Hi Graham, what (re-)evaluation do you expect at this point in time - the bugs that you so kindly identified and filed and the changes that you and Marco created are neither all completed nor landed in Ubuntu some other way so far. So without starting a deeper review I can say, this still isn't ready due to all the dependencies not being ready yet. And since was a missing link so often (not to you but others) I'll add you link list from the mail to the description).
** Description changed: Please promote the following binary packages built from src:fuse3 to main: - libfuse3-3 - libfuse3-dev [Availability] The inclusion of fuse3 in Ubuntu is fairly recent, first being imported in Focal as a sync from Debian, however its predecessor src:fuse from the same upstream (libfuse [1]) has been packaged in Debian since 2002, it's already in main and has been in Ubuntu forever. The upstream project is "the reference implementation of the Linux FUSE (Filesystem in Userspace) interface" [1] , and can be fully trusted to keep maintaining the package in the foreseeable future. fuse3 is currently a sync from Debian in Focal, Groovy, Hirsute and Impish. [Rationale] QEMU 6.0 added support for FUSE block exports, which allow mounting the guest view of any QEMU block device node as a host file. Debian enabled this feature in src:qemu 1:6.0+dfsg-1~exp0 [3], currently in experimental, by adding a new build-dep on libfuse3-dev [4]. We want to bring this support to Ubuntu when merging qemu 6.0 from Debian, and therefore we need to MIR bin:libfuse3-dev and its runtime counterpart bin:libfuse3-3. [Security] The package is a library and won't add daemons, setuid binaries, or anything requiring authentication. (This is contrast with the bin:fuse3 package which ships a setuid binary, but which is not part of this MIR.) The upstream README.md at [1] has a "Security implications" section which only deals with fuse3, no warning is raised regarding the library. Given the popularity of the project we can assume that Linus' law applies [5]. [Quality assurance] There are 0 open bugs in Ubuntu against src:fuse3. In Debian there are a few bugs against bin:fuse3, including a Serious (=> RC) bug, currently tagged "bullseye-ignore", but considered valid. The bin:fuse3 package is not part of this MIR. (It is likely that we'll want to also MIR bin:fuse3 at some point, and I considered doing so as part of this MIR, but it is more sensible to wait for that RC bug to be fixed before proceeding.) There are no noteworthy Debian bugs against src:fuse3 or any bin: package part of this MIR. [Dependencies] libfuse3-3: libc6 [ok] libfuse3-dev: libfuse3-3, libselinux-dev [ok] fuse3: libc6, libfuse3-3, adduser, mount, sed, lsb-base [ok] [Standards compliance] $ lintian fuse3_3.10.3-2.dsc N: 2 hints overridden (2 errors) The two overridden errors are "source-is-missing" errors for Javascript files which are not used or installed by any binary package: source-is-missing doc/html/jquery.js line length is 32401 characters (>512) source-is-missing doc/html/menu.js line length is 695 characters (>512) The second source-is-missing error looks like a false positive to me (the JS is not minimized). Avoiding the override on jquery would require a +dfsg repacked source, with the extra maintenance it requires. I agree with the overrides in this case. [Maintenance] ============= The Foundations Team maintains fuse (v2) so far and we are looking to them if they plan to transition to and own v3 at some point. -- [1] https://github.com/libfuse/libfuse [2] https://wiki.qemu.org/ChangeLog/6.0 [3] https://metadata.ftp-master.debian.org/changelogs//main/q/qemu/qemu_6.0+dfsg-1~exp0_changelog [4] https://salsa.debian.org/qemu-team/qemu/-/commit/9fdcf4181e1c8120e6b7c9059209656469bf499b [5] https://en.wikipedia.org/wiki/Linus%27s_law [6] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918984 + + + ---- + + From some later work on the Dependencies, here a list of related + bugs/issues that need to be resolved to make this happen: + + From: + https://lists.ubuntu.com/archives/ubuntu-devel/2021-July/041530.html + + - https://bugs.launchpad.net/ubuntu/+source/fuse3/+bug/1934510 + - https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1935659 + - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1935665 + - https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1935666 + - https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1935667 + - https://bugs.launchpad.net/ubuntu/+source/xdg-desktop-portal/+bug/1935668 + - https://github.com/libfuse/libfuse/blob/master/ChangeLog.rst#libfuse-300-2016-12-08 + - https://github.com/ceph/ceph/commit/cb0a600acfca76c5b4653e4c6f34c1712a2da9de + - https://gitlab.gnome.org/GNOME/gvfs/-/commit/7a0a06186b6fef07b8fce2360c04fd075fc84ed1 + - https://github.com/OpenMandrivaAssociation/grub2/blob/master/grub-2.02-fuse3.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1934510 Title: [MIR] fuse3 as a dependency of qemu 6.0 and GNOME apps To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/fuse3/+bug/1934510/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
