** Description changed: [Availability] The package libfyaml is already in Ubuntu universe. The package libfyaml build for the architectures it is designed to work on. It currently builds and works for architectures: amd64 amd64v3 arm64 armhf ppc64el riscv64 s390x Link to package https://launchpad.net/ubuntu/+source/libfyaml [Rationale] - The package libfyaml is required in Ubuntu main as a new library for parsing YAML - The package libfyaml will not generally be useful for a large part of our user base, but is important/helpful still because it is a library linked by other projects - Package libfyaml covers the same use case as libyaml, but is better because: - It provides a better C API - It is better maintained - It has faster parsing speed than libyaml - It is YAML 1.2 compmliant while libyaml is not - This helps a lot with making the code more secure and deterministic - This means that libfyaml is also a powerful JSON parser, which is now a subset of YAML 1.2 - It provides a zero-copy API which significantly reduces the memory used while parsing and generating YAML. - This helps when libfyaml is used by appstream to parse very large YAML files like the AppStream data used to populate deb software stores like GNOME Software, Plasma Discover (and possibly the Ubuntu App Center in the future) - - The package libfyaml is a new runtime dependency of package - libappstream-compose0 that we already support + - The package libfyaml is a new runtime dependency of packages libappstream5 + and libappstream-compose0 that we already support - Some other projects are already considering to port over to libfyaml: - https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2078759/comments/36 - We cannot fully replace libyaml because it still too many users that would need to be ported, so both libraries would need to exist in main for a while - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - Porting all users of libyaml to libfyaml is a massive undertaking and risks introducing issues if not done by the respective upstreams. - Porting appstream back from libfyaml to libyaml is an equally large undertaking, as the changes are large and the project has already started using the new features of the libfyaml API. - Freezing appstream to an older version that still uses libyaml is not ideal. That would mean potentially freezing it forever. - This is the first time package will be in main - The binary packages libfyaml0 needs to be in main to satisfy a dependency - from libappstream-compose0 + from libappstream5 and libappstream-compose0 - All other binary packages built by libfyaml should remain in universe - The package libfyaml is required in Ubuntu main no later than Feb 19 - due to Resolut Raccoon feature freeze. + due to Resolute Raccoon feature freeze. [Security] - No CVEs in this software in the past - Some reported and addressed memory corruption issues: - https://github.com/pantoniou/libfyaml/issues/122 - https://github.com/pantoniou/libfyaml/issues/123 - https://github.com/pantoniou/libfyaml/issues/118 - https://github.com/pantoniou/libfyaml/issues/120 - https://github.com/pantoniou/libfyaml/issues/121 - https://github.com/pantoniou/libfyaml/issues/119 - https://github.com/pantoniou/libfyaml/issues/101 - https://github.com/pantoniou/libfyaml/issues/57 - https://github.com/pantoniou/libfyaml/issues/56 - Some reported and to-date unaddressed memory corruption issues: - https://github.com/pantoniou/libfyaml/issues/134 - https://github.com/pantoniou/libfyaml/issues/135 - https://github.com/pantoniou/libfyaml/issues/132 - https://github.com/pantoniou/libfyaml/issues/138 - https://github.com/pantoniou/libfyaml/issues/133 - https://github.com/pantoniou/libfyaml/issues/128 - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libfyaml/+bug - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libfyaml - Upstream's bug tracker: https://github.com/pantoniou/libfyaml/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes the build fail, https://launchpadlibrarian.net/827289425/buildlog_ubuntu-resolute-amd64.libfyaml_0.9-2_BUILDING.txt.gz - The package does not run an autopkgtest because upstream does not provide an installed-tests testsuite; but one could be implemented downstream. - The libyaml0 package is also tested by the appstream package at build-time: see "as-test_yaml" at https://launchpadlibrarian.net/827477512/buildlog_ubuntu-resolute-amd64.appstream_1.1.1-1_BUILDING.txt.gz [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - https://launchpadlibrarian.net/827289425/buildlog_ubuntu-resolute-amd64.libfyaml_0.9-2_BUILDING.txt.gz - lintian --pedantic: https://bugs.launchpad.net/ubuntu/+source/libfyaml/+bug/2131216/comments/2 - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions higher than medium - Packaging and build is easy, https://salsa.debian.org/jlblancoc/libfyaml- gbp/-/blob/master/debian/rules [UI standards] - Application is not end-user facing (does not need translation) [Dependencies] - Used check-mir from ubuntu-dev-tools to validate all dependencies or recommends are in main. [Standards compliance] - This package correctly follows FHS and Debian Policy - libfyaml0/libfyaml-dev contain some GPL-2 symbols, despite the library being MIT-licensed. That implies that users of the library may be inadvertently violating the GPL license. All GPL-2 symbols were stripped in git master already, and I have asked the maintainer to provide a new tagged release in reasonable time for 26.04 - The maintainer tells me a new release is planned by the end of year + The maintainer tells me a new release is planned by the end of year [Maintenance/Owner] - I Suggest the owning team to be debcrafters - The future owning team is not yet subscribed, but will subscribe to the package before promotion - This does not use static builds - This does not use vendored code - This package is not rust based - The package has been built within the last 3 months in the archive - Build link on launchpad: https://launchpad.net/ubuntu/+source/libfyaml/0.9-2 - This change will not impact other teams [Background information] -The Package description explains the package well - Upstream Name is libfyaml - Link to upstream project https://github.com/pantoniou/libfyaml
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2131216 Title: [MIR] libfyaml To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libfyaml/+bug/2131216/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
