't a good fit for this kind of package RULE: - If no build tests nor autopkgtests are included, and/or if the package RULE: requires specific hardware to perform testing, the subscribed team RULE: must provide a written test plan in a comment to the MIR bug, and RULE: commit to running that test either at each upload of the package or RULE: at least once each release cycle. In the comment to the MIR bug, RULE: please link to the codebase of these tests (scripts or doc of manual RULE: steps) and attach a full log of these test runs. This is meant to RULE: assess their validity (e.g. not just superficial). RULE: If possible such things should stay in universe. Sometimes that is RULE: impossible due to the way how features/plugins/dependencies work RULE: but if you are going to ask for promotion of something untestable RULE: please outline why it couldn't provide its value (e.g. by splitting RULE: binaries) to users from universe. RULE: This is a balance that is hard to strike well, the request is that all RULE: options have been exploited before giving up. Look for more details RULE: and backgrounds https://github.com/canonical/ubuntu-mir/issues/30 RULE: Just like in the SRU process it is worth to understand what the RULE: consequences a regression (due to a test miss) would be. Therefore RULE: if being untestable we ask to outline what consequences this would RULE: have for the given package. And let us be honest, even if you can RULE: test you are never sure you will be able to catch all potential RULE: regressions. So this is mostly to force self-awareness of the owning RULE: team than to make a decision on. TODO: - The pa
[Bug 2115912] Re: [MIR] showtime
[Expired for showtime (Ubuntu) because there has been no activity for 60 days.] ** Changed in: showtime (Ubuntu) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2115912 Title: [MIR] showtime To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/showtime/+bug/2115912/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2115912] Re: [MIR] showtime
** Description changed: [Availability] The package showtime is already in Ubuntu universe. The package showtime build for the architectures it is designed to work on. It currently builds and works for architectures: all except i386 Link to package https://launchpad.net/ubuntu/+source/showtime [Rationale] - The package showtime is required in Ubuntu main as a default video player for Ubuntu Desktop. - The package showtime will generally be useful for a large part of our user base - Package showtime covers the same use case as totem, but is better because it is more actively maintained and has improved UI/UX, thereby we want to replace it. GNOME Core officially switched from totem to showtime for GNOME 49 and we want to do that swap too. - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - This is the first time package will be in main - The binary package showtime needs to be in main to achieve a better video player for Ubuntu Desktop. - All binary packages built by showtime need to be in main. (There is only one binary package.) - It would be great and useful to community/processes to have the package showtime in Ubuntu main, but there is no definitive deadline. Specifically, although Loupe and Ptyxis were mentioned in Ubuntu Desktop 25.10 plans, Showtime was not; therefore Showtime is a lower priority than those other apps. https://discourse.ubuntu.com/t/ubuntu-desktop-25-10-the-questing-quokka-roadmap/61159 [Security] - No CVEs/security issues in this software in the past - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/showtime - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=showtime - Upstream https://gitlab.gnome.org/GNOME/showtime/-/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a few trivial metadata validation tests on build time, if it fails it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/showtime/49~alpha-2/+latestbuild/amd64 It does not run more extensive tests because build time tests wouldn't do a very good job of testing this app's specific functionality. The app is mostly a frontend to gstreamer which does have a stronger testing story. - The package does not run an autopkgtest because it is a GUI video player app and autopkgtest isn't a good fit for this kind of package RULE: - If no build tests nor autopkgtests are included, and/or if the package RULE: requires specific hardware to perform testing, the subscribed team RULE: must provide a written test plan in a comment to the MIR bug, and RULE: commit to running that test either at each upload of the package or RULE: at least once each release cycle. In the comment to the MIR bug, RULE: please link to the codebase of these tests (scripts or doc of manual RULE: steps) and attach a full log of these test runs. This is meant to RULE: assess their validity (e.g. not just superficial). RULE: If possible such things should stay in universe. Sometimes that is RULE: impossible due to the way how features/plugins/dependencies work RULE: but if you are going to ask for promotion of something untestable RULE: please outline why it couldn't provide its value (e.g. by splitting RULE: binaries) to users from universe. RULE: This is a balance that is hard to strike well, the request is that all RULE: options have been exploited before giving up. Look for more details RULE: and backgrounds https://github.com/canonical/ubuntu-mir/issues/30 RULE: Just like in the SRU process it is worth to understand what the RULE: consequences a regression (due to a test miss) would be. Therefore RULE: if being untestable we ask to outline what consequences this would RULE: have for the given package. And let us be honest, even if you can RULE: test you are never sure you will be able to catch all potential RULE: regressions. So this is mostly to force self-awareness of the owning RULE: team than to make a decision on. TODO: - The package can not be well tested at build or autopkgtest time TODO: because TBD. To make up for that: TODO-E: - We have checked and found a simulator which covers this case TODO-E: sufficiently for tes
