** Description changed:

  [Availability]
  The package libyang2 is already in Ubuntu universe.
  The package libyang2 builds for the architectures it is designed to work on.
  It currently builds and works for architetcures (all but i386): amd64 arm64 
armhf ppc64el riscv64 s390x
  Link to package: https://launchpad.net/ubuntu/+source/libyang2
  
  [Rationale]
  - The package libyang2 is a new runtime dependency of package frr
    which is an ongoing MIR at #1951834
  
  [Security]
  - Search in the National Vulnerability Database using the PKG as keyword
    http://cve.mitre.org/cve/search_cve_list.html
  libyang had quite a few CVEs: 
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libyang
  But all in major version 1. Version 2 (subject of this MIR) doesn't have CVEs 
yet.
  
  Going over the above CVEs for 2021, for example, shows that only gentoo
  issued advisories. The remaining ones for 2019 had a mix of Redhat and
  Fedora advisories, and not even gentoo ones.
  
  - check OSS security mailing list (feed into search engine
    'site:www.openwall.com/lists/oss-security <pkgname>')
  No results (libyang2, libyang). "yang" returns results for a person with that 
name.
  
  Not a single triaged CVE for libyang v1: 
https://ubuntu.com/security/cve?q=&package=libyang&priority=&version=&status=
  v2 has no Ubuntu CVEs (makes sense: it'a s new package in jammy): 
https://ubuntu.com/security/cve?q=&package=libyang&priority=&version=&status=
  
  Debian security tracker: 
https://security-tracker.debian.org/tracker/source-package/libyang
  libyang2 has no entries yet in the debian security tracker: 
https://security-tracker.debian.org/tracker/source-package/libyang2
  
  Looks like Debian never issued a DSA for these.
  
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services
  - libyang is a schema validator, and bugs can become vulnerabilities if 
untrusted input is parsed incorrectly.
  
  [Quality assurance - function/usage]
  - The package works well right after install
  
  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu and has not too many
    and long term critical bugs open
  No launchpad bugs for either libyang or libyang2
  
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libyang
    CVE bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989060
    Probably not handled because libyang2 is replacing libyang(1), and doesn't 
have these vulns
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libyang2
    No bugs yet against libyang2
  
  - The package does not deal with exotic hardware we cannot support
  
  [Quality assurance - testing]
- The package has a test suite, but it's disabled. Enabling it in d/rules
- shows 2 failures and the build aborts:
- (...)
- 96% tests passed, 2 tests failed out of 57
+ The package has a test suite, but it was originally disabled. I filed this 
bug and enabled its: 
https://bugs.launchpad.net/ubuntu/+source/libyang2/+bug/1958385
  
- Total Test time (real) =   0.83 sec
+ The current package in jammy runs tests at build time:
  
- The following tests FAILED:
-          29 - utest_inout (Failed)
-          30 - utest_context (Failed)
- Errors while running CTest
- make[1]: *** [Makefile:74: test] Error 8
- make[1]: Leaving directory 
'/home/ubuntu/git/packages/libyang2/libyang2/obj-x86_64-linux-gnu'
- dh_auto_test: error: cd obj-x86_64-linux-gnu && make -j4 test 
ARGS\+=--verbose ARGS\+=-j4 returned exit code 2
- make: *** [debian/rules:8: build] Error 25
- dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
+ libyang2 (2.0.112-6ubuntu1) jammy; urgency=medium
  
- This should be investigate:
- - why is it not enabled by default? (Possibly an oversight)
- - fix the failures
- - this also increases the build time considerably, about 15x
- - is the build with tests different, i.e., does it contain debug code? Maybe 
we need two builds
+   * Enable build time tests (LP: #1958385):
+     - d/rules: set -DENABLE_TESTS=ON
+     - d/p/fix-test-suite-wrt-FILE.patch: fix test suite failure due
+       to __FILE__ being a relative path
  
- I filed a bug about this:
- https://bugs.launchpad.net/ubuntu/+source/libyang2/+bug/1958385
+  -- Andreas Hasenack <[email protected]>  Thu, 20 Jan 2022 21:03:40
+ +0000
+ 
  
  Upstream already provided a fix for the test failures.
  
  - The package runs an autopkgtest, and is currently passing on
    this all arches except i386 (it's not built for i386):
    https://autopkgtest.ubuntu.com/packages/libyang2
  
  - The package does have not failing autopkgtests right now
  
  [Quality assurance - packaging]
  - debian/watch is present and works
  
  - lintian run is ok-ish:
  $ lintian -I --pedantic
  E: libyang2 changes: bad-distribution-in-changes-file unstable
  W: libyang2-tools: groff-message usr/share/man/man1/yanglint.1.gz command 
exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv 
-f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z 
-rLL=117n -rLT=117n -wmac -Tutf8
  W: libyang2-tools: groff-message usr/share/man/man1/yangre.1.gz command 
exited with status 1: /usr/libexec/man-db/zsoelim | /usr/libexec/man-db/manconv 
-f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z 
-rLL=117n -rLT=117n -wmac -Tutf8
  I: libyang2 source: out-of-date-standards-version 4.5.0 (released 2020-01-20) 
(current is 4.5.1)
  I: libyang2: spelling-error-in-binary 
usr/lib/x86_64-linux-gnu/libyang.so.2.13.7 unkown unknown
  I: libyang2: symbols-file-missing-build-depends-package-field
  I: libyang2 source: unused-file-paragraph-in-dep5-copyright paragraph at line 
13
  I: libyang2 source: unused-file-paragraph-in-dep5-copyright paragraph at line 
138
  I: libyang2 source: unused-file-paragraph-in-dep5-copyright paragraph at line 
17
  I: libyang2 source: unused-file-paragraph-in-dep5-copyright ... use 
--no-tag-display-limit to see all (or pipe to a file/program)
  I: libyang2 source: wildcard-matches-nothing-in-dep5-copyright */iana-*.yin 
(line 24)
  I: libyang2 source: wildcard-matches-nothing-in-dep5-copyright linenoise/* 
(line 37)
  I: libyang2 source: wildcard-matches-nothing-in-dep5-copyright swig/* (line 9)
  I: libyang2 source: wildcard-matches-nothing-in-dep5-copyright ... use 
--no-tag-display-limit to see all (or pipe to a file/program)
  P: libyang2 source: package-uses-old-debhelper-compat-version 10
  P: libyang2 source: silent-on-rules-requiring-root
  
  - Lintian overrides are not present
  
  - This package does not rely on obsolete or about to be demoted packages.
  Note that libyang1 relied on pcre3, but libyang2 (this package) uses pcre2 
already.
  
  - This package has no python2 or GTK2 dependencies
  
  - The package will not be installed by default
  
  - Packaging and build is easy:
  https://git.launchpad.net/ubuntu/+source/libyang2/tree/debian/rules
  
  [UI standards]
  - Application is not end-user facing (does not need translation)
  
  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main
  $ check-mir
  Checking support status of build dependencies...
   * libcmocka-dev binary and source package is in universe
  
  Checking support status of binary dependencies...
   * libyang2 binary and source package is in universe
   * libyang2 binary and source package is in universe
   * libyang2-tools binary and source package is in universe
  
  cmocka is used for unit tests only, at build time, when enabled
  
  [Standards compliance]
  - This package correctly follows FHS and Debian Policy
  
  [Maintenance/Owner]
  - Server Team is not yet, but will subscribe to the package before promotion
  
  - This does not use static builds
  - This does not use vendored code
  
  [Background information]
  - The Package description explains the package well
  - Upstream Name is libyang
  - Link to upstream project: https://github.com/CESNET/libyang/
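
Review bot: In the [Quality assurance - testing] section, the removed text listed four open questions and the added text only addresses one of them, the test failures, via d/p/fix-test-suite-wrt-FILE.patch. The new wording does not say why the suite was disabled by default, whether the roughly 15x build-time increase is acceptable, or whether a build with -DENABLE_TESTS=ON produces the same binaries as one without (the "does it contain debug code? Maybe we need two builds" question). For a library whose [Security] section notes that it parses untrusted input, the last point is worth recording explicitly before promotion. Also, "enabled its:" in the added sentence appears to be missing a word.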

https://bugs.launchpad.net/bugs/1958293

Title:
  [MIR]: libyang2
