Utkarsh asked me to re-evaluate this with my MIR hat in regard to the possibility to promote jq (and the libonig dependency) in focal as well.
Ownership:

#1 Those are owned by the server team and not representing a storm of activity as they are good citizen packages usually just working. So I'd be ok with my Server hat to own them in focal too.

MIR / QA requirements:

- dependencies did not change: libjq1 -> libonig5 + libc6 - OK
- Both have extensive build time tests; with today's ruling and guidance we'd most likely insist more strongly on an autopkgtest than we did back then. But that does not need to block the promotion of the old in this case here, focal is changing the fewest of all releases this would be in main.
- problems back then have been that there are plenty of regex libs, but the world can't standardize :-/ this won't be fixed as part of a backward looking promotion
- other problems back then have been that these are security sensitive, which can also be seen in the amount of CVEs found and fixed.
- no massive differences in packaging or upstream content in regard to what was promoted (hirsute) and asked to be promoted now (focal)

#2 testing

=> Other than the nowadays increased desire for autopkgtests I found nothing huge.

Let us talk about these ...

@Utkarsh I feel I might give you a too easy pass, how do you feel about looking at the old task of:
"""
Recommended but optional:
- adding an autopkgtest would be useful to detect issues early on
"""
But with today's no-longer-so-optional stance. If that goes to plucky and works well it can go to -proposed with block-proposed (or whatever the SRU team prefers) in older releases. Even having it in the new release helps as breakage there likely translates to backporting the same in security and SRU fixes. I'm happy to work on this one with you if you want - for fairness, as we didn't get to it when it was more optional.

Security:

#3 ESM vs Main implications

It needs to get a security ack and statement of doability, because while it is functionally without much issues there have been various CVE fixes via Ubuntu Pro to this package in universe. Pulling it into main would need to push them to the normal archive to not suddenly open things up in main. Also some former prio triage might no longer apply.

I see 3 for jq and 6 for libonig in
- https://ubuntu.com/security/cves?package=jq&version=focal&limit=100
- https://ubuntu.com/security/cves?package=libonig&version=focal&limit=100

To be fair, most are for tracking and "not affected" means we already had the fix or the old version was not affected. One is listed as "Fixed 6.9.2-1" in focal, but it released with 6.9.4-1 so all might be fine.

#4 libonig updates

I quote from the security review: "The code has matured a lot in the past months, but still it is a regex library and as always regexes can be tricky, so issues might still come up."
That was for 6.9.5-2 but focal is on 6.9.4-1. Gladly https://github.com/deepin-community/libonig suggests the critical things he refers to are in 6.9.4 (many CVEs fixed), but still - worth a security re-ack as well.

So overall, MIR Ack for focal promotion of jq and libonig once:
- Autopkgtests are added (at least to the new release)
- Ack by security as well - assigning to them for having a look too.

** Changed in: jq (Ubuntu Focal)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Changed in: libonig (Ubuntu Focal)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

--
https://bugs.launchpad.net/bugs/1889248
Title: [MIR] mdevctl, jq, libonig
