Public bug reported:

[Availability]
The package dav1d is already in Ubuntu universe since Ubuntu Jammy.
The package dav1d builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 amd64v3 arm64 armhf i386 ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/dav1d

[Rationale]
- The package dav1d is required in Ubuntu main for libdav1d7
- The package dav1d will not generally be useful for a large part of our user base, but is useful for providing performant AV1 decoding to python3-pil.
- The package dav1d is a new transitive (libavif16) runtime dependency of package python3-pil that we already support.
- A similar codec is provided by libaom3, which is already in main.
- There was a previous MIR which got postponed: https://bugs.launchpad.net/ubuntu/+source/dav1d/+bug/2004446
- This is the first time the package will be in main
- The binary package libdav1d7 needs to be in main
- All other binary packages built by dav1d should remain in universe
- It would be great and useful to community/processes to have the package dav1d in Ubuntu main, but there is no definitive deadline.

[Security]
- Had 2 medium security issues in the past, which got released by the security team:
  - https://ubuntu.com/security/CVE-2024-1580
  - https://ubuntu.com/security/CVE-2023-32570
- Check for security relevant binaries, services and behavior. If any are present, this requires a more in-depth security review. Demonstrating that common isolation/risk-mitigation patterns are used will help to raise confidence. For example a service running as root open to the network will need to be considered very carefully. The same service dropping the root permissions after initial initialization, using various systemd isolation features and having a default active apparmor profile is much less concerning and can speed up acceptance. This helps Ubuntu, but you are encouraged to consider working with Debian and upstream to get those security features used at wide scale.
- It might be impossible for the submitting team to check this perfectly (the security team will), but you should be aware that deprecated security algorithms like 3DES or TLS/SSL 1.1 are not acceptable. If you think a package might do that it would be great to provide a hint for the security team like "Package may use deprecated crypto" and provide the details you have about that.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024).
- Package does contain extensions to security-sensitive software: the package provides AV1 video codec which processes untrusted input

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs:
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dav1d/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=TBDSRC
  - Upstream https://code.videolan.org/videolan/dav1d/-/issues
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail
- The package does not run an autopkgtest

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
  - W: dav1d source: orig-tarball-missing-upstream-signature dav1d_1.5.2.orig.tar.xz
  - P: dav1d source: maintainer-manual-page [debian/dav1d.1]
- Recent build: https://launchpad.net/ubuntu/+source/dav1d/1.5.2-1/+build/31464849/+files/buildlog_ubuntu-resolute-amd64.dav1d_1.5.2-1_BUILDING.txt.gz
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy https://git.launchpad.net/ubuntu/+source/dav1d/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because TBD

[Dependencies]
- Used check-mir from ubuntu-dev-tools to validate all dependencies or recommends are in main.

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be debcrafters and I have their acknowledgment for that commitment
- The future owning team is not yet subscribed, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in the archive
- Build link https://launchpad.net/ubuntu/+source/dav1d/1.5.2-1
- This change will not impact other teams

[Background information]
The Package description explains the package well
Upstream Name is dav1d
Link to upstream project https://code.videolan.org/videolan/dav1d

** Affects: dav1d (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2133757

Title:
  [MIR] dav1d (transitive depends of libavif -> pillow)
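
One way to check the file-level [Security] claims above (no suid/sgid binaries, nothing executable in /sbin or /usr/sbin, no services, timers or recurring jobs) against a package's file listing. This is an added example, not part of the bug report or of the MIR tooling; the function name `audit_listing`, the output tags and both sample listings are constructed for illustration, and the privileged-port claim cannot be verified from a listing.

```shell
#!/bin/sh
# Added example: audit a `dpkg-deb -c <package>.deb` listing read from stdin.
# Assumes six columns (mode owner size date time path) and no spaces in paths.
audit_listing() {
    awk '
    {
        mode = $1; path = $6
        sub(/^\.\//, "/", path)                 # "./usr/bin/x" -> "/usr/bin/x"
        if (mode ~ /^d/) next                   # directories are not binaries
        if (substr(mode, 4, 1) ~ /[sS]/) print "SUID " path
        if (substr(mode, 7, 1) ~ /[sS]/) print "SGID " path
        if (mode ~ /^-/ && mode ~ /[xs]/ && path ~ /^\/(usr\/)?sbin\//) print "SBIN " path
        if (path ~ /^\/(usr\/)?lib\/systemd\/(system|user)\/.+\.(service|timer|socket)$/) print "UNIT " path
        if (path ~ /^\/etc\/(cron\.(d|daily|hourly|weekly|monthly)|init\.d)\/./) print "JOB " path
    }'
}

# Constructed listing shaped like a shared-library package (not real package contents).
CLEAN_LISTING='drwxr-xr-x root/root 0 2025-01-01 00:00 ./usr/lib/
-rw-r--r-- root/root 700000 2025-01-01 00:00 ./usr/lib/libexample.so.7.0.0
lrwxrwxrwx root/root 0 2025-01-01 00:00 ./usr/lib/libexample.so.7 -> libexample.so.7.0.0'

# Constructed listing for a hypothetical package that breaks four of the claims.
BAD_LISTING='-rwsr-xr-x root/root 14328 2025-01-01 00:00 ./usr/bin/helper
-rwxr-xr-x root/root 20000 2025-01-01 00:00 ./usr/sbin/exampled
-rw-r--r-- root/root 200 2025-01-01 00:00 ./usr/lib/systemd/system/exampled.timer
-rw-r--r-- root/root 80 2025-01-01 00:00 ./etc/cron.d/example'

printf '%s\n' "$CLEAN_LISTING" | audit_listing   # prints nothing
printf '%s\n' "$BAD_LISTING" | audit_listing     # one finding per offending file
```

An empty result only covers what the package ships as files; maintainer scripts can still change modes or enable units at install time and need a separate read.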
