** Description changed: Availability ============ Built for all supported architectures. In sync with Debian. Rationale ========= brotli is a file compression format and library developed and maintained by Google. brotli is required by the WOFF 2.0 format for compressed web fonts. brotli and woff2 are libraries that are technically already in main because they are bundled in Firefox and webkit2gtk. The next major stable release of webkit2gtk, 2.20, will be released in March. It drops those 2 bundled libraries. I think our options are basically 1) Bundle those libraries anyway, or 2) Approve this MIR, or 3) Drop support for the WOFF2 format in webkit2gtk Security ======== brotli is a security-sensitive library. - There is an open security bug for xenial that can be fixed by syncing - 0.3.0+dfsg-3 from Debian. + There is an open security bug for xenial. See LP: #1737364 https://security-tracker.debian.org/tracker/source-package/brotli https://launchpad.net/ubuntu/+source/brotli/+cve Quality assurance ================= - Ubuntu Desktop Bugs is subscribed. - dh_auto_test runs upstream build tests. Test failure would fail the build. - New autopkgtests pass on all arches: http://autopkgtest.ubuntu.com/packages/b/brotli https://ci.debian.net/packages/b/brotli/ https://bugs.launchpad.net/ubuntu/+source/brotli https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=brotli https://github.com/google/brotli/issues Dependencies ============ No universe binary dependencies Standards compliance ==================== 4.1.1, debhelper compat 10, dh7 simple rules Maintenance =========== Actively maintained: https://github.com/google/brotli Not team maintained in Debian. https://tracker.debian.org/pkg/brotli Other Info ========== webkit2gtk is managed similar to Firefox and Chromium. So far, new releases are pushed to Ubuntu 16.04 LTS and newer as security updates, but the Ubuntu Security Team does not guarantee security support for webkit2gtk. I'm waiting until woff2 is accepted into Debian and Ubuntu to file the woff2 MIR. See https://bugs.debian.org/883828 We are going to need to backport brotli and woff2 into main as security updates for 16.04 LTS and 17.10. The new version of brotli adds new binary packages (in particular, the C library needed by woff2 and webkit2gtk). brotli has no reverse dependencies in 16.04 and 17.10. (fonttools is a reverse-dependency in 18.04.) brotli has a bizarre build system.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1737053 Title: [MIR] brotli To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/brotli/+bug/1737053/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
