Public bug reported: [Availability] ✅ The package nghttp3 is already in Ubuntu universe. ✅ The package nghttp3 builds for the architectures it is designed to work on. ✅ It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x Link to package: https://launchpad.net/ubuntu/+source/nghttp3
[Rationale and Background Information] === Why nghttp2? === To describe why nghttp3 is needed, I should first describe where nghttp2 is used. From the upstream description: > This is an implementation of the Hypertext Transfer Protocol version 2 in C. > The framing layer of HTTP/2 is implemented as a reusable C library. On top of > that, we have implemented an HTTP/2 client, server and proxy. We have also > developed load test and benchmarking tools for HTTP/2. An HPACK encoder and > decoder are available as a public API. Currently, the following reverse dependencies exist for nghttp2 in Main: - apache2 - bind9 - curl - unbound Additionally, many HTTP 2 implementations exist in the archive already: $ apt list | grep http2 golang-github-moul-http2curl-dev/plucky,plucky 0.0~git20161031.0.4e24498+dfsg-1.1 all libghc-http2-dev/plucky 5.0.1-1 libghc-http2-doc/plucky,plucky 5.0.1-1 libghc-http2-prof/plucky 5.0.1-1 libghc-wai-http2-extra-dev/plucky 0.1.3-4build1 libghc-wai-http2-extra-doc/plucky,plucky 0.1.3-4build1 libghc-wai-http2-extra-prof/plucky 0.1.3-4build1 libnghttp2-14/plucky,now 1.64.0-1 libnghttp2-dev/plucky,now 1.64.0-1 libnghttp2-doc/plucky,plucky 1.64.0-1 libprotocol-http2-perl/plucky,plucky 1.11-1 librust-curl+http2-dev/plucky 0.4.44-4 librust-curl-sys+http2-dev/plucky 0.4.67-2 librust-libnghttp2-sys-dev/plucky 0.1.3-1 libyubihsm-http2/plucky 2.6.0-4 nghttp2-client/plucky,now 1.64.0-1 nghttp2-proxy/plucky,now 1.64.0-1 nghttp2-server/plucky,now 1.64.0-1 nghttp2/plucky,plucky,now 1.64.0-1 ruby-protocol-http2/plucky,plucky 0.14.2-1 === Why nghttp3? === Firstly, the question of promoting nghttp3 came up in the context of curl. In Debian, the curl maintainer has set binary packages of nghttp3 as both runtime and build dependencies, increasing the delta. Enabling HTTP 3 support in curl and its reverse dependencies is important for enabling Ubuntu-powered devices to utilize HTTP/3, the next HTTP standard. While it is outside the scope of this MIR, HTTP/3 offers substantial performance improvements over HTTP/1.1 or HTTP/2, and is something users will certainly want enabled in curl. Additionally, this will also enable other packages in Main to implement and utilize HTTP 3 support in an easier way. While many HTTP 2 libraries exist, this is the only one with HTTP 3 in the name: $ apt list | grep http3 libnghttp3-9/plucky 1.6.0-2 amd64 libnghttp3-dev/plucky 1.6.0-2 amd64 Not only will packages like apache2 and curl be able to depend on nghttp3, HTTP/3 bindings for languages like Rust and Perl as seen above can be promoted to Main, as well. I am fairly confident that there is no other package that solves this specific need in Plucky, in Universe, Main, or otherwise. While I understand this is a fairly short deadline, I would certainly appreciate a review on this before Plucky's Beta Freeze, which will allow me to file a Feature Freeze Exception to add this to curl. If this is not feasible, please let me know. [Security] ✅ https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=nghttp3 is empty ✅ No search engine results for `site:www.openwall.com/lists/oss-security nghttp3` ✅ No CVEs present on the Ubuntu CVE Tracker: https://ubuntu.com/security/cves?package=nghttp3 ✅ No CVEs present on the Debian Security Tracker: https://security-tracker.debian.org/tracker/source-package/nghttp3 ✅ no `suid` or `sgid` binaries ✅ no executables in `/sbin` and `/usr/sbin` ✅ nghttp3 does not install services, timers or recurring jobs ✅ nghttp3 may assist in opening or running on port 443, UDP or TCP, since it is an HTTP/3 library ✅ Packages does not contain extensions to security-sensitive software Please take a look; I'd expect this to be fairly clean, but of course I can't be 100% sure. [Quality assurance - function/usage] ✅ The package works well right after install It's a library; it works well. [Quality assurance - maintenance] ✅ No open bugs in Ubuntu, besides this one. ✅ One open Debian bug, opened en masse due to GCC 15, this is targeted for Trixie+1 so there's plenty of time. ✅ Only one open upstream issue, and it's a feature request. [Quality assurance - testing] ✅ The package runs a test suite on build time, if it fails it makes the build fail: https://launchpadlibrarian.net/760847134/buildlog_ubuntu-plucky-amd64.nghttp3_1.6.0-2_BUILDING.txt.gz nghttp2 contains a trivial autopkgtest, I can copy that over or write something basic, but the testing is done during the build, mainly. [Quality assurance - packaging] ✅ debian/watch is present and works ✅ debian/control defines a correct Maintainer field RULE: - It is often useful to run `lintian --pedantic` on the package to spot RULE: the most common packaging issues in advance RULE: - Non-obvious or non-properly commented lintian overrides should be RULE: explained TODO: - This package does not yield massive lintian Warnings, Errors TODO: - Please link to a recent build log of the package <TBD> TODO: - Please attach the full output you have got from TODO: `lintian --pedantic` as an extra post to this bug. TODO-A: - Lintian overrides are not present TODO-B: - Lintian overrides are present, but ok because TBD ✅ This package does not rely on obsolete or about to be demoted packages. ✅ This package has no python2 or GTK2 dependencies ✅ The package will be installed by default, but does not ask debconf questions higher than medium ✅ Packaging and build is easy: https://salsa.debian.org/debian/nghttp3/-/blob/debian/unstable/debian/rules?ref_type=heads [UI standards] ✅ Application is not end-user facing (does not need translation) [Dependencies] ✅ No further depends or recommends dependencies that are not yet in main [Standards compliance] ✅ This package correctly follows FHS and Debian Policy [Maintenance/Owner] I'm not sure which team would like to own this Canonical-side, perhaps Server. I'm writing this MIR as a community member. ✅ This does not use static builds ✅ This does not use vendored code ✅ This package is not Rust-based ✅ The package has been built within the last 3 months in the archive Build link: https://launchpad.net/ubuntu/+source/nghttp3/1.6.0-2 ** Affects: nghttp3 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2098797 Title: [MIR] nghttp3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nghttp3/+bug/2098797/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
