Public bug reported: [Availability] The package Restic is already in Ubuntu universe. The package Restic build for the architectures it is designed to work on. It currently builds and works for architectures: amd64 amd64v3 arm64 armhf ppc64el riscv64 s390x Link to package https://launchpad.net/ubuntu/+source/restic
[Rationale] - The package Restic is a new runtime dependency of package Deja-Dup that we already support - The package Restic covers the same use case as Duplicity, but is better because, in the words of Deja-Dup's maintainer[1], "it's faster, more reliable and we already have introduced features [in Deja-Dup] that only it supports (FUSE based restores). This is not a 'we support either way' situation, this is a transition", thereby we want to replace it. - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - This is the first time package will be in main - The binary package Restic needs to be in main to support Deja-Dup's transition to it. - All other binary packages built by Restic (namely Restic-dbgsym) should remain in universe - It would be great and useful to community/processes to have the package Restic in Ubuntu main, but there is no definitive deadline. [Security] - Had 1 security issue in the past - https://security-tracker.debian.org/tracker/CVE-2020-9283 The issue was actually in golang.org/x/crypto and so it could be handled by Debian rebuilding it against the fixed module. This is an educated guess because it says "fixed in 0.3.3-1+deb9u1" but that version is not to be found in debian/changelog[2]. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Security has been kept in mind and common isolation/risk-mitigation patterns are in place utilizing the following features: Restic uses cryptography to guarantee confidentiality and integrity of user's data. The location the backup data is stored is assumed not to be a trusted environment (e.g. a shared space where others like system administrators are able to access your backups). Restic is built to secure user's data against such attackers.[3] - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...) - Package is using crypto/tls[4] (TLS 1.2) [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/restic/+bug - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=restic - Upstream's bug tracker https://github.com/restic/restic/issues - The package has important open bugs, listing them: - https://github.com/restic/restic/issues/2659 - https://github.com/restic/restic/issues/5543 - The package does not deal with exotic hardware we cannot support RULE: This is about confidence to be able to maintain the package, therefore RULE: any option (the examples or anything else you add) is "valid", but it RULE: depends on the case if that is then considered sufficient. RULE: The following examples are in descending order in regard to how "ok" they RULE: likely will be. TODO-B1: - testflinger under the following queue(s): TBD TODO-B2: - (multiple) Canonical systems in the TBD computing center/lab TODO-B3: - an engineering sample in engineers home on TBD team, manager TBD TODO-B4: - (multiple) cloud providers as type: TBD TODO-B5: - hopefully somewhen getting it due to TBD [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes the build fail, link to build log [5] - The package does not run an autopkgtest but it was just very recently suggested to Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122293 - The package does have not failing autopkgtests right now [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Recent build log of the package[5] - `lintian --pedantic` is empty. - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will not be installed by default - Packaging and build is easy, link to debian/rules[6] [UI standards] - Application is not end-user facing (does not need translation) [Dependencies] - Used check-mir from ubuntu-dev-tools to validate all dependencies or recommends are in main. Only fuse is in universe, but that's a transitional package to fuse3, which is in main. [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - I Suggest the owning team to be ubuntu-desktop - The future owning team is not yet subscribed, but will subscribe to the package before promotion - This does not use static builds - This does not use vendored code - This package is not rust based - The package has been built within the last 3 months in the archive - Build link on launchpad: https://launchpad.net/ubuntu/+source/restic/0.18.1-1 - This change will not impact other teams [Background information] - The Package description explains the package well - Upstream Name is Restic - Link to upstream project https://github.com/restic/restic - Bug originating this MIR: LP:2120709 [1]https://bugs.launchpad.net/ubuntu/+source/deja-dup/+bug/2120709/comments/13 [2]https://salsa.debian.org/go-team/packages/restic/-/blob/master/debian/changelog?ref_type=heads [3]https://sources.debian.org/src/restic/0.18.1-1/README.md#L75 [4]https://pkg.go.dev/crypto/tls [5]https://launchpadlibrarian.net/828680190/buildlog_ubuntu-resolute-amd64.restic_0.18.1-1_BUILDING.txt.gz [6]https://sources.debian.org/src/restic/0.18.1-1/debian/rules ** Affects: restic (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2134530 Title: MIR for Restic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/restic/+bug/2134530/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
