Yes my TODO is to add the README.source (and fix the outstanding bugs, but we also need rustc 1.85 first to get the new upstream release) but I think we can go ahead with the review aside from those aspects.
** Description changed: - todo + [Availability] + The package rust-coreutils is already in Ubuntu universe. + The package rust-coreutils build for the architectures it is designed to work on. + It currently builds and works for architectures: (all of them) + Link to package https://launchpad.net/ubuntu/+source/rust-coreutils + + [Rationale] + - The package rust-coreutils is required in Ubuntu main for + strengthening product security, resilience, and safety by adopting + memory-safe replacements for core functionalities as outlined in + Jon Seager's post: + + https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising- + ubuntu/56995 + + - The package rust-coreutils will generally be useful for a large part of + our user base as it will become the new default coreutils + + [Security] + - No CVEs/security issues in this software in the past + - no `suid` or `sgid` binaries + - no executables in `/sbin` and `/usr/sbin` + [chroot used to be in sbin] + + - Package does not install services, timers or recurring jobs + - Security has been kept in mind and common isolation/risk-mitigation + patterns are in place utilizing the following features: + This is using a memory-safe language, eliminating most memory safety + issue. + - Package does not expose any external endpoints + - Packages does not contain extensions to security-sensitive software + (filters, scanners, plugins, UI skins, ...) + + [Quality assurance - function/usage] + - The package works well right after install + + Particularly, when installing coreutils-from-uutils, which is to be the + default. On its own, this provides a single coreutils binary. + + [Quality assurance - maintenance] + - The package is maintained well in Debian/Ubuntu/Upstream and does + not have too many, long-term & critical, open bugs + - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-coreutils/+bug + - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-coreutils + - Upstream's bug tracker, e.g., GitHub Issues + - The package has important open bugs, listing them: + - Lots of coreutils still have some breakage which prevents the default + switch, I won't list them individually. + - The package does not deal with exotic hardware we cannot support + + [Quality assurance - testing] + - The package runs a test suite on build time, if it fails + it makes the build fail, link to build log + https://launchpadlibrarian.net/797298944/buildlog_ubuntu-questing-amd64.rust-coreutils_0.0.30-2ubuntu2_BUILDING.txt.gz + + - The package does not run an autopkgtest because there are no additional + tests. It does trigger a whole bunch of packages; and of course the GNU + coreutils test suite gets triggerd by coreutils-from with coreutils-from-uutils + as the default coreutils provider. + + [Quality assurance - packaging] + - debian/watch is not present, instead it has "cargo magic" + - debian/control defines a correct Maintainer field + + - Please link to a recent build log of the package https://launchpadlibrarian.net/797298944/buildlog_ubuntu-questing-amd64.rust-coreutils_0.0.30-2ubuntu2_BUILDING.txt.gz + - Please attach the full output you have got from + `lintian --pedantic` as an extra post to this bug: + + it's just: + + W: rust-coreutils: bad-whatis-entry [usr/share/man/man1/rust-coreutils.1.gz] + W: rust-coreutils: debian-changelog-line-too-long [usr/share/doc/rust-coreutils/changelog.Debian.gz:9] + W: rust-coreutils: no-manual-page [usr/bin/coreutils] + + aka rust-coreutils is the manpage for coreutils and it's a bit weird. + + - Lintian overrides are not present + + - This package does not rely on obsolete or about to be demoted packages. + - This package has no python2 or GTK2 dependencies + + - The package will be installed by default, but does not ask debconf + questions + - Packaging and build is easy, link to debian/rules + https://git.launchpad.net/ubuntu/+source/rust-coreutils/tree/debian/rules?h=ubuntu/questing-devel + The vendoring is the most part :D + + [UI standards] + The situation is a bit more complex than the template allows for; coreutils + are *somewhat* user interfacing - for terminal users. + + Translation support is being added, but sadly it uses "Fluent" which is + not compatible with Launchpad's translation service, which is going to need + some more work to see how we can translate from ftl to pot, produce po and + then translate back to ftl such that we can ship translations in language + packs. + + [Dependencies] + - No further depends or recommends dependencies that are not yet in main + [Rust dependencies are vendored per Rust MIR policy] + + [Standards compliance] + - This package correctly follows FHS and Debian Policy + + [Maintenance/Owner] + - The owning team will be foundations-bugs and I have their acknowledgement for + that commitment + - I Suggest the owning team to be debcrafters-packages starting 26.10 + + - The team foundations is aware of the implications by a static build and + commits to test no-change-rebuilds and to fix any issues found for the + lifetime of the release (including ESM) + + - The team foundations is aware of the implications of vendored code and (as + alerted by the security team) commits to provide updates and backports + to the security team for any affected vendored code for the lifetime + of the release (including ESM). + + - This package uses vendored rust code tracked in Cargo.lock as shipped, + in the *source* package (it produces a single binary, no crates), refreshing + that code is outlined in debian/README.source + [FIXME: I don't have a README.source] + + - This package is rust based and vendors all non language-runtime + dependencies + + - The package has been built within the last 3 months in the archive + - Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-coreutils/0.0.30-2ubuntu2 + + [Background information] + The Package description explains the package well + Upstream Name is coreutils (same as GNU one) + Link to upstream project https://github.com/uutils/coreutils ** Changed in: rust-coreutils (Ubuntu) Status: Incomplete => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2111815 Title: [MIR] rust-coreutils To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rust-coreutils/+bug/2111815/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
