** Description changed: [Availability] The package Restic is already in Ubuntu universe. The package Restic build for the architectures it is designed to work on. It currently builds and works for architectures: amd64 amd64v3 arm64 armhf ppc64el riscv64 s390x Link to package https://launchpad.net/ubuntu/+source/restic [Rationale] - The package Restic is a new runtime dependency of package Deja-Dup that - we already support + we already support - The package Restic covers the same use case as Duplicity, but is better because, in the words of Deja-Dup's maintainer[1], "it's faster, more reliable and we already have introduced features [in Deja-Dup] that only it supports (FUSE based restores). This is not a 'we support either way' situation, this is a transition", thereby we want to replace it. - There is no other/better way to solve this that is already in main or - should go universe->main instead of this. + should go universe->main instead of this. - This is the first time package will be in main - The binary package Restic needs to be in main to support Deja-Dup's transition - to it. + to it. - All other binary packages built by Restic (namely Restic-dbgsym) should remain in universe - It would be great and useful to community/processes to have the package Restic in Ubuntu main, but there is no definitive deadline. - [Security] - Had 1 security issue in the past - - https://security-tracker.debian.org/tracker/CVE-2020-9283 - The issue was actually in golang.org/x/crypto and so it could be handled - by Debian rebuilding it against the fixed module. This is an educated guess - because it says "fixed in 0.3.3-1+deb9u1" but that version is not to be - found in debian/changelog[2]. - + - https://security-tracker.debian.org/tracker/CVE-2020-9283 + The issue was actually in golang.org/x/crypto and so it could be handled + by Debian rebuilding it against the fixed module. This is an educated guess + because it says "fixed in 0.3.3-1+deb9u1" but that version is not to be + found in debian/changelog[2]. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Security has been kept in mind and common isolation/risk-mitigation - patterns are in place utilizing the following features: - Restic uses cryptography to guarantee confidentiality and - integrity of user's data. The location the backup data is stored is assumed - not to be a trusted environment (e.g. a shared space where others like - system administrators are able to access your backups). Restic is - built to secure user's data against such attackers.[3] - + patterns are in place utilizing the following features: + Restic uses cryptography to guarantee confidentiality and + integrity of user's data. The location the backup data is stored is assumed + not to be a trusted environment (e.g. a shared space where others like + system administrators are able to access your backups). Restic is + built to secure user's data against such attackers.[3] - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software - (filters, scanners, plugins, UI skins, ...) + (filters, scanners, plugins, UI skins, ...) - Package is using crypto/tls[4] (TLS 1.2) [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does - not have too many, long-term & critical, open bugs - - Ubuntu https://bugs.launchpad.net/ubuntu/+source/restic/+bug - - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=restic - - Upstream's bug tracker https://github.com/restic/restic/issues + not have too many, long-term & critical, open bugs + - Ubuntu https://bugs.launchpad.net/ubuntu/+source/restic/+bug + - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=restic + - Upstream's bug tracker https://github.com/restic/restic/issues - The package has important open bugs, listing them: - - https://github.com/restic/restic/issues/2659 - - https://github.com/restic/restic/issues/5543 + - https://github.com/restic/restic/issues/2659 + - https://github.com/restic/restic/issues/5543 - The package does not deal with exotic hardware we cannot support - RULE: This is about confidence to be able to maintain the package, therefore - RULE: any option (the examples or anything else you add) is "valid", but it - RULE: depends on the case if that is then considered sufficient. - RULE: The following examples are in descending order in regard to how "ok" they - RULE: likely will be. - TODO-B1: - testflinger under the following queue(s): TBD - TODO-B2: - (multiple) Canonical systems in the TBD computing center/lab - TODO-B3: - an engineering sample in engineers home on TBD team, manager TBD - TODO-B4: - (multiple) cloud providers as type: TBD - TODO-B5: - hopefully somewhen getting it due to TBD + [Quality assurance - testing] - The package runs a test suite on build time, if it fails - it makes the build fail, link to build log [5] - + it makes the build fail, link to build log [5] - The package does not run an autopkgtest but it was just very recently suggested to Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122293 - The package does have not failing autopkgtests right now [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Recent build log of the package[5] - `lintian --pedantic` is empty. - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will not be installed by default - Packaging and build is easy, link to debian/rules[6] - [UI standards] - Application is not end-user facing (does not need translation) [Dependencies] - Used check-mir from ubuntu-dev-tools to validate - all dependencies or recommends are in main. - Only fuse is in universe, but that's a transitional package to fuse3, which is in main. - + all dependencies or recommends are in main. + Only fuse is in universe, but that's a transitional package to fuse3, which is in main. [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - I Suggest the owning team to be ubuntu-desktop - The future owning team is not yet subscribed, but will subscribe to - the package before promotion + the package before promotion - This does not use static builds - This does not use vendored code - This package is not rust based - The package has been built within the last 3 months in the archive - Build link on launchpad: https://launchpad.net/ubuntu/+source/restic/0.18.1-1 - This change will not impact other teams [Background information] - The Package description explains the package well - Upstream Name is Restic - Link to upstream project https://github.com/restic/restic - Bug originating this MIR: LP:2120709 [1]https://bugs.launchpad.net/ubuntu/+source/deja-dup/+bug/2120709/comments/13 [2]https://salsa.debian.org/go-team/packages/restic/-/blob/master/debian/changelog?ref_type=heads [3]https://sources.debian.org/src/restic/0.18.1-1/README.md#L75 [4]https://pkg.go.dev/crypto/tls [5]https://launchpadlibrarian.net/828680190/buildlog_ubuntu-resolute-amd64.restic_0.18.1-1_BUILDING.txt.gz [6]https://sources.debian.org/src/restic/0.18.1-1/debian/rules
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2134530 Title: MIR for Restic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/restic/+bug/2134530/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
